client.exe

The application client.exe has been detected as a potentially unwanted program by 16 anti-malware scanners. Additionally, the file is typically installed by a number of programs including “RocketTab” by Adknowledge and Rockettab by Rich River Media, LLC, both potentially unwanted software. While running, it connects to the Internet address msnbot-65-55-252-15.search.msn.com on port 80 using the HTTP protocol.
MD5:
45804c006e6c305d2cd356292fd1c2b9

SHA-1:
1d45c5c8145015656184cbb18dfc6bcf94976bda

SHA-256:
324efca88f9ee16d568312aec68f9801d6e24836145b9e41d930de0b7c2da6c2

Scanner detections:
16 / 68

Status:
Potentially unwanted

Analysis date:
12/18/2017 11:50:38 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.Graftor.164387
797

avast!
Win32:Adware-CBG [PUP]
2014.9-141129

Bitdefender
Gen:Variant.Adware.Graftor.164387
1.0.20.1665

Emsisoft Anti-Malware
Gen:Variant.Adware.Graftor.164387
8.14.11.29.06

F-Secure
Gen:Variant.Adware.Graftor.164387
11.2014-29-11_7

G Data
Gen:Variant.Adware.Graftor.164387
14.11.24

K7 Gateway Antivirus
Riskware
13.186.14186

McAfee
Artemis!45804C006E6C
5600.6931

McAfee Web Gateway
Artemis
7.6931

MicroWorld eScan
Gen:Variant.Adware.Graftor.164387
15.0.0.999

Panda Antivirus
Trj/Genetic.gen
14.11.29.06

Qihoo 360 Security
HEUR/QVM10.1.Malware.Gen
1.0.0.1015

Reason Heuristics
Threat.Win.Reputation.IMP
14.11.30.0

Sophos
iBryte Desktop
4.98

Trend Micro House Call
TROJ_GEN.R047H09KS14
7.2.333

VIPRE Antivirus
Trojan.Win32.Generic
35260

File size:
5.5 MB (5,812,224 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

File PE Metadata
Compilation timestamp:
11/28/2014 4:08:41 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:Rh/G4OxeRIqDhFcVht5BFEDgm5OWFkERHDF/lh6jjkl4eFS2wkSIQGUHYCpo:EfB2DgxWJDZlhOBeg/kSKCG

Entry address:
0x1E9F

Entry point:
E8, 3B, 27, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 87, 98, 00, FF, 15, 3C, 80, 40, 00, 85, C0, 75, 18, 56, E8, ED, 27, 00, 00, 8B, F0, FF, 15, 38, 80, 40, 00, 50, E8, 9D, 27, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, B0, A4, 40, 00, E8, 01, 25, 00, 00, 6A, 0E, E8, ED, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 7C, 98, 00, BA, FC, 7B, 98, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A...
 
[+]

Entropy:
4.5107

Code size:
25.5 KB (26,112 bytes)

The file client.exe has been discovered within the following programs.

“RocketTab”  by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-50-17-224-168.compute-1.amazonaws.com  (50.17.224.168:80)

TCP (HTTP):
Connects to ec2-54-221-254-214.compute-1.amazonaws.com  (54.221.254.214:80)

TCP (HTTP):
Connects to ec2-54-235-170-110.compute-1.amazonaws.com  (54.235.170.110:80)

TCP (HTTP):
Connects to server-52-84-239-154.sfo5.r.cloudfront.net  (52.84.239.154:80)

TCP (HTTP SSL):
Connects to server-52-84-239-153.sfo5.r.cloudfront.net  (52.84.239.153:443)

TCP (HTTP):
Connects to server-52-84-239-106.sfo5.r.cloudfront.net  (52.84.239.106:80)

TCP (HTTP SSL):
Connects to server-52-84-133-151.atl52.r.cloudfront.net  (52.84.133.151:443)

TCP (HTTP):
Connects to sage.parklogic.com  (69.39.236.56:80)

TCP (HTTP SSL):
Connects to new-york-20.cdn77.com  (185.59.223.29:443)

TCP (HTTP):
Connects to msnbot-65-55-252-15.search.msn.com  (65.55.252.15:80)

TCP (HTTP):
Connects to li491-84.members.linode.com  (50.116.29.84:80)

TCP (HTTP):
Connects to li355-175.members.linode.com  (178.79.186.175:80)

TCP (HTTP SSL):
Connects to ec2-54-200-62-216.us-west-2.compute.amazonaws.com  (54.200.62.216:443)

TCP (HTTP):
Connects to ec2-54-197-250-127.compute-1.amazonaws.com  (54.197.250.127:80)

TCP (HTTP SSL):
Connects to ec2-54-186-22-115.us-west-2.compute.amazonaws.com  (54.186.22.115:443)

TCP (HTTP SSL):
Connects to ec2-54-148-76-131.us-west-2.compute.amazonaws.com  (54.148.76.131:443)

TCP (HTTP):
Connects to ec2-52-55-209-160.compute-1.amazonaws.com  (52.55.209.160:80)

TCP (HTTP SSL):
Connects to ec2-52-2-10-61.compute-1.amazonaws.com  (52.2.10.61:443)

TCP (HTTP):
Connects to ec2-50-19-82-224.compute-1.amazonaws.com  (50.19.82.224:80)

TCP (HTTP):
Connects to ec2-50-17-217-59.compute-1.amazonaws.com  (50.17.217.59:80)

Remove client.exe - Powered by Reason Core Security