lsass.exe

The executable lsass.exe has been detected as malware by 53 anti-virus scanners. Note that lsass.exe is also the name of the legitimate Windows Local Security Authority Subsystem Service, which runs from %SystemRoot%\System32 and is started by wininit.exe; this sample borrows that name but runs from C:\win\lsass.exe. It is set to execute automatically whenever any user logs into Windows, via a machine-wide Run value (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) named 'run32'. While running, it connects over HTTP (TCP port 80) to ns2.ttidc.com.tr and dnsrev.romtelecom.net.
Version:
0.0.0.0

MD5:
bf818d549f8435027ad9c4d2bb1130ec

SHA-1:
0c24896386baa0a7386f3ed6f07677dc5cf1fc27

SHA-256:
2fe82caf02575fee3336480a0d921abb3c90b8de5e132d4cdb2377687c86bd61

Scanner detections:
53 / 68

Status:
Malware

Analysis date:
4/27/2024 3:12:00 AM UTC

Scan engine                   | Detection                              | Engine version
------------------------------|----------------------------------------|-----------------
Lavasoft Ad-Aware             | Gen:Trojan.Heur.NqNfrbQkkOlib          | 889
Agnitum Outpost               | Trojan.DR.Agent                        | 7.1.1
AhnLab V3 Security            | HEUR/Fakon.mwf                         | 2014.08.22
Avira AntiVirus               | TR/Dropper.Gen                         | 7.11.168.134
avast!                        | HTML:Malware-gen                       | 2014.9-140829
AVG                           | Dropper.Generic3                       | 2015.0.3367
Baidu Antivirus               | Trojan.Win32.Agent                     | 4.0.3.14829
Bitdefender                   | Gen:Trojan.Heur.NqNfrbQkkOlib          | 1.0.20.1205
Bkav FE                       | W32.HelompyQKA                         | 1.3.0.4959
Comodo Security               | TrojWare.Win32.Downloader.Agent.ewxm   | 19266
Dr.Web                        | Trojan.Click2.8937                     | 9.0.1.0241
Emsisoft Anti-Malware         | Gen:Trojan.Heur.NqNfrbQkkOlib          | 8.14.08.29.12
ESET NOD32                    | Win32/Autoit.GP                        | 8.10293
Fortinet FortiGate            | W32/Sohana.A!worm.im                   | 8/29/2014
F-Prot                        | W32/Trojan2.MFAR                       | v6.4.7.1.166
F-Secure                      | Trojan-Spy:W32/Keylogger.RG            | 11.2014-29-08_6
G Data                        | Gen:Trojan.Heur.NqNfrbQkkOlib          | 14.8.24
IKARUS anti.virus             | Trojan.Crypt                           | t3scan.1.7.5.0
K7 AntiVirus                  | Trojan                                 | 13.183.13125
Kaspersky                     | IM-Worm.Win32.Sohanad                  | 14.0.0.3332
Malwarebytes                  | Trojan.Autoit                          | v2014.08.29.12
McAfee                        | W32/YahLover.worm.gen                  | 5600.7023
Microsoft Security Essentials | Worm:Win32/Helompy.A                   | 1.10903
MicroWorld eScan              | Gen:Trojan.Heur.NqNfrbQkkOlib          | 15.0.0.723
NANO AntiVirus                | Trojan.Win32.Napad.ijfyd               | 0.28.2.61721
nProtect                      | Worm/W32.Sohanad_Packed.654069         | 14.08.21.01
Panda Antivirus               | Trj/Keylogger.FX                       | 14.08.29.12
Qihoo 360 Security            | HEUR/Malware.QVM11.Gen                 | 1.0.0.1015
Quick Heal                    | I-Worm.Sohanad.r4                      | 8.14.14.00
Rising Antivirus              | PE:Worm.Win32.Agent.abv!1447412        | 23.00.65.14827
Sophos                        | W32/AutoRun-BUC                        | 4.98
SUPERAntiSpyware              | Trojan.Agent/Gen-Helompy               | 10392
Total Defense                 | Win32/Yahlover.HZ                      | 37.0.11135
Trend Micro House Call        | TROJ_GEN.R0CCOH0CH14                   | 7.2.241
Trend Micro                   | Mal_OtorunN                            | 10.465.29
Vba32 AntiVirus               | Trojan-Downloader.Autoit.gen           | 3.12.26.3
VIPRE Antivirus               | Trojan.Win32.AutoIT.gen                | 32422
ViRobot                       | Worm.Win32.A.IM-Sohanad.278196         | 2011.4.7.4223
Zillya! Antivirus             | Virus.Sality.Win32.15                  | 2.0.0.1897

File size:
638.7 KB (654,069 bytes)

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

File PE Metadata
Compilation timestamp:
7/11/2007 11:21:32 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
12288:HM5DSN6aAH0XNp7gGpWa7U8oico9hJMBex+gQL0:HM5D18NpEGZNVlxnF

Entry address:
0x9B110

Entry point:
60, BE, 00, B0, 46, 00, 8D, BE, 00, 60, F9, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B...
 

Entropy:
7.0428

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.24

Code size:
196 KB (200,704 bytes)
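The packer identification and the entropy figure above come from two independent checks that an analyst can reproduce by hand: the bytes at the entry point begin with the stock UPX 1.x x86 unpacker stub (pushad; mov esi, packed-data VA; lea edi, [esi + disp32]; push edi; jmp short into the copy loop), and the overall file entropy is close to the 8-bit ceiling. The following Python is an added example, not code from this page or from Reason Core Security; it parses the entry-point dump shown above (only the prefix needed for the check, since the page truncates the dump), recognises the stub, recovers the source and destination virtual addresses the stub encodes, and computes Shannon entropy over arbitrary bytes. The 7.0 entropy threshold in packer_verdict is a common heuristic, not a value from the page.

```python
import math
import re

# Entry-point bytes as listed on this page (the page truncates the dump with
# "..."; only the prefix needed for the stub check is reproduced here).
ENTRY_POINT_HEX = (
    "60, BE, 00, B0, 46, 00, 8D, BE, 00, 60, F9, FF, 57, EB, 0B, 90, "
    "8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED"
)

# UPX 1.x x86 unpacker stub, in the order the bytes appear in the dump:
#   60                  pushad
#   BE imm32            mov  esi, <VA of packed data>
#   8D BE disp32        lea  edi, [esi + disp32]   ; VA the code is unpacked to
#   57                  push edi
#   EB 0B               jmp  short +0x0B
#   90                  nop
#   8A 06 46 88 07 47   mov al,[esi] / inc esi / mov [edi],al / inc edi
#   01 DB 75 07         add ebx,ebx / jnz ...      ; NRV bit-buffer refill
UPX_STUB = re.compile(
    rb"\x60\xBE....\x8D\xBE....\x57\xEB\x0B\x90\x8A\x06\x46\x88\x07\x47\x01\xDB\x75\x07",
    re.DOTALL,
)


def parse_hex_dump(text: str) -> bytes:
    """Turn an 'XX, XX, ...' dump into bytes, ignoring separators and a trailing '...'."""
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9A-Fa-f]{2}\b", text))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def match_upx_stub(entry: bytes):
    """Return the stub's packed/unpacked VAs if the entry point is a UPX stub, else None."""
    if not UPX_STUB.match(entry):
        return None
    packed_va = int.from_bytes(entry[2:6], "little")             # imm32 of mov esi
    disp = int.from_bytes(entry[8:12], "little", signed=True)    # disp32 of lea edi
    return {"packed_va": packed_va, "unpacked_va": (packed_va + disp) & 0xFFFFFFFF}


def packer_verdict(entry: bytes, file_entropy: float) -> str:
    """Combine the stub signature with the entropy heuristic (7.0 is an assumed threshold)."""
    stub = match_upx_stub(entry)
    if stub:
        return "UPX stub at entry point: unpacks 0x%08X -> 0x%08X" % (
            stub["packed_va"], stub["unpacked_va"])
    if file_entropy >= 7.0:
        return "high entropy (%.4f) but no known stub: unknown packer or encrypted payload" % file_entropy
    return "no packer indicators"


if __name__ == "__main__":
    ep = parse_hex_dump(ENTRY_POINT_HEX)
    print(packer_verdict(ep, 7.0428))  # 7.0428 is the entropy reported on this page
```

For this sample the stub encodes a copy from VA 0x0046B000 down to 0x00401000, the usual layout of a UPX-packed image with base 0x400000 whose original .text starts at 0x401000. That is the region to dump after letting the stub run (or after `upx -d`, which works only when the UPX headers have not been tampered with) before any static analysis of the AutoIt payload the scanners name.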

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
run32

Command:
C:\win\lsass.exe
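The persistence entry above is detectable without any signature: Windows never registers lsass.exe (or the other core session processes) under a Run key, and the genuine binary lives only in %SystemRoot%\System32. The following Python is an added example, not code from this page or from Reason Core Security; it applies that check to a constructed list of Run values, the first of which mirrors the value shown above. The other two sample entries, the list of protected image names and the set of "normal" install roots are assumptions for the example, not data from the page.

```python
import ntpath

# Image names that Windows launches itself (kernel, wininit, services) from the
# system directory; none of them is ever registered under a Run key.
PROTECTED_IMAGE_NAMES = {
    "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe",
    "winlogon.exe", "services.exe", "svchost.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Roots where legitimately installed autostart images normally live (assumption).
EXPECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\users", r"c:\programdata")


def image_path(command: str) -> str:
    """Extract the executable path from a Run value: "quoted path" args | path args."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]          # unquoted paths with spaces must be quoted on Windows


def assess_run_entry(hive: str, name: str, command: str) -> dict:
    """Score one Run value; severity is 'high', 'low' or 'none'."""
    path = image_path(command)
    base = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    findings, severity = [], "none"
    if base in PROTECTED_IMAGE_NAMES:
        severity = "high"
        if directory.startswith(SYSTEM_DIRS):
            findings.append(f"{base} is a core Windows process; Windows does not start it via Run")
        else:
            findings.append(
                f"{base} is a core Windows process name but runs from '{directory}': name masquerading")
    if not directory.startswith(EXPECTED_ROOTS):
        findings.append(f"image installed under unusual root '{directory}'")
        severity = severity if severity == "high" else "low"
    return {"hive": hive, "name": name, "image": path, "severity": severity, "findings": findings}


def triage(entries):
    """Assess (hive, value name, command) tuples and return only the flagged ones."""
    results = [assess_run_entry(*entry) for entry in entries]
    return [r for r in results if r["severity"] != "none"]


# Constructed sample data for this example; the first row mirrors the Run value on this page.
SAMPLE_ENTRIES = [
    ("HKLM", "run32", r"C:\win\lsass.exe"),
    ("HKLM", "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU", "VendorAgent", r'"C:\Program Files\Vendor\Agent.exe" /tray'),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ENTRIES):
        print(hit["hive"], hit["name"], hit["image"], hit["severity"])
        for f in hit["findings"]:
            print("   -", f)
```

On a live host the input tuples come from `Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'` and its HKCU, Wow6432Node and RunOnce counterparts (or from Autoruns), and removal is deleting the 'run32' value and the file it points to, after confirming the file's hash against the values listed at the top of this page rather than trusting the name.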


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ns2.ttidc.com.tr  (85.111.6.83:80)

TCP (HTTP):
Connects to dnsrev.romtelecom.net  (86.35.3.192:80)

Remove lsass.exe - Powered by Reason Core Security