client.exe

The application client.exe has been detected as a potentially unwanted program by 14 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 51784 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. Additionally, the file is typically installed by a number of programs including Rockettab by Rich River Media, LLC and “RocketTab” by Adknowledge, both potentially unwanted software.
MD5: 189e2bf9ee10de457959264e6f76096b
SHA-1: 3cba3b343ddc13f50463c3aad43dfef3fe36ebf5
SHA-256: 0a7510e0dc669035d9d7750c29e5b787e3788ad709f7c5bab0fcd94e4b98f7b5
Scanner detections: 14 / 68
Status: Potentially unwanted
Analysis date: 12/28/2024 10:41:39 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Gen:Variant.Zusy.128373 | 687
AhnLab V3 Security | | 2015.03.19
Avira AntiVirus | ADWARE/iBryte.Gen4 | 7.11.218.66
avast! | Win32:Dropper-gen [Drp] | 2014.9-150319
Baidu Antivirus | Adware.Win32.iBryte | 4.0.3.15319
Bitdefender | Gen:Variant.Zusy.128373 | 1.0.20.390
Emsisoft Anti-Malware | Gen:Variant.Zusy.128373 | 8.15.03.19.11
ESET NOD32 | Win32/Adware.iBryte.CD (variant) | 9.11340
F-Secure | Gen:Variant.Zusy.128373 | 11.2015-19-03_5
G Data | Gen:Variant.Zusy.128373 | 15.3.25
Kaspersky | not-a-virus:AdWare.Win32.iBryte | 14.0.0.2320
MicroWorld eScan | Gen:Variant.Zusy.128373 | 16.0.0.234
Panda Antivirus | Trj/Genetic.gen | 15.03.19.11
Reason Heuristics | Threat.Win.Reputation.IMP | 15.3.20.0

File size: 2.5 MB (2,591,232 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\Program Files\search extensions\client.exe

File PE Metadata
Compilation timestamp: 3/3/2015 12:33:07 PM
OS version: 5.1
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 10.0

CTPH (ssdeep):
24576:jZgkcW6ZyMgWydMpY5MHKetB2ECXLKmKLPnkEmOYllq+o0gmfosdtJQocWwPEhMd:jGg6uXqm1KLPnqjo0y+JKWZMFk7Y4w

Entry address:
0xD637

Entry point:
E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 84, 19, 4A, 00, FF, 15, 60, 10, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 10, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, E8, A4, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, E8, A4, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, F0, A4, 49, 00, C3, 8B...
 

Entropy: 6.1362
Code size: 126 KB (129,024 bytes)

Local Proxy Server
Proxy for: Internet Settings
Local host address: http://127.0.0.1:51784/
Local host port: 51784
Default credentials: No


The file client.exe has been discovered within the following programs.

“RocketTab”  by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are injected either in white-space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic, the service is able to insert various ads into the HTML of the displayed web page.
rockettab.com
88% remove it
RocketTab:  by Adknowledge, Inc.
RocketTab is an advertising-supported browser extension, also known as adware, designed to deliver ads to the user's Internet browser as banners, contextual text-links and transitional ads. The injected ads are not affiliated with the underlying website on which they appear.
www.adknowledge.com
87% remove it
 

The executing file has been seen to make the following network communications in live environments.

