» lss.exe
Overview
Analysis
File Details
Behaviors (1)
Downloads (2)

lss.exe

The executable lss.exe has been detected as malware by 36 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘f674606c373688130d0d5c80cb323a1d’. The file has been seen being downloaded from www.filetolink.com and multiple other hosts.

File name:

lss.exe

MD5:

2967663e2f57fc2a945978986e8be1c3

SHA-1:

8f7a11dacfa1577e27889c946b0a8f22ef816b53

SHA-256:

f647a643d032155981319ef261c1f8da2721eb5280bc9d916e4ce5d41f7b22f2

Scanner detections:

36 / 68

Status:

Malware

Analysis date:

11/28/2024 1:45:55 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Barys.10219

5699743

AhnLab V3 Security

Backdoor/Win32.Bladabindi

2015.07.01

Avira AntiVirus

TR/Dropper.Gen7

8.3.1.6

Arcabit

Trojan.Barys.D27EB

1.0.0.425

avast!

MSIL:GenMalicious-V [Trj]

150602-1

AVG

PSW.ILUSpy

2016.0.3062

Baidu Antivirus

Trojan.MSIL.Disfa

4.0.3.15630

Bitdefender

Gen:Variant.Barys.10219

1.0.20.905

Clam AntiVirus

Win.Backdoor.Bladabindi-1

0.98/20624

Comodo Security

Backdoor.MSIL.Bladabindi.A

22631

Dr.Web

BackDoor.Bladabindi.1056

9.0.1.05190

Emsisoft Anti-Malware

Gen:Variant.Barys.10219

10.0.0.5366

ESET NOD32

MSIL/Bladabindi.BC trojan

7.0.302.0

Fortinet FortiGate

MSIL/Bladabindi.SMC!tr

6/30/2015

F-Prot

W32/MSIL_Bladabindi.I2.ge

v6.4.7.1.166

F-Secure

Gen:Variant.Barys.10219

5.14.151

G Data

Gen:Variant.Barys.10219

15.6.25

IKARUS anti.virus

Trojan.MSIL.Disfa

t3scan.1.9.5.0

K7 AntiVirus

Trojan

13.205.16415

Kaspersky

Trojan.MSIL.Disfa

15.0.0.543

Malwarebytes

Backdoor.NJBot.MSIL

v2015.06.30.06

McAfee

Trojan.BackDoor-NJRat!2967663E2F57

17.6.569.0

Microsoft Security Essentials

Threat.Undefined

1.201.130.0

MicroWorld eScan

Gen:Variant.Barys.10219

16.0.0.543

Norman

Gen:Variant.Barys.10219

02.06.2015 14:23:46

nProtect

Trojan/W32.Agent.24064.TY

15.06.30.01

Panda Antivirus

Trj/CI.A

15.06.30.06

Quick Heal

Backdoor.Bladabindi.AL3

6.15.14.00

Sophos

Virus 'Troj/DotNet-P'

5.15

SUPERAntiSpyware

Trojan.Agent/Gen-Bladabindi

9781

Total Defense

Win32/DotNetDl.A!generic

37.1.62.1

Trend Micro House Call

BKDR_BLBINDI.SMN

7.2.181

Trend Micro

BKDR_BLBINDI.SMN

10.465.30

Vba32 AntiVirus

Trojan.MSIL.Disfa

3.12.26.4

VIPRE Antivirus

Threat.4799966

40830

Zillya! Antivirus

Backdoor.Agent.Win32.55233

2.0.0.2259

File size:

23.5 KB (24,064 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\lss.exe

File PE Metadata

Compilation timestamp:

6/23/2015 7:37:04 PM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

8.0

.NET CLR dependent:

Yes

CTPH (ssdeep):

384:rc6CqbFYh3odrVCGiHssCB4b6i6fgpEupNXRmRvR6JZlbw8hqIusZzZ52:wIU0twcRpcnu7

Entry address:

0x749E

Entry point:

FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00... 
[+]

Entropy:

5.5302

Developed / compiled with:

Microsoft Visual C# / Basic .NET

Code size:

21.5 KB (22,016 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

f674606c373688130d0d5c80cb323a1d

Command:

"C:\users\{user}\appdata\roaming\lss.exe"..

The file lss.exe has been seen being distributed by the following 2 URLs.

http://www.filetolink.com/.../?h=05273e1321a0ddec5133ccff78142870&t=1467749397&f=46d06f9df0

http://www.filetolink.com/.../?h=9c7c7b8e7874f80bef4f56f4605bc82f&t=1467818648&f=3052cac98c

Remove lss.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.