Client.exe

Secureencoded

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application Client.exe by Secureencoded has been detected as adware by 4 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. This file is typically installed with the program Rockettab by Rich River Media, LLC which is a potentially unwanted software program. While running, it connects to the Internet address snt404-m.hotmail.com on port 443.
Publisher:
Secureencoded  (signed and verified)

Version:
1.0.5389.17654

MD5:
c362bbc2d45134fea7d98d03e5876c9c

SHA-1:
3ffab3a1f2f0ba9e0d9b113c406c847ed4e89e2b

SHA-256:
a2c25e02b3d3d1fc17c1b2900fa15e4a4e07d1155ef2372af39ddd006065dfbf

Scanner detections:
4 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
11/23/2024 2:21:08 AM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.14104

Kaspersky
not-a-virus:AdWare.MSIL.RocketTab
14.0.0.3153

Reason Heuristics
PUP.Secureencoded.G
14.10.4.11

VIPRE Antivirus
AdKnowledge
33646

File size:
1.4 MB (1,424,616 bytes)

Product version:
1.0.5389.17654

Original file name:
Client.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Language:
Language Neutral

Common path:
C:\Program Files\search extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/13/2014 7:00:00 PM

Valid to:
7/14/2015 6:59:59 PM

Subject:
CN=Secureencoded, O=Secureencoded, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008A9DE5BF6D7E4070873AB08E9304F7FA

File PE Metadata
Compilation timestamp:
10/3/2014 5:48:46 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:Pj3RIPuI5i66JSAOYZQk2lspIoZA86TNYMrFSlLfF9DvMFJ:PTtC6JS2ZzVpIo2NaqFkLfbD4

Entry address:
0x1522EA

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.0968

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.3 MB (1,377,280 bytes)

The file Client.exe has been discovered within the following program.

Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-107-21-97-137.compute-1.amazonaws.com  (107.21.97.137:80)

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP SSL):
Connects to webmailer.hosteurope.de  (80.237.128.167:443)

TCP (HTTP SSL):
Connects to snt404-m.hotmail.com  (65.55.68.119:443)

TCP (HTTP):
Connects to sjd-rd12-3d.sjc.dropbox.com  (108.160.167.160:80)

TCP (HTTP):
Connects to sjd-rc1-1a.sjc.dropbox.com  (108.160.165.181:80)

TCP (HTTP SSL):
Connects to server-54-230-199-13.lhr50.r.cloudfront.net  (54.230.199.13:443)

TCP (HTTP SSL):
Connects to server-54-230-198-114.lhr50.r.cloudfront.net  (54.230.198.114:443)

TCP (HTTP):
Connects to server-54-230-198-10.lhr50.r.cloudfront.net  (54.230.198.10:80)

TCP (HTTP SSL):
Connects to server-54-230-197-98.lhr50.r.cloudfront.net  (54.230.197.98:443)

TCP (HTTP):
Connects to server-54-230-196-198.lhr50.r.cloudfront.net  (54.230.196.198:80)

TCP (HTTP SSL):
Connects to server-54-230-196-168.lhr50.r.cloudfront.net  (54.230.196.168:443)

TCP (HTTP SSL):
Connects to server-54-230-196-11.lhr50.r.cloudfront.net  (54.230.196.11:443)

TCP (HTTP SSL):
Connects to server-54-192-197-51.lhr50.r.cloudfront.net  (54.192.197.51:443)

TCP (HTTP SSL):
Connects to s3-1.amazonaws.com  (54.240.235.12:443)

TCP (HTTP SSL):
Connects to platform-api.newrelic.com  (50.31.164.166:443)

TCP (HTTP SSL):
Connects to par08s10-in-f6.1e100.net  (74.125.230.230:443)

TCP (HTTP SSL):
Connects to par08s10-in-f4.1e100.net  (74.125.230.228:443)

TCP (HTTP SSL):
Connects to par08s10-in-f24.1e100.net  (74.125.230.248:443)

TCP (HTTP SSL):
Connects to par08s10-in-f23.1e100.net  (74.125.230.247:443)

Remove Client.exe - Powered by Reason Core Security