Client.exe

The application Client.exe has been detected as a potentially unwanted program by 4 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49188 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Version:
1.0.5548.21168

MD5:
77caa4fdb525f618fa6d85845adb120f

SHA-1:
667cd6d9cd0f1543256ef3d883816bbb1aa8cf12

SHA-256:
735257f40cea1e282a52a0367822a397d7804e7ef48c13c66c0df50798e9c110

Scanner detections:
4 / 68

Status:
Potentially unwanted

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
12/16/2018 5:30:23 PM UTC

Scan engine          Detection                        Engine version
avast!               Win32:IBryte-EP [PUP]            2014.9-150313
Comodo Security      Application.MSIL.BrowseFox.A     21374
ESET NOD32           MSIL/Adware.iBryte (variant)     9.11304
IKARUS anti.virus    Trojan.Msil                      t3scan.1.8.6.0

File size:
848 KB (868,352 bytes)

Product version:
1.0.5548.21168

Original file name:
Client.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\browser extensions\client.exe

File PE Metadata
Compilation timestamp:
3/11/2015 7:45:54 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:22/CH6B/tpm+evbGhUPyt4wC2i6HSWSzdcv:20g6B/tpm+evbGhUPytzi6HS

Entry address:
0xD550A

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.3155

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
845.5 KB (865,792 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:49188/

Local host port:
49188

Default credentials:
No


The executing file has been seen to make the following network communications in live environments.


Remove Client.exe - Powered by Reason Core Security