lsass.exe

The application lsass.exe has been detected as a potentially unwanted program by 37 anti-malware scanners. It is set to execute automatically whenever a user logs into Windows (through the local user Run registry setting) under the name ‘lsass’. According to the detections, it has been classified as a keylogger, which is capable of recording a user's keystrokes. While running, it connects to the Internet address ip-184-168-221-36.ip.secureserver.net on port 80 using the HTTP protocol. Note that the legitimate Windows Local Security Authority process of the same name runs from %SystemRoot%\System32, not from a user's Application Data folder as this file does.
MD5:
254cfb57481dc86f0cd1655d001812c3

SHA-1:
a3e0cb28ffcd9585e9d8e2fc17503c5ee0bcb511

Scanner detections:
37 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 8:15:07 AM UTC

Scan engine                    Detection                             Engine version
Lavasoft Ad-Aware              Gen:Trojan.Heur.kzGfr9ATZXfib         -36
AegisLab AV Signature          W32.W.AutoRun.mwqI                    2.1.4+
AhnLab V3 Security             Trojan/Win32.Agent                    2016.04.25
Avira AntiVirus                TR/Dropper.Gen                        8.3.3.4
Arcabit                        Trojan.Heur.kzGfr9ATZXfib             1.0.0.672
avast!                         Win32:HomeKeyLog-B [PUP]              2014.9-170311
AVG                            Dropper.Generic4                      2018.0.2442
Baidu Antivirus                Win32.Trojan.WisdomEyes.151026.9950   4.0.3.17311
Bitdefender                    Gen:Trojan.Heur.kzGfr9ATZXfib         1.0.20.350
Bkav FE                        W32.HfsAutoB                          1.3.0.7744
Clam AntiVirus                 Legacy.Trojan.Agent-1388589           0.98/21511
Comodo Security                TrojWare.Win32.Kryptik.VARA           24865
Dr.Web                         Trojan.KeyLogger.25070                9.0.1.070
Emsisoft Anti-Malware          Gen:Trojan.Heur.kzGfr9ATZXfib         8.17.03.11.05
ESET NOD32                     Win32/AutoRun.Autoit.GB               11.13385
Fortinet FortiGate             W32/AutoRun.GB!worm                   3/11/2017
F-Secure                       Gen:Trojan.Heur.kzGfr9ATZXfib         11.2017-11-03_7
G Data                         Gen:Trojan.Heur.kzGfr9ATZXfib         17.3.25
IKARUS anti.virus              Trojan-Spy.Win32.KeyLogger            t3scan.2.0.9.0
K7 AntiVirus                   Trojan                                13.222.19406
Kaspersky                      IM-Worm.Win32.Sohanad                 14.0.0.-1294
Malwarebytes                   Trojan.Agent                          v2017.03.11.05
McAfee                         Artemis!254CFB57481D                  5600.6098
Microsoft Security Essentials  Worm:AutoIt/Autorun.AN                1.1.12603.0
MicroWorld eScan               Gen:Trojan.Heur.kzGfr9ATZXfib         18.0.0.210
NANO AntiVirus                 Trojan.Win32.Sohanad.dfjtgm           1.0.30.8000
Panda Antivirus                Trj/Genetic.gen                       17.03.11.05
Qihoo 360 Security             Win32/Worm.IM.a4d                     1.0.0.1120
Quick Heal                     Worm.Autoit.Sohanad.A4                3.17.14.00
Rising Antivirus               PE:Win32.KUKU.kj!1522176 [F]          23.00.65.17309
Sophos                         FamilyKeylogger (PUA)                 4.98
Total Defense                  Win32/SillyAutorun.FUH                37.1.62.1
Trend Micro House Call         Mal_OtorunO                           7.2.70
Trend Micro                    Mal_OtorunO                           10.465.11
Vba32 AntiVirus                Trojan.Autoit.Injcrypt                3.12.26.4
VIPRE Antivirus                Trojan.Win32.Generic!SB.0             48892
Zillya! Antivirus              Worm.AutoItGen.Win32.483              2.0.0.2810

File size:
1.2 MB (1,215,744 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Application data\lsass.exe

File PE Metadata
Compilation timestamp:
5/5/1999 4:57:00 PM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

Entry address:
0xB2B50

Entry point:
60, BE, 00, D0, 45, 00, 8D, BE, 00, 40, FA, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75...

Entropy:
6.4478

Packer / compiler:
UPX 2.90LZMA

Code size:
344 KB (352,256 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
lsass

Command:
C:\Documents and Settings\{user}\Application data\lsass.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to ip-184-168-221-36.ip.secureserver.net  (184.168.221.36:80)
