lsass.exe

The executable lsass.exe has been detected as malware by 5 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current user's Run registry key, under the display name ‘Tok-Cirrhatus-1497’. While running, it connects to the Internet address unknown.prolexic.com on port 80 using the HTTP protocol.
MD5:
5826e6bb41d49f72b2f82c5f38d9ffb1

SHA-1:
4bc94e8e03d8b38da62aff6b5f1961190d3488f4

SHA-256:
3209c34a0560ec25aaf4734bdd25732f18d2c0f1701fe009bf667488ba690397

Scanner detections:
5 / 68

Status:
Malware

Analysis date:
5/21/2024 12:09:23 PM UTC

Scan engine        Detection                   Engine version
AVG                I-Worm/Brontok.X            2013.0.4477
Clam AntiVirus     Win.Worm.Brontok-60         0.98/22993
ESET NOD32         Win32/Brontok.BR worm       6.3.12010.0
F-Prot             W32/Brontok.C.gen           4.6.5.141
Kaspersky          Email-Worm.Win32.Brontok    15.0.2.529

File size:
126.7 KB (129,737 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\lsass.exe

File PE Metadata
Compilation timestamp:
11/14/2002 3:29:43 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
5.12

Entry address:
0x31B58

Entry point:
E9, F7, E5, FC, FF, 0C, 70, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 2F, 1B, 03, 00, 0C, 70, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
4.9484

Packer / compiler:
MEW, 0x11 SE v1.2

Code size:
512 bytes

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Tok-Cirrhatus-1497

Command:
"C:\users\{user}\appdata\local\br4017on.exe"


While executing, the file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to unknown.prolexic.com (72.52.4.121:80)
