kaeli.exe

Anriel Corporatu

The application kaeli.exe, “Anriel Visatl Studie 2020”, has been detected as adware by 26 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler, triggered daily at a specified time. According to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials and banking details) from a compromised computer and send it to online criminals via a command-and-control server. While running, it connects to the Internet address server-54-192-6-140.dfw3.r.cloudfront.net on port 80 using the HTTP protocol.
Publisher: Anriel Corporatu
Description: Anriel Visatl Studie 2020
Version: 7.40.28444.34216
MD5: 868e17da23c21eff7593f4f9c59a09d1
SHA-1: eb7707f53787524ea31653c6db09f89cd3e3e107
SHA-256: 1b85d675d1c8f46e9de2fe01456f76470a3f25e7d5e5e6474d773154a964c11f
Scanner detections: 26 / 68
Status: Adware
Analysis date: 4/24/2024 7:15:06 AM UTC

Scan engine                    Detection                             Engine version
Lavasoft Ad-Aware              Trojan.Generic.12281622               6103425
Agnitum Outpost                Trojan.Kryptik                        7.1.1
AhnLab V3 Security             Trojan/Win32.Necurs                   2014.12.10
Avira AntiVirus                TR/Dropper.Gen                        7.11.194.0
avast!                         Win32:Dropper-gen [Drp]               141130-1
AVG                            SHeur4                                2015.0.3265
Bitdefender                    Trojan.Generic.12281622               1.0.20.1720
Emsisoft Anti-Malware          Trojan.Generic.12281622               9.0.0.4668
ESET NOD32                     Win32/Kryptik.CRZJ trojan             7.0.302.0
Fortinet FortiGate             W32/Kryptik.CRBX!tr                   12/10/2014
F-Secure                       Trojan.Generic.12281622               5.13.68
G Data                         Trojan.Generic.12281622               14.12.24
K7 AntiVirus                   Riskware                              13.186.14280
Kaspersky                      Trojan-Spy.Win32.Zbot                 15.0.0.543
Malwarebytes                   Trojan.Zemot                          v2014.12.10.03
McAfee                         Trojan.MysticCompressor!868E17DA23C2  16.8.708.2
Microsoft Security Essentials  Threat.Undefined                      1.189.1703.0
MicroWorld eScan               Trojan.Generic.12281622               15.0.0.1032
NANO AntiVirus                 Trojan.Win32.Zbot.djynqr              0.28.6.63850
Norman                         Trojan.Generic.12281622               04.12.2014 14:30:06
nProtect                       Trojan.Generic.12281622               14.12.09.01
Panda Antivirus                Trj/Genetic.gen                       14.12.10.03
Qihoo 360 Security             Malware.QVM20.Gen                     1.0.0.1015
Reason Heuristics              PUP.Task.AnrielCorporatu              15.3.1.16
Total Defense                  Win32/Zbot.fJARBWB                    37.0.11321
VIPRE Antivirus                Threat.4150696                        35418

File size: 261.2 KB (267,506 bytes)
Product version: 7.40.28444.34216
Original file name: biash.exe
File type: Executable application (Win32 EXE)
Language: English (United States)
Common path: C:\users\{user}\appdata\roaming\kiecupu\kaeli.exe

File PE Metadata
Compilation timestamp: 4/3/2010 4:20:48 AM
OS version: 5.1
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 10.0
CTPH (ssdeep): 6144:sYX8gzTUn6hah/VlRYbt6mBaC+g/ro8Spk8i+lZ1o38m:xXlc6h2/et6mNz/rMk8i+b4
Entry address: 0x34D9
Entry point: 55, 8B, EC, 81, EC, 70, 01, 00, 00, BA, F7, 00, 00, 00, 83, F2, B6, 89, 95, C8, FE, FF, FF, 53, B9, E2, 00, 00, 00, 83, F1, C6, 89, 95, C8, FE, FF, FF, 89, 8D, C8, FE, FF, FF, 56, 83, F1, 78, 8B, 9D, C8, FE, FF, FF, 83, FB, 75, 75, 57, 83, F3, 2A, 8B, 85, C8, FE, FF, FF, 89, 9D, C8, FE, FF, FF, A9, D5, 00, 00, 00, 74, 41, 2B, C8, 8B, 35, 50, 60, 40, 00, 89, 95, C8, FE, FF, FF, 89, 95, C8, FE, FF, FF, 89, B5, 3C, FF, FF, FF, 89, 45, E0, 83, F9, F6, 75, 1F, 83, E1, 9F, 8B, 95, C8, FE, FF, FF, 83, FA, 09, 74...
Entropy: 7.8985
Developed / compiled with: Microsoft Visual C++
Code size: 15 KB (15,360 bytes)

Scheduled Task
Task name: Security Center Update - 2367710105
Trigger: Daily (Runs daily at 1:00 AM)
Description: Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP): Connects to yk-in-f141.1e100.net (74.125.196.141:80)
TCP (HTTP): Connects to yk-in-f138.1e100.net (74.125.196.138:80)
TCP (HTTP): Connects to yk-in-f120.1e100.net (74.125.196.120:80)
TCP (HTTP): Connects to yk-in-f113.1e100.net (74.125.196.113:80)
TCP (HTTP): Connects to yk-in-f103.1e100.net (74.125.196.103:80)
TCP (HTTP SSL): Connects to yk-in-f102.1e100.net (74.125.196.102:443)
TCP (HTTP): Connects to yh-in-f154.1e100.net (74.125.137.154:80)
TCP (HTTP SSL): Connects to yh-in-f149.1e100.net (74.125.137.149:443)
TCP (HTTP): Connects to tps.sj2.fastclick.net (64.156.167.98:80)
TCP (HTTP): Connects to static-ip-37-221-168-59.inaddr.eu-dedicated.net (37.221.168.59:80)
TCP (HTTP): Connects to server-54-230-5-31.dfw3.r.cloudfront.net (54.230.5.31:80)
TCP (HTTP): Connects to server-54-192-6-140.dfw3.r.cloudfront.net (54.192.6.140:80)
TCP (HTTP): Connects to server-54-192-4-2.dfw3.r.cloudfront.net (54.192.4.2:80)
TCP (HTTP): Connects to server-54-192-138-114.lax1.r.cloudfront.net (54.192.138.114:80)
TCP (HTTP): Connects to server-216-137-45-223.lax1.r.cloudfront.net (216.137.45.223:80)
TCP (HTTP SSL): Connects to r-199-59-149-200.twttr.com (199.59.149.200:443)
TCP (HTTP SSL): Connects to r-199-59-148-11.twttr.com (199.59.148.11:443)
TCP (HTTP): Connects to mpr2.ngd.vip.gq1.yahoo.com (216.39.55.13:80)
TCP (HTTP): Connects to mpr1.ngd.vip.ne1.yahoo.com (98.138.49.42:80)
TCP (HTTP): Connects to media.sj2.vcmedia.com (64.156.167.95:80)

Remove kaeli.exe - Powered by Reason Core Security