sysad.exe

The application sysad.exe has been detected as a potentially unwanted program by 26 anti-malware scanners. It runs as a scheduled task under the Windows Task Scheduler named RunTool triggered by a time event. This file is typically installed with the program Rockettab by Rich River Media, LLC which is a potentially unwanted software program. While running, it connects to the Internet address host-197.199.253.53.etisalat.com.eg on port 443.
MD5:
c387a73359542aab558445aed3d951fb

SHA-1:
a7a5041852579bed585c1a99c181d9a85026fc7e

SHA-256:
2a87c95925b96b84a6a305c6dd009e9a85f1335130e5378bc53ae2f1bc3bdbe7

Scanner detections:
26 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 2:20:10 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.IBryte.BI
643

Agnitum Outpost
Trojan.iBryte
7.1.1

AhnLab V3 Security
2015.04.28

Avira AntiVirus
ADWARE/iBryte.Gen7
7.11.204.50

avast!
Win32:Malware-gen
2014.9-150122

Bitdefender
Adware.IBryte.BI
1.0.20.615

Comodo Security
ApplicUnwnt
21917

Dr.Web
Trojan.iBryte.301
9.0.1.0123

Emsisoft Anti-Malware
Adware.IBryte.BI
8.15.05.03.05

Fortinet FortiGate
W32/Hra.CE!tr
5/3/2015

F-Secure
Adware.IBryte.BI
11.2015-03-05_1

G Data
Adware.IBryte.BI
15.5.25

K7 AntiVirus
Riskware
13.203.15726

McAfee
RDN/Generic.hra!ce
5600.6777

MicroWorld eScan
Adware.IBryte.BI
16.0.0.369

NANO AntiVirus
Trojan.Win32.IBryte.dmxhpb
0.30.20.1219

Norman
Suspicious_Gen2.WBPLL
11.20150503

nProtect
Adware.IBryte.BI
15.04.27.01

Panda Antivirus
Trj/CI.A
15.05.03.05

Qihoo 360 Security
Win32/Virus.Adware.d4f
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
15.5.9.13

Sophos
iBryte Desktop
4.98

Trend Micro House Call
Suspicious_GEN.F47V0121
7.2.22

Trend Micro
ADW_IBRYTE
10.465.03

VIPRE Antivirus
Trojan.Win32.Generic
39728

ViRobot
Trojan.Win32.A.Autoit.701952[h]
2014.3.20.0

File size:
685.5 KB (701,952 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\dd5e2287-e217-4205-aaad-52dfa35f31ee\sysad.exe

File PE Metadata
Compilation timestamp:
1/21/2015 11:01:54 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
12288:txop/Pf0Gv7jN6la2wrllFyy6+yNw7IzNDMf0Gv7jNTIdmrH8MpUUCjS7uWoMes7:txoBPf0GnN/oZ4f0GnNNVvMcx

Entry address:
0x3CB7

Entry point:
E8, E3, 20, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 2C, C1, 4A, 00, FF, 15, 58, 80, 41, 00, 85, C0, 75, 18, 56, E8, 95, 21, 00, 00, 8B, F0, FF, 15, 54, 80, 41, 00, 50, E8, 45, 21, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, FF, 55, 8B, EC, 81, EC, 28, 03, 00, 00, A3, 88, B6, 4A, 00, 89, 0D, 84, B6, 4A, 00, 89, 15, 80, B6, 4A, 00, 89, 1D, 7C, B6, 4A, 00, 89, 35, 78, B6, 4A, 00, 89, 3D, 74, B6, 4A, 00, 66, 8C, 15, A0, B6, 4A, 00, 66, 8C, 0D, 94, B6, 4A, 00...
 
[+]

Entropy:
6.2753

Code size:
88.5 KB (90,624 bytes)

Scheduled Task
Task name:
RunTool

Trigger:
Time

Description:
RunTool


The file sysad.exe has been discovered within the following program.

Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP SSL):
Connects to host-197.199.253.53.etisalat.com.eg  (197.199.253.53:443)

TCP (HTTP):
Connects to ec2-54-235-115-165.compute-1.amazonaws.com  (54.235.115.165:80)

TCP (HTTP SSL):
Connects to mx-ll-110.164.10-24.static.3bb.co.th  (110.164.10.24:443)

TCP (HTTP):
Connects to ec2-23-23-200-28.compute-1.amazonaws.com  (23.23.200.28:80)

TCP (HTTP):
Connects to ec2-54-235-170-110.compute-1.amazonaws.com  (54.235.170.110:80)

TCP (HTTP):
Connects to ec2-50-17-218-85.compute-1.amazonaws.com  (50.17.218.85:80)

TCP (HTTP SSL):
Connects to BHE200150004216.redeinfovias.net.br  (200.150.4.216:443)

TCP (HTTP SSL):
Connects to mx-ll-110.164.6-152.static.3bb.co.th  (110.164.6.152:443)

TCP (HTTP):
Connects to ec2-54-243-184-36.compute-1.amazonaws.com  (54.243.184.36:80)

TCP (HTTP):
Connects to ec2-54-243-115-164.compute-1.amazonaws.com  (54.243.115.164:80)

TCP (HTTP):
Connects to ec2-54-235-216-26.compute-1.amazonaws.com  (54.235.216.26:80)

Remove sysad.exe - Powered by Reason Core Security