lsass.exe

The executable lsass.exe has been detected as malware by 40 anti-virus scanners. While running, it connects to the Internet address ats.sbs.vip.bf1.yahoo.com on port 443.
MD5: e33cdb7bc85a599303a6716d0b9a6db7

SHA-1: 5417a44b343e67c72483acc60bfc2d09d3931646

SHA-256: d425106858e4a0ea2c4f9ff87ccd707361cbfb65cca1fcc79cf09fcb1a01275f

Scanner detections: 40 / 68

Status: Malware

Analysis date: 5/3/2024 1:01:50 AM UTC

Scan engine                      Detection                                Engine version
Lavasoft Ad-Aware                Worm.Generic.87016                       606
Agnitum Outpost                  I-Worm.Brontok                           7.1.1
AhnLab V3 Security               HEUR/Fakon.mwf                           2015.06.07
Avira AntiVirus                  WORM/Brontok.E.1                         8.3.1.6
Arcabit                          Worm.Generic.D153E8                      1.0.0.425
avast!                           Win32:Brontok-CE [Wrm]                   2014.9-150609
AVG                              I-Worm/Brontok.X                         2016.0.3084
Baidu Antivirus                  Trojan.Win32.Agent                       4.0.3.1569
Bitdefender                      Worm.Generic.87016                       1.0.20.800
Bkav FE                          W32.BrontokQ                             1.3.0.6379
Clam AntiVirus                   Worm.Brontok.H                           0.98/21511
Comodo Security                  Packed.Win32.Packer.~GEN                 22360
Dr.Web                           Win32.HLLM.Generic.440                   9.0.1.0160
Emsisoft Anti-Malware            Worm.Generic.87016                       8.15.06.09.02
ESET NOD32                       Win32/Brontok.AS                         9.11745
Fortinet FortiGate               W32/Brontok.Q@mm                         6/9/2015
F-Prot                           W32/EmailWorm.CLS                        v6.4.7.1.166
F-Secure                         Worm.Generic.87016                       11.2015-09-06_3
G Data                           Worm.Generic.87016                       15.6.25
IKARUS anti.virus                Email-Worm.Win32.Brontok                 t3scan.1.9.5.0
K7 AntiVirus                     Trojan                                   13.204.16151
Kaspersky                        Email-Worm.Win32.Brontok                 14.0.0.1915
Malwarebytes                     Trojan.Dropper                           v2015.06.09.02
McAfee                           W32/Rontokbro.worm                       5600.6740
Microsoft Security Essentials    Worm:Win32/Brontok.BM@mm                 1.1.11701.0
MicroWorld eScan                 Worm.Generic.87016                       16.0.0.480
NANO AntiVirus                   Trojan.Win32.Brontok.ppjl                0.30.24.1636
Panda Antivirus                  Trj/WLT.A                                15.06.09.02
Qihoo 360 Security               Win32/Worm.Email-Worm.343                1.0.0.1015
Quick Heal                       W32.Brontok.Q                            6.15.14.00
Rising Antivirus                 PE:Trojan.Win32.Mnless.dyr!1075184010    23.00.65.15607
Sophos                           W32/Brontok-Gen                          4.98
SUPERAntiSpyware                 Unclassified.Unknown Origin              9825
Total Defense                    Win32/ASuspect.HFAEN!genus               37.1.62.1
Trend Micro House Call           WORM_BRONTOK.FWC                         7.2.160
Trend Micro                      WORM_BRONTOK.FWC                         10.465.09
Vba32 AntiVirus                  Email-Worm.Brontok                       3.12.26.4
VIPRE Antivirus                  Email-Worm.Win32.Brontok.q               40886
ViRobot                          I-Worm.Win32.Brontok.44448[h]            2014.3.20.0
Zillya! Antivirus                Worm.Brontok.Win32.489                   2.0.0.2208

File size: 43.4 KB (44,448 bytes)

File type: Executable application (Win32 EXE)

Common path: C:\users\{user}\appdata\local\lsass.exe

File PE Metadata

OS version: 4.0

OS bitness: Win32

Subsystem: Windows GUI

Linker version: 5.12

CTPH (ssdeep): 768:rZYd/mil8ZcouS+QemRBxUPJftwBG72EvuAN5kTvCOTgUHv35BMCl:VYVmil8Z5xemR7StwMfuADyCGgUv5J

Entry address: 0x31B87

Entry point: E9, C8, E5, FC, FF, 0C, 70, 02, 00, 00, 00, 00, 00, 00, 00, 00, 00, 5E, 1B, 03, 00, 0C, 70, 02, 00...

Entropy: 7.3168

Packer / compiler: RLPack FullEdition V1.1X

Code size: 512 bytes

Safe Boot Alternate Shell
Name: cmd-brontok.exe


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP SSL): Connects to ats.sbs.vip.bf1.yahoo.com (72.30.202.139:443)

Powered by Reason Core Security