Client.exe

The application Client.exe has been detected as adware by 3 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49641 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. Additionally, the file is typically installed by a number of programs including RocketTab: by Adknowledge, Inc. and Rockettab by Rich River Media, LLC, both potentially unwanted software.
Version:
1.0.5352.12596

MD5:
f68b3199ef59df540d88c93ab03127f7

SHA-1:
7ab07f1939278796c12999a49e4b9b1f2d5e9a71

SHA-256:
546d7db5238fea1c5ac071be903ba45f5835d4257f1b15397c8652f23f4d5d3c

Scanner detections:
3 / 68

Status:
Adware

Analysis date:
11/23/2024 3:20:29 PM UTC  (today)

Scan engine
Detection
Engine version

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.14827

ESET NOD32
MSIL/Adware.iBryte.F application
7.0.302.0

Reason Heuristics
Adware.RocketTab.G
14.9.10.17

File size:
1.4 MB (1,417,216 bytes)

Product version:
1.0.5352.12596

Original file name:
Client.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\rockettab\client.exe

File PE Metadata
Compilation timestamp:
8/27/2014 4:00:11 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:LFTH64aX7eSy5rNs56SSEiRQNm/K0elIubstudf3HkYCgZU2a:B5SX2C6SS6L9IuLNHLj

Entry address:
0x151362

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.1004

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.3 MB (1,373,184 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49641/

Local host port:
49641

Default credentials:
No


The file Client.exe has been discovered within the following programs.

Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
RocketTab:  by Adknowledge, Inc.
RocketTab is an advertising supported browser extension also known as adware and is designed to deliver ads to the user's Internet browser as banners, context text-links and transitionals ads. The injected ads are not affiliated with the underlying website on which they appear.
www.adknowledge.com
87% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to yv-in-f141.1e100.net  (74.125.21.141:80)

TCP (HTTP):
Connects to web14.appliedi.net  (216.167.204.214:80)

TCP (HTTP):
Connects to server-54-230-205-159.atl50.r.cloudfront.net  (54.230.205.159:80)

TCP (HTTP):
Connects to server-54-230-205-104.atl50.r.cloudfront.net  (54.230.205.104:80)

TCP (HTTP):
Connects to presentation-atl1.turn.com  (50.116.194.21:80)

TCP (HTTP SSL):
Connects to pb-in-f189.1e100.net  (173.194.79.189:443)

TCP (HTTP):
Connects to pages-wildcard.weebly.com  (199.34.228.104:80)

TCP (HTTP):
Connects to lb  (207.178.57.59:80)

TCP (HTTP):
Connects to lax04s09-in-f25.1e100.net  (74.125.239.25:80)

TCP (HTTP SSL):
Connects to lax02s20-in-f9.1e100.net  (74.125.224.137:443)

TCP (HTTP):
Connects to lax02s20-in-f26.1e100.net  (74.125.224.154:80)

TCP (HTTP):
Connects to lax02s20-in-f25.1e100.net  (74.125.224.153:80)

TCP (HTTP):
Connects to lax02s20-in-f24.1e100.net  (74.125.224.152:80)

TCP (HTTP):
Connects to lax02s20-in-f23.1e100.net  (74.125.224.151:80)

TCP (HTTP):
Connects to lax02s20-in-f20.1e100.net  (74.125.224.148:80)

TCP (HTTP):
Connects to lax02s20-in-f15.1e100.net  (74.125.224.143:80)

TCP (HTTP):
Connects to lax02s20-in-f13.1e100.net  (74.125.224.141:80)

TCP (HTTP SSL):
Connects to lax02s20-in-f1.1e100.net  (74.125.224.129:443)

TCP (HTTP):
Connects to float.1404.bm-impbus.prod.lax1.adnexus.net  (68.67.128.7:80)

TCP (HTTP):
Connects to float.1399.bm-impbus.prod.lax1.adnexus.net  (68.67.128.2:80)

Remove Client.exe - Powered by Reason Core Security