client.exe

The application client.exe has been detected as a potentially unwanted program by 6 anti-malware scanners. Additionally, the file is typically installed by a number of programs including Rockettab by Rich River Media, LLC and “RocketTab” by Adknowledge, both potentially unwanted software.
MD5:
0798b1f69a10175534febc3e59782f6e

SHA-1:
6def4a532c5362335c1b11520aef7d17ceb405f1

SHA-256:
fd4b20c20ab988d2b572646c6d371e186a8649453894c88e92b5c99b1e8d99c2

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 4:39:18 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
ADWARE/iBryte.Gen4
7.11.205.122

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.15129

ESET NOD32
MSIL/Adware.iBryte (variant)
9.11080

Reason Heuristics
Threat.Win.Reputation.IMP
15.1.29.2

Rising Antivirus
PE:Trojan.FakeIcon!1.64A5
23.00.65.15127

Sophos
Mal/Wintrim-A
4.98

File size:
2.5 MB (2,602,496 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

File PE Metadata
Compilation timestamp:
1/27/2015 10:33:09 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:mcRblt64QcjqFnEBrnzHHbr4icF9Evg/+rZLYM9judv+txhggwhwakUl0SmeWeBu:hl0qzO/Q28IwaVjhsAnM1kBFh

Entry address:
0xC847

Entry point:
E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 44, A9, 49, 00, FF, 15, 60, 00, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 00, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, F8, 43, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, F8, 43, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 00, 44, 49, 00, C3, 8B...
 
[+]

Entropy:
6.1269

Code size:
122.5 KB (125,440 bytes)

The file client.exe has been discovered within the following programs.

“RocketTab”  by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP):
Connects to ec2-54-235-170-110.compute-1.amazonaws.com  (54.235.170.110:80)

TCP (HTTP SSL):
Connects to text-lb.ulsfo.wikimedia.org  (198.35.26.96:443)

TCP (HTTP):
Connects to pages.g.ebay.com  (66.135.216.190:80)

TCP (HTTP):
Connects to ju240.jupiter.fastwebserver.de  (89.163.148.240:80)

TCP (HTTP):
Connects to jakarta-10.cdn77.com  (103.60.9.12:80)

TCP (HTTP SSL):
Connects to fm-dyn-111-95-240-208.fast.net.id  (111.95.240.208:443)

TCP (HTTP SSL):
Connects to fm-dyn-111-95-240-174.fast.net.id  (111.95.240.174:443)

TCP (HTTP):
Connects to fm-dyn-111-94-254-93.fast.net.id  (111.94.254.93:80)

TCP (HTTP):
Connects to fm-dyn-111-94-254-77.fast.net.id  (111.94.254.77:80)

TCP (HTTP):
Connects to fm-dyn-111-94-254-31.fast.net.id  (111.94.254.31:80)

TCP (HTTP):
Connects to fm-dyn-111-94-254-24.fast.net.id  (111.94.254.24:80)

TCP (HTTP):
Connects to ec2-50-17-217-59.compute-1.amazonaws.com  (50.17.217.59:80)

TCP (HTTP):
Connects to ec2-23-23-122-91.compute-1.amazonaws.com  (23.23.122.91:80)

TCP (HTTP):
Connects to ec2-23-21-48-109.compute-1.amazonaws.com  (23.21.48.109:80)

TCP (HTTP SSL):
Connects to by3301-g.1drv.com  (134.170.108.96:443)

TCP (HTTP SSL):
Connects to a95-101-158-163.deploy.akamaitechnologies.com  (95.101.158.163:443)

TCP (HTTP SSL):
Connects to a23-43-166-115.deploy.static.akamaitechnologies.com  (23.43.166.115:443)

TCP (HTTP):
Connects to a23-15-149-163.deploy.static.akamaitechnologies.com  (23.15.149.163:80)

TCP (HTTP):
Connects to a173-222-148-8.deploy.static.akamaitechnologies.com  (173.222.148.8:80)

Remove client.exe - Powered by Reason Core Security