» client.exe
Overview
Analysis
File Details
Programs (2)
Network (39)

client.exe

The application client.exe has been detected as a potentially unwanted program by 14 anti-malware scanners. Additionally, the file is typically installed by a number of programs including “RocketTab” by Adknowledge and Rockettab by Rich River Media, LLC, both potentially unwanted software. While running, it connects to the Internet address msnbot-65-55-252-15.search.msn.com on port 80 using the HTTP protocol.

File name:

client.exe

MD5:

45804c006e6c305d2cd356292fd1c2b9

SHA-1:

1d45c5c8145015656184cbb18dfc6bcf94976bda

SHA-256:

324efca88f9ee16d568312aec68f9801d6e24836145b9e41d930de0b7c2da6c2

Scanner detections:

14 / 68

Status:

Potentially unwanted

Analysis date:

4/25/2024 7:44:50 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Graftor.164387

797

avast!

Win32:Adware-CBG [PUP]

2014.9-141129

Bitdefender

Gen:Variant.Adware.Graftor.164387

1.0.20.1665

Emsisoft Anti-Malware

Gen:Variant.Adware.Graftor.164387

8.14.11.29.06

F-Secure

Gen:Variant.Adware.Graftor.164387

11.2014-29-11_7

G Data

Gen:Variant.Adware.Graftor.164387

14.11.24

McAfee

Artemis!45804C006E6C

5600.6931

MicroWorld eScan

Gen:Variant.Adware.Graftor.164387

15.0.0.999

Panda Antivirus

Trj/Genetic.gen

14.11.29.06

Qihoo 360 Security

HEUR/QVM10.1.Malware.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

14.11.30.0

Sophos

iBryte Desktop

4.98

Trend Micro House Call

TROJ_GEN.R047H09KS14

7.2.333

VIPRE Antivirus

Trojan.Win32.Generic

35260

File size:

5.5 MB (5,812,224 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Program Files\search extensions\client.exe

File PE Metadata

Compilation timestamp:

11/28/2014 4:08:41 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

49152:Rh/G4OxeRIqDhFcVht5BFEDgm5OWFkERHDF/lh6jjkl4eFS2wkSIQGUHYCpo:EfB2DgxWJDZlhOBeg/kSKCG

Entry address:

0x1E9F

Entry point:

E8, 3B, 27, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 87, 98, 00, FF, 15, 3C, 80, 40, 00, 85, C0, 75, 18, 56, E8, ED, 27, 00, 00, 8B, F0, FF, 15, 38, 80, 40, 00, 50, E8, 9D, 27, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, B0, A4, 40, 00, E8, 01, 25, 00, 00, 6A, 0E, E8, ED, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 7C, 98, 00, BA, FC, 7B, 98, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A... 
[+]

Entropy:

4.5107

Code size:

25.5 KB (26,112 bytes)

The file client.exe has been discovered within the following programs.

“RocketTab” by Adknowledge

RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.

85% remove it

Rockettab by Rich River Media, LLC

RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.

rockettab.com

88% remove it

Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to ec2-50-17-224-168.compute-1.amazonaws.com (50.17.224.168:80)

TCP (HTTP):

Connects to ec2-54-221-254-214.compute-1.amazonaws.com (54.221.254.214:80)

TCP (HTTP):

Connects to ec2-54-235-170-110.compute-1.amazonaws.com (54.235.170.110:80)

TCP (HTTP):

Connects to server-52-84-239-154.sfo5.r.cloudfront.net (52.84.239.154:80)

TCP (HTTP SSL):

Connects to server-52-84-239-153.sfo5.r.cloudfront.net (52.84.239.153:443)

TCP (HTTP):

Connects to server-52-84-239-106.sfo5.r.cloudfront.net (52.84.239.106:80)

TCP (HTTP SSL):

Connects to server-52-84-133-151.atl52.r.cloudfront.net (52.84.133.151:443)

TCP (HTTP):

Connects to sage.parklogic.com (69.39.236.56:80)

TCP (HTTP SSL):

Connects to new-york-20.cdn77.com (185.59.223.29:443)

TCP (HTTP):

Connects to msnbot-65-55-252-15.search.msn.com (65.55.252.15:80)

TCP (HTTP):

Connects to li491-84.members.linode.com (50.116.29.84:80)

TCP (HTTP):

Connects to li355-175.members.linode.com (178.79.186.175:80)

TCP (HTTP SSL):

Connects to ec2-54-200-62-216.us-west-2.compute.amazonaws.com (54.200.62.216:443)

TCP (HTTP):

Connects to ec2-54-197-250-127.compute-1.amazonaws.com (54.197.250.127:80)

TCP (HTTP SSL):

Connects to ec2-54-186-22-115.us-west-2.compute.amazonaws.com (54.186.22.115:443)

TCP (HTTP SSL):

Connects to ec2-54-148-76-131.us-west-2.compute.amazonaws.com (54.148.76.131:443)

TCP (HTTP):

Connects to ec2-52-55-209-160.compute-1.amazonaws.com (52.55.209.160:80)

TCP (HTTP SSL):

Connects to ec2-52-2-10-61.compute-1.amazonaws.com (52.2.10.61:443)

TCP (HTTP):

Connects to ec2-50-19-82-224.compute-1.amazonaws.com (50.19.82.224:80)

TCP (HTTP):

Connects to ec2-50-17-217-59.compute-1.amazonaws.com (50.17.217.59:80)

Remove client.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.