» lsass.exe
Overview
Analysis
File Details
Behaviors (1)
Network (1)

lsass.exe

Project1

The executable lsass.exe has been detected as malware by 38 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘pikachu’.

File name:

lsass.exe

Product:

Project1

Version:

1.00

MD5:

84812d6bc28f27b0e2dcce93a2e8ec12

SHA-1:

2a21e7cff1800c693bf921972ad8fbdeb49f5632

Scanner detections:

38 / 68

Status:

Malware

Analysis date:

4/18/2024 7:58:48 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

IRC-Worm.Generic.24658

-40

Agnitum Outpost

Worm.Chupik

7.1.1

AhnLab V3 Security

Trojan/Win32.Cosmu

2014.08.09

Avira AntiVirus

TR/Crypt.ULPM.Gen

7.11.166.32

avast!

Win32:Sality

2014.9-170316

AVG

Worm/VB

2018.0.2438

Bitdefender

IRC-Worm.Generic.24658

1.0.20.375

Bkav FE

W32.PikachuGTA

1.3.0.4959

Comodo Security

Worm.Win32.Autorun.eb0

19128

Dr.Web

Trojan.MulDrop2.63234

9.0.1.075

Emsisoft Anti-Malware

IRC-Worm.Generic.24658

8.17.03.16.09

ESET NOD32

Win32/VB.NSP

11.10226

Fortinet FortiGate

W32/VB.SDE!tr

3/16/2017

F-Prot

W32/Worm.APUJ

v6.4.7.1.166

F-Secure

IRC-Worm.Generic.24658

11.2017-16-03_5

G Data

IRC-Worm.Generic.24658

17.3.24

IKARUS anti.virus

Worm.Win32.VB

t3scan.1.6.1.0

K7 AntiVirus

Trojan

13.183.12998

Kaspersky

Trojan.Win32.Agent

14.0.0.-1317

Malwarebytes

Trojan.Agent

v2017.03.16.09

McAfee

W32/Worm-FEL!84812D6BC28F

5600.6094

Microsoft Security Essentials

Worm:Win32/Chupik.A

1.10802

MicroWorld eScan

IRC-Worm.Generic.24658

18.0.0.225

NANO AntiVirus

Trojan.Win32.MulDrop2.crsvig

0.28.2.61349

Norman

Obfuscated.CD!genr

11.20170316

nProtect

IRC-Worm.Generic.24658

14.08.08.01

Panda Antivirus

W32/Picachu.A.worm

17.03.16.09

Qihoo 360 Security

Malware.QVM01.Gen

1.0.0.1015

Quick Heal

Worm.Chupik.A3

3.17.14.00

Rising Antivirus

PE:Worm.VobfusEx!1.99E4

23.00.65.17314

Sophos

Mal/VB-F

4.98

SUPERAntiSpyware

Trojan.Agent/Gen-Pikachu

8532

Total Defense

Win32/Chupika.A

37.0.11108

Trend Micro House Call

TROJ_SPNR.02EM12

7.2.75

Trend Micro

TROJ_SPNR.02EM12

10.465.16

Vba32 AntiVirus

Worm.VB

3.12.26.3

VIPRE Antivirus

Trojan.Win32.Generic.pak!cobra

32050

ViRobot

Worm.Win32.VB.110592.B

2011.4.7.4223

File size:

1.5 MB (1,560,576 bytes)

Product version:

1.00

Original file name:

pikachu.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\windows\system\lsass.exe

File PE Metadata

Compilation timestamp:

4/15/2009 2:57:02 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

6.0

Entry address:

0x50860

Entry point:

60, BE, 00, 50, 44, 00, 8D, BE, 00, C0, FB, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89... 
[+]

Entropy:

7.7989

Packer / compiler:

UPX 2.90LZMA

Code size:

48 KB (49,152 bytes)

Startup File (User Run)

Registry location:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

pikachu

Command:

C:\windows\nacl.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to ec2-52-24-5-162.us-west-2.compute.amazonaws.com (52.24.5.162:80)

Remove lsass.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.