Client.exe

Secureencoded

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application Client.exe by Secureencoded has been detected as adware by 19 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. Additionally, the file is typically installed by a number of programs including Rockettab by Rich River Media, LLC and “RocketTab” by Adknowledge, both potentially unwanted software.
Publisher:
Secureencoded  (signed and verified)

Version:
1.0.5392.12650

MD5:
60f51c1c88151017b67bc336b3b40218

SHA-1:
81f6c90cc887a362753d9aa2e24e32b021221807

SHA-256:
f07ad6483e05840baaef2189179ba6c9e78d203739915893a811b6bdefe2dd1d

Scanner detections:
19 / 68

Status:
Adware

Explanation:
This installer bundles various adware prorgams that may include toolbars and web browser advertising injectors/extensions.

Description:
This is also known as bundleware, or downloadware, which is an downloader designed to simply deliver ad-supported offers in the setup routine of an otherwise legitimate software.

Analysis date:
12/24/2024 4:44:26 PM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:IBryte-FV [PUP]
2014.9-141115

AVG
Securee
2015.0.3289

Baidu Antivirus
Adware.Win32.RocketTab
4.0.3.141115

Comodo Security
ApplicUnwnt
20073

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10721

Fortinet FortiGate
Adware/RocketTab
11/15/2014

F-Prot
W32/A-425915ce
v6.4.7.1.166

IKARUS anti.virus
not-a-virus:AdWare.MSIL.RocketTab
t3scan.1.8.3.0

K7 AntiVirus
Adware
13.185.14007

Kaspersky
not-a-virus:AdWare.MSIL.RocketTab
14.0.0.2940

McAfee
Adware-RocketTab
5600.6945

Panda Antivirus
Trj/Chgt.I
14.11.15.11

Qihoo 360 Security
HEUR/QVM03.0.Malware.Gen
1.0.0.1015

Quick Heal
AdWare.MSIL.g3 (Not a Virus)
11.14.14.00

Reason Heuristics
PUP.Secureencoded.G
14.11.15.23

Sophos
Generic PUA IB
4.98

Trend Micro House Call
TROJ_GEN.R047C0EJS14
7.2.319

Trend Micro
TROJ_GEN.R047C0EJS14
10.465.15

VIPRE Antivirus
AdKnowledge
34770

File size:
1.4 MB (1,424,616 bytes)

Product version:
1.0.5392.12650

Original file name:
Client.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\search extensions\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/13/2014 8:00:00 PM

Valid to:
7/14/2015 7:59:59 PM

Subject:
CN=Secureencoded, O=Secureencoded, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
008A9DE5BF6D7E4070873AB08E9304F7FA

File PE Metadata
Compilation timestamp:
10/6/2014 4:02:27 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:Rc8onSv5i46JSEseLNVhIeoG0MrHRXd6ZpBg8zs65:R19f6JSoNVh+ytt6Zp3wy

Entry address:
0x1522EA

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...
 
[+]

Entropy:
7.0980

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.3 MB (1,377,280 bytes)

The file Client.exe has been discovered within the following programs.

“RocketTab”  by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-230-37-157.jfk1.r.cloudfront.net  (54.230.37.157:443)

TCP (HTTP SSL):
Connects to server-54-230-205-250.atl50.r.cloudfront.net  (54.230.205.250:443)

TCP (HTTP SSL):
Connects to server-54-192-207-116.atl50.r.cloudfront.net  (54.192.207.116:443)

TCP (HTTP):
Connects to server-52-84-79-233.atl52.r.cloudfront.net  (52.84.79.233:80)

TCP (HTTP SSL):
Connects to server-52-84-133-35.atl52.r.cloudfront.net  (52.84.133.35:443)

TCP (HTTP SSL):
Connects to s3-1.amazonaws.com  (54.231.1.232:443)

TCP (HTTP SSL):
Connects to qa-in-f147.1e100.net  (173.194.68.147:443)

TCP (HTTP):
Connects to ip-23-229-146-44.ip.secureserver.net  (23.229.146.44:80)

TCP (HTTP):
Connects to ip-107-180-34-192.ip.secureserver.net  (107.180.34.192:80)

TCP (HTTP):
Connects to fineous.shoeboxtech.com  (66.7.197.146:80)

TCP (HTTP):
Connects to ec2-54-243-90-89.compute-1.amazonaws.com  (54.243.90.89:80)

TCP (HTTP):
Connects to ec2-54-243-102-68.compute-1.amazonaws.com  (54.243.102.68:80)

TCP (HTTP SSL):
Connects to ec2-54-225-190-65.compute-1.amazonaws.com  (54.225.190.65:443)

TCP (HTTP):
Connects to ec2-54-173-56-234.compute-1.amazonaws.com  (54.173.56.234:80)

TCP (HTTP SSL):
Connects to ec2-52-6-82-78.compute-1.amazonaws.com  (52.6.82.78:443)

TCP (HTTP):
Connects to ec2-50-17-224-168.compute-1.amazonaws.com  (50.17.224.168:80)

TCP (HTTP):
Connects to ec2-50-16-138-48.compute-1.amazonaws.com  (50.16.138.48:80)

TCP (HTTP SSL):
Connects to ec2-184-72-49-212.us-west-1.compute.amazonaws.com  (184.72.49.212:443)

TCP (HTTP SSL):
Connects to ec2-184-72-45-10.us-west-1.compute.amazonaws.com  (184.72.45.10:443)

Remove Client.exe - Powered by Reason Core Security