» client.exe
Overview
Analysis
File Details
Behaviors (1)
Programs (2)
Network (24)

client.exe

The application client.exe has been detected as a potentially unwanted program by 18 anti-malware scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 49233 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host. Additionally, the file is typically installed by a number of programs including “RocketTab” by Adknowledge and Rockettab by Rich River Media, LLC, both potentially unwanted software. While running, it connects to the Internet address a-0011.a-msedge.net on port 443.

File name:

client.exe

MD5:

5bbc4441997c84cb0e93b2c02831db1a

SHA-1:

7f0a8b2f9cde78f87c9f70d4642c2194f5b4986d

SHA-256:

9170bed3a8b64d110a0b01353d75a70631f67fb474d0a60b4df5dd0d3ee57ef7

Scanner detections:

18 / 68

Status:

Potentially unwanted

Analysis date:

4/24/2024 12:29:32 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Zusy.128373

699

Avira AntiVirus

ADWARE/iBryte.Gen4

7.11.213.54

Baidu Antivirus

Adware.MSIL.iBryte

4.0.3.1537

Bitdefender

Gen:Variant.Zusy.128373

1.0.20.330

Emsisoft Anti-Malware

Gen:Variant.Zusy.128373

8.15.03.07.05

ESET NOD32

Win32/Adware.iBryte.CD (variant)

9.11259

Fortinet FortiGate

MSIL/IBryte.A

3/7/2015

G Data

Gen:Variant.Zusy.128373

15.3.25

IKARUS anti.virus

PUA.Downloader

t3scan.1.8.6.0

K7 AntiVirus

Adware

13.200.15136

Kaspersky

not-a-virus:AdWare.Win32.iBryte

14.0.0.2381

McAfee

Artemis!5BBC4441997C

5600.6833

MicroWorld eScan

Gen:Variant.Zusy.128373

16.0.0.198

Norman

Troj_Generic.YXDSB

11.20150307

Qihoo 360 Security

HEUR/QVM10.1.Malware.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

15.3.7.17

Rising Antivirus

PE:Trojan.FakeIcon!1.64A5

23.00.65.15305

Sophos

Mal/Wintrim-A

4.98

File size:

2.5 MB (2,599,424 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Program Files\search extensions\client.exe

File PE Metadata

Compilation timestamp:

2/26/2015 1:08:33 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

24576:jEZaWQ8k5hW1b00klTOobokuHjmZk1oE9l4xHDweng+024+pEe0WCBlO4AWp4Z9H:jUjf4dTR723TQ0ELCBlOJuzBtAv

Entry address:

0xD007

Entry point:

E8, B3, 33, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, 24, 3F, 4A, 00, FF, 15, 60, 10, 42, 00, 85, C0, 75, 18, 56, E8, 65, 34, 00, 00, 8B, F0, FF, 15, 5C, 10, 42, 00, 50, E8, 15, 34, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, C4, CF, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, C4, CF, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, CC, CF, 49, 00, C3, 8B... 
[+]

Entropy:

6.1292

Code size:

124.5 KB (127,488 bytes)

Local Proxy Server

Proxy for:

Internet Settings

Local host address:

http://127.0.0.1:49233/

Local host port:

49233

Default credentials:

The file client.exe has been discovered within the following programs.

“RocketTab” by Adknowledge

RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.

85% remove it

Rockettab by Rich River Media, LLC

RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.

rockettab.com

88% remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to a104-79-219-19.deploy.static.akamaitechnologies.com (104.79.219.19:443)

TCP (HTTP):

Connects to ec2-54-235-170-110.compute-1.amazonaws.com (54.235.170.110:80)

TCP (HTTP SSL):

Connects to ec2-52-73-109-231.compute-1.amazonaws.com (52.73.109.231:443)

TCP (HTTP):

Connects to ec2-54-221-254-214.compute-1.amazonaws.com (54.221.254.214:80)

TCP (HTTP SSL):

Connects to a92-122-137-102.deploy.akamaitechnologies.com (92.122.137.102:443)

TCP (HTTP SSL):

Connects to a-0011.a-msedge.net (204.79.197.213:443)

TCP (HTTP SSL):

Connects to by3302-g.1drv.com (134.170.108.224:443)

TCP (HTTP SSL):

Connects to a104-79-224-123.deploy.static.akamaitechnologies.com (104.79.224.123:443)

TCP (HTTP SSL):

Connects to a104-79-212-223.deploy.static.akamaitechnologies.com (104.79.212.223:443)

TCP (HTTP SSL):

Connects to ec2-52-20-120-15.compute-1.amazonaws.com (52.20.120.15:443)

TCP (HTTP):

Connects to ec2-54-83-200-155.compute-1.amazonaws.com (54.83.200.155:80)

TCP (HTTP):

Connects to ec2-23-21-48-109.compute-1.amazonaws.com (23.21.48.109:80)

TCP (HTTP SSL):

Connects to ec2-176-34-97-186.eu-west-1.compute.amazonaws.com (176.34.97.186:443)

TCP (HTTP SSL):

Connects to ch1-cor001.api.p001.1drv.com (40.77.224.2:443)

TCP (HTTP SSL):

Connects to by3301-e.1drv.com (134.170.108.72:443)

TCP (HTTP SSL):

Connects to blu402-m.hotmail.com (134.170.0.199:443)

TCP (HTTP):

Connects to a72-246-151-9.deploy.akamaitechnologies.com (72.246.151.9:80)

TCP (HTTP):

Connects to a72-246-151-11.deploy.akamaitechnologies.com (72.246.151.11:80)

TCP (HTTP SSL):

Connects to a104-79-233-204.deploy.static.akamaitechnologies.com (104.79.233.204:443)

TCP (HTTP):

Connects to ec2-54-204-8-133.compute-1.amazonaws.com (54.204.8.133:80)

Remove client.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.