lsass.exe

The executable lsass.exe has been detected as malware by 28 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘199f3d9632906635fe7195e4ca97a467’. The file has been seen being downloaded from www.weebly.com and multiple other hosts.
Publisher:
excreta da carbon

Product:
excreta da carbon dioxide

Description:
wanda yake shi

Version:
7.0.302.0

MD5:
d0d8d32110b96e27bd5d7247d6a281a7

SHA-1:
eef39642ed2cff97208b33eee49f0c80a9693801

SHA-256:
21b06eef904204edb36d2d115321e45c90d0ed3f4ff5ffaa25603eeb3a655900

Scanner detections:
28 / 68

Status:
Malware

Analysis date:
4/26/2024 10:40:41 PM UTC

Scan engine                    Detection                          Engine version
Lavasoft Ad-Aware              Gen:Variant.Kazy.644915            396
Agnitum Outpost                Trojan.Zapchast                    7.1.1
Avira AntiVirus                TR/Bladabindi.A.8036               8.3.2.4
avast!                         Win32:Malware-gen                  2014.9-160105
AVG                            BackDoor.Generic18                 2017.0.2874
Baidu Antivirus                Trojan.MSIL.Zapchast               4.0.3.1615
Bitdefender                    Gen:Variant.Kazy.644915            1.0.20.25
Bkav FE                        W32.Clod04b.Trojan                 1.3.0.7383
Comodo Security                UnclassifiedMalware                23778
Dr.Web                         Trojan.DownLoader13.37147          9.0.1.05
Emsisoft Anti-Malware          Gen:Variant.Kazy.644915            8.16.01.05.07
ESET NOD32                     Generik.GBUJWNJ (variant)          10.12732
Fortinet FortiGate             W32/Zapchast.ABBKD!tr              1/5/2016
F-Secure                       Gen:Variant.Kazy.644915            11.2016-05-01_3
G Data                         Gen:Variant.Kazy.644915            16.1.25
IKARUS anti.virus              Backdoor.MSIL.Bladabindi           t3scan.1.9.5.0
K7 AntiVirus                   Riskware                           13.212.18130
Kaspersky                      Trojan.MSIL.Zapchast               14.0.0.864
McAfee                         RDN/Generic.bfr!io                 5600.6530
Microsoft Security Essentials  Backdoor:MSIL/Bladabindi           1.1.12300.0
MicroWorld eScan               Gen:Variant.Kazy.644915            17.0.0.15
NANO AntiVirus                 Trojan.Win32.Zapchast.dtcryu       1.0.10.5081
Panda Antivirus                Trj/CI.A                           16.01.05.07
Qihoo 360 Security             Win32/Trojan.477                   1.0.0.1077
Quick Heal                     Backdoor.BLA.r3                    1.16.14.00
Rising Antivirus               PE:Malware.Generic/QRS!1.9E2D [F]  23.00.65.16103
Trend Micro                    TROJ_GEN.R021C0CFO15               10.465.05
VIPRE Antivirus                Trojan.Win32.Generic               45884

File size:
147.5 KB (151,040 bytes)

Product version:
7.0.302.0

Copyright:
Copyright © wanda yake shi 2015

Trademarks:
wanda yake shi

Original file name:
anonymos.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\roaming\lsass.exe

File PE Metadata
Compilation timestamp:
6/2/2015 7:14:50 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:JmHKNeUzlNsGy/H1ppM48X2WaPkHONz0u02SPI:wHKNeRGO/bDDSu02uI

Entry address:
0x25B0F

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.2138

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
143 KB (146,432 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
199f3d9632906635fe7195e4ca97a467

Command:
"C:\users\{user}\appdata\roaming\lsass.exe"

The file lsass.exe has been seen being distributed by the following 2 URLs.

http://www.weebly.com/uploads/5/1/7/4/.../lsass-1.exe

Remove lsass.exe - Powered by Reason Core Security