LSM.exe

The executable LSM.exe has been detected as malware by 9 of 68 anti-virus scanners. Five of those nine report the identical generic name Gen:Variant.Zusy.115814, so the raw count overstates the number of independent verdicts; the most specific label is ESET's MSIL/TrojanClicker.Agent.NIQ, a .NET click-fraud trojan, which fits the .NET metadata below and the ad-network and analytics endpoints in the connection list. While running, it connects over plain HTTP (port 80) to hosted-by.netdirekt.com.tr, one of the 20 destinations listed at the end of this page.
Version:
1.0.0.0

MD5:
43875a67d66e19ef298d8de0acd57311

SHA-1:
815f83d7b82a4730fdf8f781e6416f534608cc3f

SHA-256:
403a264f028f3dee37628edb5e7ad2ac85eb8f0af44a858e24ef3d0f37df485f

Scanner detections:
9 / 68

Status:
Malware

Analysis date:
12/12/2018 1:38:28 PM UTC

Scan engine             Detection                                   Engine version
Lavasoft Ad-Aware       Gen:Variant.Zusy.115814                     774
Avira AntiVirus         TR/ATRAPS.Gen                               7.11.195.208
avast!                  Win32:Malware-gen                           2014.9-141223
AVG                     MSIL6                                       2015.0.3252
Bitdefender             Gen:Variant.Zusy.115814                     1.0.20.1785
Emsisoft Anti-Malware   Gen:Variant.Zusy.115814                     8.14.12.23.09
ESET NOD32              MSIL/TrojanClicker.Agent.NIQ (variant)      8.10879
G Data                  Gen:Variant.Zusy.115814                     14.12.24
MicroWorld eScan        Gen:Variant.Zusy.115814                     15.0.0.1071

File size:
131 KB (134,144 bytes)

Product version:
1.0.0.0

Original file name:
LSM.exe

File type:
Executable application (Win32 EXE)

Language:
Turkish (Turkey)

Common path:
C:\ProgramData\lsm.exe

The file name mimics the Local Session Manager binary that Windows Vista and 7 ship as %SystemRoot%\System32\lsm.exe. Windows installs nothing by that name under C:\ProgramData, so a copy at this path is a usable indicator alongside the hashes above.

File PE Metadata
Compilation timestamp:
12/14/2014 6:29:39 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
1536:6gxv9SxoR91sqfmRPkRzU7SpaEHZmHFslfz9leQbzNzuy4YS11uvh4aKH:68v8xcPsQYPDdEoHFwfzPeQ5uZuWa2

Entry address:
0x21F3E

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
The first six bytes, FF 25 00 20 40 00, disassemble to jmp dword ptr [0x402000]: with the default 0x400000 image base this is an indirect jump through the import address table at RVA 0x2000, the standard native stub a .NET compiler emits to hand control to mscoree!_CorExeMain. That agrees with the ".NET CLR dependent: Yes" field and with the MSIL names ESET and AVG assign; the zero bytes after the stub are padding, not code.

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
128 KB (131,072 bytes)
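As an added example (this editor's code, not part of the report and not Reason Core's tooling), the following script does offline what the fields above summarise: it computes the three hashes listed on this page and compares them, and it reads just enough of the PE32 header to confirm the CLR runtime-header data directory and the _CorExeMain jump stub at the entry point. The minimal PE it builds for testing is constructed here and is not the real LSM.exe; the IOC values are the ones printed above.

```python
import hashlib
import struct

# Indicators copied from this report.
PAGE_IOCS = {
    "md5": "43875a67d66e19ef298d8de0acd57311",
    "sha1": "815f83d7b82a4730fdf8f781e6416f534608cc3f",
    "sha256": "403a264f028f3dee37628edb5e7ad2ac85eb8f0af44a858e24ef3d0f37df485f",
    "size": 134144,
}

def hashes_of(data: bytes) -> dict:
    """MD5, SHA-1, SHA-256 and size of a file image, keyed like PAGE_IOCS."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }

def matches_page_iocs(data: bytes) -> dict:
    """True/False per indicator against the values listed on this page."""
    seen = hashes_of(data)
    return {key: seen[key] == value for key, value in PAGE_IOCS.items()}

def pe_triage(data: bytes) -> dict:
    """Read just enough of a PE32 header to check two things the report states:
    the image carries a CLR runtime header, and its entry point is the usual
    'jmp dword ptr [IAT slot]' stub that hands control to mscoree!_CorExeMain."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    # Data directories: index 12 = import address table, 14 = CLR runtime header.
    iat_rva, iat_size = struct.unpack_from("<II", data, opt + 96 + 12 * 8) if n_dirs > 12 else (0, 0)
    _clr_rva, clr_size = struct.unpack_from("<II", data, opt + 96 + 14 * 8) if n_dirs > 14 else (0, 0)
    # Walk the section table to map the entry RVA onto a file offset.
    entry_off = None
    for i in range(n_sections):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_off = rawptr + (entry_rva - va)
            break
    entry_bytes = data[entry_off:entry_off + 6] if entry_off is not None else b""
    jmp_target = None
    if len(entry_bytes) == 6 and entry_bytes[:2] == b"\xff\x25":  # FF 25 = jmp dword ptr [imm32]
        jmp_target = struct.unpack_from("<I", entry_bytes, 2)[0]
    target_in_iat = jmp_target is not None and iat_rva <= jmp_target - image_base < iat_rva + iat_size
    return {
        "entry_rva": entry_rva,
        "entry_bytes": entry_bytes.hex(),
        "is_dotnet": clr_size > 0,
        "jmp_target": jmp_target,
        # Managed executables start with an indirect jump through their own IAT;
        # native code normally does not, so both conditions together are required.
        "entry_is_cor_stub": clr_size > 0 and target_in_iat,
    }

def build_synthetic_dotnet_pe() -> bytes:
    """Constructed test image, not the real LSM.exe: a minimal PE32 with one .text
    section, a CLR data directory and the _CorExeMain stub at its entry point."""
    image_base, text_rva, text_raw, text_size = 0x400000, 0x2000, 0x200, 0x200
    entry_rva = text_rva + 0x50
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 12 * 8, text_rva, 8)           # IAT: one slot at RVA 0x2000
    struct.pack_into("<II", opt, 96 + 14 * 8, text_rva + 8, 72)      # CLR runtime header
    sec = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva, text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    text = bytearray(text_size)
    text[0x50:0x56] = b"\xff\x25" + struct.pack("<I", image_base + text_rva)  # jmp [0x402000]
    return header.ljust(text_raw, b"\0") + bytes(text)

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_synthetic_dotnet_pe()
    print(matches_page_iocs(image))
    print(pe_triage(image))
```

Run it with a file path to triage a real sample; without arguments it triages the constructed image, which matches none of the page's hashes but does show the CLR directory and the jmp [0x402000] stub. The IAT check is the part worth keeping: a bare FF 25 at the entry point is not enough on its own, since any binary can begin with an indirect jump, but an indirect jump into the image's own import table combined with a non-empty CLR directory is exactly what a .NET compiler emits.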

The executing file has been seen to make the following network communications in live environments. Most of the destinations are shared infrastructure (Google's 1e100.net front ends, Amazon CloudFront edges, Yandex Metrica, the Ligatus ad network) that an ad-clicker visits by design and that plenty of benign software also reaches, so on their own they are poor blocking indicators. The Turkish hosting addresses (sadecehosting.net, doratelekom.com, netdirekt.com.tr) are the ones worth correlating with the file hashes and path above.

TCP (HTTP):
Connects to x.ligatus.com  (81.26.166.11:80)

TCP (HTTP):
Connects to www.turktelekom.com.tr  (195.175.116.185:80)

TCP (HTTP):
Connects to static-251-147-132-188.sadecehosting.net  (188.132.147.251:80)

TCP (HTTP):
Connects to static-163-244-132-188.sadecehosting.net  (188.132.244.163:80)

TCP (HTTP):
Connects to static-117-148-132-188.sadecehosting.net  (188.132.148.117:80)

TCP (HTTP):
Connects to static.doratelekom.com  (95.128.60.150:80)

TCP (HTTP):
Connects to sof01s11-in-f3.1e100.net  (216.58.208.99:80)

TCP (HTTP):
Connects to sof01s11-in-f2.1e100.net  (216.58.208.98:80)

TCP (HTTP SSL):
Connects to sof01s11-in-f13.1e100.net  (216.58.208.109:443)

TCP (HTTP):
Connects to sof01s11-in-f1.1e100.net  (216.58.208.97:80)

TCP (HTTP SSL):
Connects to sof01s11-in-f0.1e100.net  (216.58.208.96:443)

TCP (HTTP):
Connects to server-54-230-82-86.mia50.r.cloudfront.net  (54.230.82.86:80)

TCP (HTTP):
Connects to server-54-230-118-146.sfo9.r.cloudfront.net  (54.230.118.146:80)

TCP (HTTP SSL):
Connects to server-54-192-231-14.waw50.r.cloudfront.net  (54.192.231.14:443)

TCP (HTTP SSL):
Connects to server-54-192-231-111.waw50.r.cloudfront.net  (54.192.231.111:443)

TCP (HTTP):
Connects to server-54-192-137-121.lax1.r.cloudfront.net  (54.192.137.121:80)

TCP (HTTP):
Connects to pagetracking.popmarker.com  (198.199.91.250:80)

TCP (HTTP):
Connects to muc03s14-in-f14.1e100.net  (216.58.211.46:80)

TCP (HTTP):
Connects to mc.yandex.ru  (93.158.134.119:80)

TCP (HTTP):
Connects to hosted-by.netdirekt.com.tr  (195.244.35.3:80)
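As an added example (this editor's code, not part of the report), the following script matches a Zeek-style conn.log against the destination list above and carries the shared-infrastructure caveat into the verdict: a source host is flagged only when it reached at least one destination that is not shared CDN, Google, Yandex or ad-network infrastructure. The log rows are constructed for the example, and which suffixes count as shared is an assumption made here, not something the report states.

```python
# (host, ip, port) triples copied from the connection list on this page.
PAGE_DESTINATIONS = [
    ("x.ligatus.com", "81.26.166.11", 80),
    ("www.turktelekom.com.tr", "195.175.116.185", 80),
    ("static-251-147-132-188.sadecehosting.net", "188.132.147.251", 80),
    ("static-163-244-132-188.sadecehosting.net", "188.132.244.163", 80),
    ("static-117-148-132-188.sadecehosting.net", "188.132.148.117", 80),
    ("static.doratelekom.com", "95.128.60.150", 80),
    ("sof01s11-in-f3.1e100.net", "216.58.208.99", 80),
    ("sof01s11-in-f2.1e100.net", "216.58.208.98", 80),
    ("sof01s11-in-f13.1e100.net", "216.58.208.109", 443),
    ("sof01s11-in-f1.1e100.net", "216.58.208.97", 80),
    ("sof01s11-in-f0.1e100.net", "216.58.208.96", 443),
    ("server-54-230-82-86.mia50.r.cloudfront.net", "54.230.82.86", 80),
    ("server-54-230-118-146.sfo9.r.cloudfront.net", "54.230.118.146", 80),
    ("server-54-192-231-14.waw50.r.cloudfront.net", "54.192.231.14", 443),
    ("server-54-192-231-111.waw50.r.cloudfront.net", "54.192.231.111", 443),
    ("server-54-192-137-121.lax1.r.cloudfront.net", "54.192.137.121", 80),
    ("pagetracking.popmarker.com", "198.199.91.250", 80),
    ("muc03s14-in-f14.1e100.net", "216.58.211.46", 80),
    ("mc.yandex.ru", "93.158.134.119", 80),
    ("hosted-by.netdirekt.com.tr", "195.244.35.3", 80),
]

# Hosts under these suffixes are shared Google (1e100.net), Amazon CloudFront,
# Yandex Metrica and Ligatus ad-network infrastructure, plus an ISP's public
# website, that benign software also reaches; a hit there only corroborates.
# Which suffixes count as shared is this example's own judgement.
SHARED_SUFFIXES = ("1e100.net", "cloudfront.net", "yandex.ru", "ligatus.com", "turktelekom.com.tr")

IP_INDEX = {ip: (host, port) for host, ip, port in PAGE_DESTINATIONS}

# Constructed Zeek-style conn.log excerpt (columns trimmed to the ones used here).
# 93.184.216.34 is a control row whose responder is not on the page's list.
CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1418580000.10\tCa1\t10.0.0.5\t49152\t195.244.35.3\t80\ttcp",
    "1418580001.20\tCa2\t10.0.0.5\t49153\t216.58.208.99\t80\ttcp",
    "1418580002.30\tCa3\t10.0.0.7\t49154\t93.158.134.119\t80\ttcp",
    "1418580003.40\tCa4\t10.0.0.7\t49155\t93.184.216.34\t443\ttcp",
    "1418580004.50\tCa5\t10.0.0.9\t49156\t188.132.147.251\t80\ttcp",
])

def tier(host: str) -> str:
    """'corroborating' for shared infrastructure, 'actionable' for the rest."""
    shared = any(host == s or host.endswith("." + s) for s in SHARED_SUFFIXES)
    return "corroborating" if shared else "actionable"

def match_conn_log(text: str) -> list:
    """Return (orig_h, resp_h, host, tier) for every row whose responder IP is on
    the page's list. The listed port is deliberately not required to match: a
    server that moves ports is still the same server."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        orig_h, resp_h = fields[2], fields[4]
        if resp_h in IP_INDEX:
            host = IP_INDEX[resp_h][0]
            hits.append((orig_h, resp_h, host, tier(host)))
    return hits

def suspect_sources(hits: list) -> dict:
    """Flag an internal source only if it reached at least one 'actionable'
    destination; corroborating hits alone never flag a host."""
    seen = {}
    for orig_h, _, _, t in hits:
        seen.setdefault(orig_h, set()).add(t)
    return {src: "actionable" in tiers for src, tiers in seen.items()}

if __name__ == "__main__":
    for hit in match_conn_log(CONN_LOG):
        print(hit)
    print(suspect_sources(match_conn_log(CONN_LOG)))
```

On the constructed log, 10.0.0.7 talks only to mc.yandex.ru and is not flagged, while 10.0.0.5 and 10.0.0.9 each reached a Turkish hosting address and are. Treat a flag from this script as a reason to pull the file hashes and the C:\ProgramData path from the endpoint, not as a verdict by itself.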

Remove LSM.exe - Powered by Reason Core Security