okapa.exe

Eraem Corniratu

The executable okapa.exe, “Eraem Vire Studaa 2021” has been detected as malware by 22 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.
Publisher:
Eraem Corniratu

Description:
Eraem Vire Studaa 2021

Version:
4.1.55867.13743

MD5:
4c3be8ffccf685a5c616fc3b1ee8e615

SHA-1:
fc6cf747e661713aa95b6be6318c595fdac3d8b2

SHA-256:
f31ab25ce0925c7c7d3334bbf69c618e799fa589d6b2ac5dc49d41c544fecf20

Scanner detections:
22 / 68

Status:
Malware

Analysis date:
12/25/2024 6:21:23 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Backdoor.Bot.80215
6360186

Avira AntiVirus
TR/Dropper.Gen
7.11.199.42

avast!
Win32:Malware-gen
150101-1

AVG
Win32/Cryptor
2014.0.4253

Bitdefender
Backdoor.Bot.80215
1.0.20.10

Bkav FE
HW32.Packed
1.3.0.6267

Dr.Web
Trojan.PWS.Panda.7719
9.0.1.05190

Emsisoft Anti-Malware
Backdoor.Bot.80215
9.0.0.4799

ESET NOD32
Win32/Kryptik.CUMZ trojan
7.0.302.0

F-Secure
Backdoor.Bot.80215
5.13.68

G Data
Backdoor.Bot.80215
15.1.24

Kaspersky
Trojan-Spy.Win32.Zbot
15.0.0.543

Malwarebytes
Trojan.Agent
v2015.01.02.09

McAfee
MysticCompressor!4C3BE8FFCCF6
5600.6897

MicroWorld eScan
Backdoor.Bot.80215
16.0.0.6

Norman
Backdoor.Bot.80215
29.12.2014 07:19:03

Panda Antivirus
Trj/Genetic.gen
15.01.02.09

Qihoo 360 Security
Malware.QVM20.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
15.1.5.22

Rising Antivirus
PE:Malware.XPACK-HIE/Heur!1.9C48
23.00.65.141231

Trend Micro House Call
TSPY_ZBOT.SMAC
7.2.2

Trend Micro
TSPY_ZBOT.SMAC
10.465.02

File size:
493.6 KB (505,448 bytes)

Product version:
4.1.55867.13743

Original file name:
lbale.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\ysxyixz\okapa.exe

File PE Metadata
Compilation timestamp:
6/22/2010 6:03:49 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:kKo0aMXJR8QxHf/aoQfJCvW8/8iazdczq+x4:EMPCfKL/QZqx4

Entry address:
0x27308

Entry point:
55, 8B, EC, 81, EC, 1C, 01, 00, 00, 8B, 0D, C0, 20, 46, 00, 89, 4D, 98, 53, 89, 4D, 98, 56, 8B, F1, 89, 4D, 98, 89, 4D, 98, 89, 75, 98, 57, 23, CE, 8B, 45, 98, 83, F8, D3, 75, 23, 83, E8, DC, 89, 4D, 98, 8B, 7D, 98, 3B, C6, 75, 16, 8B, 5D, 98, 03, D8, 89, 5D, D4, 3B, 3D, C0, 20, 46, 00, 75, 06, 83, CF, 2F, 89, 7D, 98, 8B, 05, 5C, 20, 46, 00, 03, C0, F7, C7, 46, 00, 00, 00, 74, 0F, 81, C6, 00, 00, 98, 1A, 8B, 45, 98, 89, 75, 8C, 89, 45, 98, FF, 15, 74, 15, 46, 00, 2B, F8, 8B, 5D, 98, 89, 7D, 98, 3B, 1D, 5C...
 
[+]

Developed / compiled with:
Microsoft Visual C++

Code size:
326 KB (333,824 bytes)

Scheduled Task
Task name:
Security Center Update - 245744808

Trigger:
Daily (Runs daily at 3:00)

Description:
Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to wg-in-f157.1e100.net  (173.194.78.157:80)

TCP (HTTP):
Connects to we-in-f94.1e100.net  (173.194.66.94:80)

TCP (HTTP):
Connects to static-ip-37-221-168-39.inaddr.eu-dedicated.net  (37.221.168.39:80)

TCP (HTTP):
Connects to prg02s12-in-f26.1e100.net  (173.194.122.26:80)

TCP (HTTP):
Connects to prg02s12-in-f24.1e100.net  (173.194.122.24:80)

TCP (HTTP):
Connects to prg02s12-in-f18.1e100.net  (173.194.122.18:80)

TCP (HTTP):
Connects to prg02s12-in-f15.1e100.net  (173.194.122.15:80)

TCP (HTTP):
Connects to prg02s12-in-f13.1e100.net  (173.194.122.13:80)

TCP (HTTP):
Connects to prg02s11-in-f25.1e100.net  (173.194.116.249:80)

TCP (HTTP):
Connects to prg02s11-in-f17.1e100.net  (173.194.116.241:80)

TCP (HTTP):
Connects to prg02s11-in-f16.1e100.net  (173.194.116.240:80)

TCP (HTTP):
Connects to prg02s11-in-f13.1e100.net  (173.194.116.237:80)

TCP (HTTP):
Connects to paladius.miob.sk  (185.66.200.105:80)

TCP (HTTP):
Connects to ovh2.host.hit.gemius.pl  (37.187.168.56:80)

TCP (HTTP):
Connects to ovh1.host.hit.gemius.pl  (37.187.165.184:80)

TCP (HTTP):
Connects to miob.sk  (185.66.200.32:80)

TCP (HTTP):
Connects to hosted-by.leaseweb.com  (162.210.193.233:80)

TCP (HTTP):
Connects to eu-94.sociomantic.com  (176.9.128.204:80)

TCP (HTTP):
Connects to eu-66.sociomantic.com  (78.46.128.235:80)

TCP (HTTP):
Connects to edge-star-shv-01-fra3.facebook.com  (31.13.93.3:80)

Remove okapa.exe - Powered by Reason Core Security