» lsass.exe
Overview
Analysis
File Details
Behaviors (1)
Network (1)

lsass.exe

The application lsass.exe has been detected as a potentially unwanted program by 37 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘lsass’. Accoriding to the detections, this has been classified as a kyelogger which is capable of recoring a user's keystrokes. While running, it connects to the Internet address ip-184-168-221-36.ip.secureserver.net on port 80 using the HTTP protocol.

File name:

lsass.exe

MD5:

254cfb57481dc86f0cd1655d001812c3

SHA-1:

a3e0cb28ffcd9585e9d8e2fc17503c5ee0bcb511

Scanner detections:

37 / 68

Status:

Potentially unwanted

Analysis date:

4/19/2024 7:56:11 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Trojan.Heur.kzGfr9ATZXfib

-36

AegisLab AV Signature

W32.W.AutoRun.mwqI

2.1.4+

AhnLab V3 Security

Trojan/Win32.Agent

2016.04.25

Avira AntiVirus

TR/Dropper.Gen

8.3.3.4

Arcabit

Trojan.Heur.kzGfr9ATZXfib

1.0.0.672

avast!

Win32:HomeKeyLog-B [PUP]

2014.9-170311

AVG

Dropper.Generic4

2018.0.2442

Baidu Antivirus

Win32.Trojan.WisdomEyes.151026.9950

4.0.3.17311

Bitdefender

Gen:Trojan.Heur.kzGfr9ATZXfib

1.0.20.350

Bkav FE

W32.HfsAutoB

1.3.0.7744

Clam AntiVirus

Legacy.Trojan.Agent-1388589

0.98/21511

Comodo Security

TrojWare.Win32.Kryptik.VARA

24865

Dr.Web

Trojan.KeyLogger.25070

9.0.1.070

Emsisoft Anti-Malware

Gen:Trojan.Heur.kzGfr9ATZXfib

8.17.03.11.05

ESET NOD32

Win32/AutoRun.Autoit.GB

11.13385

Fortinet FortiGate

W32/AutoRun.GB!worm

3/11/2017

F-Secure

Gen:Trojan.Heur.kzGfr9ATZXfib

11.2017-11-03_7

G Data

Gen:Trojan.Heur.kzGfr9ATZXfib

17.3.25

IKARUS anti.virus

Trojan-Spy.Win32.KeyLogger

t3scan.2.0.9.0

K7 AntiVirus

Trojan

13.222.19406

Kaspersky

IM-Worm.Win32.Sohanad

14.0.0.-1294

Malwarebytes

Trojan.Agent

v2017.03.11.05

McAfee

Artemis!254CFB57481D

5600.6098

Microsoft Security Essentials

Worm:AutoIt/Autorun.AN

1.1.12603.0

MicroWorld eScan

Gen:Trojan.Heur.kzGfr9ATZXfib

18.0.0.210

NANO AntiVirus

Trojan.Win32.Sohanad.dfjtgm

1.0.30.8000

Panda Antivirus

Trj/Genetic.gen

17.03.11.05

Qihoo 360 Security

Win32/Worm.IM.a4d

1.0.0.1120

Quick Heal

Worm.Autoit.Sohanad.A4

3.17.14.00

Rising Antivirus

PE:Win32.KUKU.kj!1522176 [F]

23.00.65.17309

Sophos

FamilyKeylogger (PUA)

4.98

Total Defense

Win32/SillyAutorun.FUH

37.1.62.1

Trend Micro House Call

Mal_OtorunO

7.2.70

Trend Micro

Mal_OtorunO

10.465.11

Vba32 AntiVirus

Trojan.Autoit.Injcrypt

3.12.26.4

VIPRE Antivirus

Trojan.Win32.Generic!SB.0

48892

Zillya! Antivirus

Worm.AutoItGen.Win32.483

2.0.0.2810

File size:

1.2 MB (1,215,744 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Documents and Settings\{user}\Application data\lsass.exe

File PE Metadata

Compilation timestamp:

5/5/1999 4:57:00 PM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

Entry address:

0xB2B50

Entry point:

60, BE, 00, D0, 45, 00, 8D, BE, 00, 40, FA, FF, 57, 83, CD, FF, EB, 10, 90, 90, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 75, 20, 41, 01, DB, 75... 
[+]

Entropy:

6.4478

Packer / compiler:

UPX 2.90LZMA

Code size:

344 KB (352,256 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

lsass

Command:

C:\Documents and Settings\{user}\Application data\lsass.exe

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):

Connects to ip-184-168-221-36.ip.secureserver.net (184.168.221.36:80)

Remove lsass.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.