client.exe

Fileprotected

This is published and distributed via an Adknowledge's advertising supported (adware) software installer. The application client.exe by Fileprotected has been detected as adware by 7 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49431 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host.
Publisher:
Fileprotected  (signed and verified)

MD5:
d5fde3b5f4413f4780dab8155bca46a8

SHA-1:
2c3e5636a72ce5b3baac69af1ddcc0723263f44c

SHA-256:
24c219f025dda2717341b9571f93192942eb7ae347681ec0f6b3150f5aaa3867

Scanner detections:
7 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Analysis date:
11/15/2024 6:12:25 AM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.iBryte.539
9.0.1.0337

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10798

McAfee
Artemis!9C7EA571A48D
5600.6928

Panda Antivirus
Trj/Genetic.gen
14.12.03.12

Reason Heuristics
PUP.Fileprotected.G
14.11.21.23

Trend Micro House Call
Suspicious_GEN.F47V1127
7.2.337

VIPRE Antivirus
AdKnowledge
34260

File size:
3.3 MB (3,477,224 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\geniusbox\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/13/2014 7:00:00 PM

Valid to:
7/14/2015 6:59:59 PM

Subject:
CN=Fileprotected, O=Fileprotected, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00EFEBA775B69C3717980399C96E5323EC

File PE Metadata
Compilation timestamp:
10/21/2014 9:35:23 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:JGJJYxZJ8P1wa63zH59sm7B5wx0PClutGC/gGoLgQjVSW8GUnvKu16EfhRB1EWdn:19UAV3zBfX

Entry address:
0x1D53

Entry point:
E8, 77, 26, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, EF, 74, 00, FF, 15, 38, 80, 40, 00, 85, C0, 75, 18, 56, E8, 29, 27, 00, 00, 8B, F0, FF, 15, 34, 80, 40, 00, 50, E8, D9, 26, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, 50, A4, 40, 00, E8, 3D, 24, 00, 00, 6A, 0E, E8, 29, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, E4, 74, 00, BA, FC, E3, 74, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
 
[+]

Entropy:
3.9387

Code size:
25.5 KB (26,112 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49431/

Local host port:
49431

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-ams2.fbcdn.net  (31.13.64.7:443)

TCP (HTTP):
Connects to snt-re4-6a.sjc.dropbox.com  (108.160.163.97:80)

TCP (HTTP):
Connects to sjd-rf15-7c.sjc.dropbox.com  (108.160.167.35:80)

TCP (HTTP):
Connects to sjd-rf15-6c.sjc.dropbox.com  (108.160.167.39:80)

TCP (HTTP SSL):
Connects to pr.comet.vip.bf1.yahoo.com  (66.196.116.112:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-ash5.facebook.com  (173.252.101.48:443)

TCP (HTTP):
Connects to ec2-54-235-185-31.compute-1.amazonaws.com  (54.235.185.31:80)

TCP (HTTP):
Connects to ec2-54-210-116-218.compute-1.amazonaws.com  (54.210.116.218:80)

TCP (HTTP):
Connects to ec2-50-17-197-47.compute-1.amazonaws.com  (50.17.197.47:80)

TCP (HTTP):
Connects to ec2-23-23-137-215.compute-1.amazonaws.com  (23.23.137.215:80)

TCP (HTTP):
Connects to ec2-23-21-54-14.compute-1.amazonaws.com  (23.21.54.14:80)

TCP (HTTP):
Connects to ash-rc1-4c.sjc.dropbox.com  (108.160.169.175:80)

TCP (HTTP):
Connects to ash-rb4-13b.sjc.dropbox.com  (108.160.170.50:80)

TCP (HTTP):
Connects to a72-247-9-34.deploy.akamaitechnologies.com  (72.247.9.34:80)

TCP (HTTP):

TCP (HTTP SSL):
Connects to a23-62-7-65.deploy.static.akamaitechnologies.com  (23.62.7.65:443)

TCP (HTTP SSL):
Connects to a23-62-7-49.deploy.static.akamaitechnologies.com  (23.62.7.49:443)

TCP (HTTP):

TCP (HTTP SSL):
Connects to a23-212-53-151.deploy.static.akamaitechnologies.com  (23.212.53.151:443)

Remove client.exe - Powered by Reason Core Security