client.exe

The application client.exe has been detected as a potentially unwanted program by 13 of 68 anti-malware scanners. The executable runs a local HTTP proxy server listening on 127.0.0.1 port 57056 and registers it in the Windows Internet Settings as the system proxy, so traffic from the browser and from any other application that honours that setting is routed through the proxy, where it can be intercepted and modified. The file is typically installed by RocketTab (distributed by Adknowledge, Inc. and by Rich River Media, LLC), itself classified as potentially unwanted software.
MD5:
99bf249b308b7f3c654e3604631951ee

SHA-1:
7809ca7266cef97b23e5ce1e15d4aa99fd58308c

SHA-256:
9c054aa7a7d5d5012034716b714b8d15439754d361273998ad2edd55e0e89f1f

Scanner detections:
13 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 3:38:10 PM UTC

Scan engine             Detection                            Engine version
Lavasoft Ad-Aware       Gen:Variant.Adware.iBryte.8          751
Avira AntiVirus         ADWARE/iBryte.Gen4                   7.11.201.100
avast!                  Win32:Dropper-gen [Drp]              2014.9-150114
Baidu Antivirus         Adware.MSIL.iBryte                   4.0.3.15114
Bitdefender             Gen:Variant.Adware.iBryte.8          1.0.20.70
Comodo Security         TrojWare.Win32.Injector.ABIP         20621
Emsisoft Anti-Malware   Gen:Variant.Adware.iBryte            8.15.01.14.11
ESET NOD32              MSIL/Adware.iBryte.S application     7.0.302.0
F-Secure                Gen:Variant.Adware.iBryte.8          11.2015-14-01_4
G Data                  Gen:Variant.Adware.iBryte            15.1.24
MicroWorld eScan        Gen:Variant.Adware.iBryte.8          16.0.0.42
Reason Heuristics       Threat.Win.Reputation.IMP            15.1.14.23
Sophos                  Mal/Wintrim-A                        5.09

File size:
2.5 MB (2,633,728 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

File PE Metadata
Compilation timestamp:
1/14/2015 10:32:05 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
24576:S09JWFDlOhsu0IJfWp7zfmvhvAwHOMwSx8kTgzisPuDzZIg4A2Tmx1KQRg8PHe0f:FSzwWtfa1UffGzC1Tm55lxvrDBlE

Entry address:
0xD467

Entry point:
E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 84, 2E, 4A, 00, FF, 15, 60, 10, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 10, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, 74, BC, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, 74, BC, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 7C, BC, 49, 00, C3, 8B...

Entropy:
6.1189

Code size:
125.5 KB (128,512 bytes)
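How the fields above are read from the file, as an added example (not the scanner vendor's code): a standard-library Python parser for the PE32 headers that recovers the compile timestamp, OS version, subsystem, linker version, entry RVA and code size, and translates the entry RVA through the section table to the file offset where the entry bytes live. The image it parses by default is built in memory to carry this page's values for client.exe; it is a constructed stand-in, not the sample, and holds no code beyond the entry bytes quoted above. Pass a path on the command line to parse a real binary. Two caveats a practitioner should carry: the compile timestamp is an unauthenticated header field that a build or packer can set arbitrarily, and the entry address is a relative virtual address, not a position in the file.

```python
"""Parse the PE32 header fields a file report lists (compile timestamp, OS
version, subsystem, linker version, entry RVA, code size, entry bytes).

Added example, not code from the scanner vendor. build_sample_image() is a
constructed stand-in carrying this page's values for client.exe, not the
real sample; run `python pe_fields.py <file>` to parse a real binary."""
import struct
import sys
from datetime import datetime, timezone
from typing import Optional

PE32_MAGIC = 0x10B
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Win32 (i386)", 0x8664: "x64"}


def rva_to_offset(rva: int, sections) -> Optional[int]:
    """Map a relative virtual address to a file offset using the section
    table. The 'entry address' in a report is an RVA, not a file position."""
    for _name, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    return None


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header ->
    section table, reading only the fields the report shows."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor, size_of_code = struct.unpack_from("<HBBI", data, opt)
    if magic != PE32_MAGIC:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawptr, rawsize))
    entry_off = rva_to_offset(entry_rva, sections)
    entry_bytes = data[entry_off:entry_off + 16] if entry_off is not None else b""
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        # TimeDateStamp is unauthenticated: builds and packers can set it freely
        "compiled": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "linker": f"{lnk_major}.{lnk_minor}",  # 10.0 is the Visual Studio 2010 toolchain
        "entry_rva": entry_rva,
        "entry_file_offset": entry_off,
        "entry_bytes": " ".join(f"{b:02X}" for b in entry_bytes),
        "code_size": size_of_code,
        "sections": sections,
    }


def build_sample_image() -> bytes:
    """Constructed PE32 image with this page's header values (not the real file)."""
    e_lfanew, text_va, text_raw, entry_rva, code_size = 0x80, 0x1000, 0x400, 0xD467, 128512
    ts = int(datetime(2015, 1, 14, 10, 32, 5, tzinfo=timezone.utc).timestamp())
    entry_bytes = bytes.fromhex("E8B3330000E989FEFFFF8BFF558BEC")  # first bytes quoted on the page
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHH",
                      PE32_MAGIC, 10, 0,                    # magic, linker 10.0
                      code_size, 0, 0,                      # SizeOfCode, init/uninit data
                      entry_rva, text_va, 0x21000, 0x400000, 0x1000, 0x200,
                      5, 1, 0, 0, 5, 1,                     # OS 5.1, image 0.0, subsystem 5.1
                      0, 0x300000, 0x400, 0,                # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0x8140).ljust(224, b"\0")          # Subsystem = Windows GUI; data directories zeroed
    sect = struct.pack("<8sIIIIIIHHI", b".text", code_size, text_va, code_size, text_raw, 0, 0, 0, 0, 0x60000020)
    image = bytearray((dos + b"PE\0\0" + coff + opt + sect).ljust(text_raw + code_size, b"\0"))
    off = text_raw + (entry_rva - text_va)   # RVA 0xD467 -> file offset 0xC867
    image[off:off + len(entry_bytes)] = entry_bytes
    return bytes(image)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for key, value in parse_pe(blob).items():
        print(f"{key:>18}: {value}")
```

On the constructed image the parser reports compiled 2015-01-14 10:32:05 UTC, OS version 5.1, subsystem Windows GUI, linker 10.0, entry RVA 0xD467 at file offset 0xC867 and code size 128,512 bytes, matching the fields above; on a real file, compare its output against a vendor report the same way.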

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:57056/

Local host port:
57056

Default credentials:
No
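A triage check for exactly this configuration, added here as an example and not part of the original report or of RocketTab's own code: it takes the values an analyst would pull from the Internet Settings registry key, from `netstat -ano` and from a process list, and flags any ProxyServer entry that points at a loopback listener owned by a process outside an allow-list. The registry values, netstat lines and PID-to-image map in the block are constructed to resemble an infected host, not captured data, and the exact ProxyServer string RocketTab writes is an assumption (WinINET accepts both the bare `host:port` form and the per-scheme `http=host:port;https=host:port` form, and the parser handles both).

```python
r"""Triage check for the proxy hijack this page describes: the WinINET
ProxyServer value points at a loopback listener owned by an unexpected process.

Added example, not code from the scanner vendor. The registry values,
`netstat -ano` lines and PID-to-image map below are constructed to look like a
host running client.exe; on a real host they come from
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
  netstat -ano
  Get-CimInstance Win32_Process | Select ProcessId, ExecutablePath
The exact ProxyServer string RocketTab writes is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    scheme: str            # 'http', 'https', ... or 'all' for the bare host:port form
    endpoint: str          # host:port taken from ProxyServer
    pid: Optional[int]     # PID listening on that port, if any
    image: Optional[str]   # image path of that PID, if known
    unexpected: bool       # True when the image is not on the caller's allow-list


NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Split a WinINET ProxyServer value into {scheme: 'host:port'}."""
    entries: Dict[str, str] = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, _, endpoint = part.partition("=")
        if not endpoint:                       # bare 'host:port' applies to every scheme
            scheme, endpoint = "all", scheme
        entries[scheme.lower()] = endpoint.strip()
    return entries


def tcp_listeners(netstat_lines: List[str]) -> Dict[int, List[Tuple[str, int]]]:
    """Map local port -> [(bind address, PID)] for LISTENING TCP sockets."""
    out: Dict[int, List[Tuple[str, int]]] = {}
    for line in netstat_lines:
        m = NETSTAT_LISTEN.match(line)
        if m:
            out.setdefault(int(m.group(2)), []).append((m.group(1), int(m.group(3))))
    return out


def is_loopback(host: str) -> bool:
    host = host.lower().strip("[]")
    return host == "localhost" or host.startswith("127.") or host == "::1"


def find_loopback_proxy(proxy_enable: int, proxy_server: str, netstat_lines: List[str],
                        pid_to_image: Dict[int, str], allowed_images: Tuple[str, ...] = ()) -> List[Finding]:
    """One Finding per proxied scheme whose endpoint is a loopback address,
    with the listener resolved to its PID and image path."""
    if not proxy_enable:
        return []                              # value present but disabled: WinINET ignores it
    listeners = tcp_listeners(netstat_lines)
    allowed = {a.lower() for a in allowed_images}
    findings: List[Finding] = []
    for scheme, endpoint in parse_proxy_server(proxy_server).items():
        host, _, port = endpoint.rpartition(":")
        if not port.isdigit() or not is_loopback(host):
            continue                           # remote/corporate proxy: outside this check's scope
        pid = image = None
        for addr, owner in listeners.get(int(port), []):
            if is_loopback(addr) or addr in ("0.0.0.0", "[::]"):
                pid, image = owner, pid_to_image.get(owner)
                break
        findings.append(Finding(scheme, endpoint, pid, image,
                                image is None or image.lower() not in allowed))
    return findings


# --- constructed host artefacts (not captured from a real machine) ---
REG_SAMPLE = {"ProxyEnable": 1,
              "ProxyServer": "http=127.0.0.1:57056;https=127.0.0.1:57056"}
NETSTAT_SAMPLE = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712",
    "  TCP    127.0.0.1:57056        0.0.0.0:0              LISTENING       3248",
    "  TCP    192.168.1.20:49712     54.231.13.233:80       ESTABLISHED     3248",
]
PROCESS_SAMPLE = {712: r"C:\Windows\System32\svchost.exe",
                  3248: r"C:\Program Files\search extensions\client.exe"}

if __name__ == "__main__":
    for f in find_loopback_proxy(REG_SAMPLE["ProxyEnable"], REG_SAMPLE["ProxyServer"],
                                 NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(f)
```

On the constructed input both the http and https entries resolve to PID 3248 at the common path listed above and are flagged; a disabled proxy (ProxyEnable 0) or a proxy on a non-loopback host produces no finding, and passing the image path in `allowed_images` clears the flag for a local proxy that is expected on that host (a debugging proxy, for instance).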


The file client.exe has been found within the following programs.

Rockettab by Rich River Media, LLC
RocketTab is an adware program that injects advertising into the user's web browser. It creates a local proxy server, routes the browser's Internet traffic through that proxy, and inserts ads into the HTML of the pages passing through it.
rockettab.com
88% of users remove it

RocketTab by Adknowledge, Inc.
RocketTab is an advertising-supported browser extension (adware) designed to deliver ads to the user's Internet browser as banners, contextual text links and transitional (interstitial) ads. The injected ads are not affiliated with the website on which they appear.
www.adknowledge.com
87% of users remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network connections in live environments.

Protocol          Destination host                               Address
TCP (HTTP)        s3-1-w.amazonaws.com                           54.231.13.233:80
TCP (HTTPS)       qh-in-f113.1e100.net                           74.125.22.113:443
TCP (HTTPS)       qh-in-f103.1e100.net                           74.125.22.103:443
TCP (HTTPS)       ord31s22-in-f1.1e100.net                       216.58.216.225:443
TCP (HTTP)        ec2-54-243-116-117.compute-1.amazonaws.com     54.243.116.117:80
TCP (HTTP)        ec2-54-225-130-198.compute-1.amazonaws.com     54.225.130.198:80
TCP (HTTP)        ec2-54-208-30-101.compute-1.amazonaws.com      54.208.30.101:80
TCP (HTTPS)       68-65-49-95.airstreamcomm.net                  68.65.49.95:443
TCP (HTTPS)       68-65-49-106.airstreamcomm.net                 68.65.49.106:443
TCP (HTTP)        184.172.26.52-static.reverse.softlayer.com     184.172.26.52:80

Powered by Reason Core Security