» okapa.exe
Overview
Analysis
File Details
Behaviors (1)
Network (28)

okapa.exe

Eraem Corniratu

The executable okapa.exe, “Eraem Vire Studaa 2021” has been detected as malware by 22 anti-virus scanners. It runs as a scheduled task under the Windows Task Scheduler triggered daily at a specified time. Accoriding to the detections, it is a variant of Zbot (Zeus), a trojan that attempts to steal confidential information (online credentials, and banking details) from a compromised computer and send it to online criminals via a command-and-control server.

File name:

okapa.exe

Publisher:

Eraem Corniratu

Description:

Eraem Vire Studaa 2021

Version:

4.1.55867.13743

MD5:

4c3be8ffccf685a5c616fc3b1ee8e615

SHA-1:

fc6cf747e661713aa95b6be6318c595fdac3d8b2

SHA-256:

f31ab25ce0925c7c7d3334bbf69c618e799fa589d6b2ac5dc49d41c544fecf20

Scanner detections:

22 / 68

Status:

Malware

Analysis date:

4/26/2024 2:50:00 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Backdoor.Bot.80215

6360186

Avira AntiVirus

TR/Dropper.Gen

7.11.199.42

avast!

Win32:Malware-gen

150101-1

AVG

Win32/Cryptor

2014.0.4253

Bitdefender

Backdoor.Bot.80215

1.0.20.10

Bkav FE

HW32.Packed

1.3.0.6267

Dr.Web

Trojan.PWS.Panda.7719

9.0.1.05190

Emsisoft Anti-Malware

Backdoor.Bot.80215

9.0.0.4799

ESET NOD32

Win32/Kryptik.CUMZ trojan

7.0.302.0

F-Secure

Backdoor.Bot.80215

5.13.68

G Data

Backdoor.Bot.80215

15.1.24

Kaspersky

Trojan-Spy.Win32.Zbot

15.0.0.543

Malwarebytes

Trojan.Agent

v2015.01.02.09

McAfee

MysticCompressor!4C3BE8FFCCF6

5600.6897

MicroWorld eScan

Backdoor.Bot.80215

16.0.0.6

Norman

Backdoor.Bot.80215

29.12.2014 07:19:03

Panda Antivirus

Trj/Genetic.gen

15.01.02.09

Qihoo 360 Security

Malware.QVM20.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

15.1.5.22

Rising Antivirus

PE:Malware.XPACK-HIE/Heur!1.9C48

23.00.65.141231

Trend Micro House Call

TSPY_ZBOT.SMAC

7.2.2

Trend Micro

TSPY_ZBOT.SMAC

10.465.02

File size:

493.6 KB (505,448 bytes)

Product version:

4.1.55867.13743

Original file name:

lbale.exe

File type:

Executable application (Win32 EXE)

Language:

English (United States)

Common path:

C:\users\{user}\appdata\roaming\ysxyixz\okapa.exe

File PE Metadata

Compilation timestamp:

6/22/2010 6:03:49 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

9.0

CTPH (ssdeep):

12288:kKo0aMXJR8QxHf/aoQfJCvW8/8iazdczq+x4:EMPCfKL/QZqx4

Entry address:

0x27308

Entry point:

55, 8B, EC, 81, EC, 1C, 01, 00, 00, 8B, 0D, C0, 20, 46, 00, 89, 4D, 98, 53, 89, 4D, 98, 56, 8B, F1, 89, 4D, 98, 89, 4D, 98, 89, 75, 98, 57, 23, CE, 8B, 45, 98, 83, F8, D3, 75, 23, 83, E8, DC, 89, 4D, 98, 8B, 7D, 98, 3B, C6, 75, 16, 8B, 5D, 98, 03, D8, 89, 5D, D4, 3B, 3D, C0, 20, 46, 00, 75, 06, 83, CF, 2F, 89, 7D, 98, 8B, 05, 5C, 20, 46, 00, 03, C0, F7, C7, 46, 00, 00, 00, 74, 0F, 81, C6, 00, 00, 98, 1A, 8B, 45, 98, 89, 75, 8C, 89, 45, 98, FF, 15, 74, 15, 46, 00, 2B, F8, 8B, 5D, 98, 89, 7D, 98, 3B, 1D, 5C... 
[+]

Developed / compiled with:

Microsoft Visual C++

Code size:

326 KB (333,824 bytes)

Scheduled Task

Task name:

Security Center Update - 245744808

Trigger:

Daily (Runs daily at 3:00)

Description:

Keeps your Security Center software up to date. If this task is disabled or stopped, your Security Center software will not be kept up to date, meanin

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to wg-in-f157.1e100.net (173.194.78.157:80)

TCP (HTTP):

Connects to we-in-f94.1e100.net (173.194.66.94:80)

TCP (HTTP):

Connects to static-ip-37-221-168-39.inaddr.eu-dedicated.net (37.221.168.39:80)

TCP (HTTP):

Connects to prg02s12-in-f26.1e100.net (173.194.122.26:80)

TCP (HTTP):

Connects to prg02s12-in-f24.1e100.net (173.194.122.24:80)

TCP (HTTP):

Connects to prg02s12-in-f18.1e100.net (173.194.122.18:80)

TCP (HTTP):

Connects to prg02s12-in-f15.1e100.net (173.194.122.15:80)

TCP (HTTP):

Connects to prg02s12-in-f13.1e100.net (173.194.122.13:80)

TCP (HTTP):

Connects to prg02s11-in-f25.1e100.net (173.194.116.249:80)

TCP (HTTP):

Connects to prg02s11-in-f17.1e100.net (173.194.116.241:80)

TCP (HTTP):

Connects to prg02s11-in-f16.1e100.net (173.194.116.240:80)

TCP (HTTP):

Connects to prg02s11-in-f13.1e100.net (173.194.116.237:80)

TCP (HTTP):

Connects to paladius.miob.sk (185.66.200.105:80)

TCP (HTTP):

Connects to ovh2.host.hit.gemius.pl (37.187.168.56:80)

TCP (HTTP):

Connects to ovh1.host.hit.gemius.pl (37.187.165.184:80)

TCP (HTTP):

Connects to miob.sk (185.66.200.32:80)

TCP (HTTP):

Connects to hosted-by.leaseweb.com (162.210.193.233:80)

TCP (HTTP):

Connects to eu-94.sociomantic.com (176.9.128.204:80)

TCP (HTTP):

Connects to eu-66.sociomantic.com (78.46.128.235:80)

TCP (HTTP):

Connects to edge-star-shv-01-fra3.facebook.com (31.13.93.3:80)

Remove okapa.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.