» client.exe
Overview
Analysis
File Details
Programs (2)
Network (49)

client.exe

The application client.exe has been detected as a potentially unwanted program by 14 anti-malware scanners. Additionally, the file is typically installed by a number of programs including Rockettab by Rich River Media, LLC and “RocketTab” by Adknowledge, both potentially unwanted software.

File name:

client.exe

MD5:

503ec5820ea124c9c96ef5241c7056b7

SHA-1:

99d73d5eebad4267bd18a43ed4b6d994c36694f2

SHA-256:

57b66304b4c797fc37c9c1d9e6468011419252aedb295afe98cb373bc9d7e082

Scanner detections:

14 / 68

Status:

Potentially unwanted

Analysis date:

4/19/2024 6:09:11 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Variant.Adware.Graftor.164387

5821412

avast!

Win32:Adware-CBG [PUP]

2014.9-141130

Bitdefender

Gen:Variant.Adware.Graftor.164387

1.0.20.1625

Emsisoft Anti-Malware

Gen:Variant.Adware.Graftor.164387

9.0.0.4570

F-Secure

Gen:Variant.Adware.Graftor.164387

11.2014-21-11_6

G Data

Gen:Variant.Adware.Graftor.164387

14.11.24

McAfee

Artemis!45804C006E6C

5600.6931

MicroWorld eScan

Gen:Variant.Adware.Graftor.164387

15.0.0.975

Panda Antivirus

Trj/Genetic.gen

14.11.30.12

Qihoo 360 Security

HEUR/QVM10.1.Malware.Gen

1.0.0.1015

Reason Heuristics

Threat.Win.Reputation.IMP

14.11.30.0

Sophos

iBryte Desktop

4.98

Trend Micro House Call

TROJ_GEN.R047H09KS14

7.2.334

VIPRE Antivirus

Trojan.Win32.Generic

35260

File size:

5.5 MB (5,812,224 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\Program Files\search extensions\client.exe

File PE Metadata

Compilation timestamp:

11/21/2014 5:36:38 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

10.0

CTPH (ssdeep):

12288:GRbbbExHT9rbOU6vajfauQ23GkYk9Oh0qS4:obbbExJCU6va7auQ23GkYk900qp

Entry address:

0x1E9F

Entry point:

E8, 3B, 27, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, AC, 87, 98, 00, FF, 15, 3C, 80, 40, 00, 85, C0, 75, 18, 56, E8, ED, 27, 00, 00, 8B, F0, FF, 15, 38, 80, 40, 00, 50, E8, 9D, 27, 00, 00, 59, 89, 06, 5E, 5D, C3, 6A, 0C, 68, B0, A4, 40, 00, E8, 01, 25, 00, 00, 6A, 0E, E8, ED, 2A, 00, 00, 59, 83, 65, FC, 00, 8B, 75, 08, 8B, 4E, 04, 85, C9, 74, 2F, A1, 00, 7C, 98, 00, BA, FC, 7B, 98, 00, 89, 45, E4, 85, C0, 74, 11, 39, 08, 75, 2C, 8B, 48, 04, 89, 4A... 
[+]

Code size:

25.5 KB (26,112 bytes)

The file client.exe has been discovered within the following programs.

“RocketTab” by Adknowledge

RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.

85% remove it

Rockettab by Rich River Media, LLC

RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.

rockettab.com

88% remove it

Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to a23-194-84-166.deploy.static.akamaitechnologies.com (23.194.84.166:443)

TCP (HTTP):

Connects to ec2-54-235-170-110.compute-1.amazonaws.com (54.235.170.110:80)

TCP (HTTP):

Connects to ec2-50-17-224-168.compute-1.amazonaws.com (50.17.224.168:80)

TCP (HTTP SSL):

Connects to a23-194-104-20.deploy.static.akamaitechnologies.com (23.194.104.20:443)

TCP (HTTP SSL):

Connects to yts2.yql.vip.ne1.yahoo.com (98.138.243.53:443)

TCP (HTTP):

Connects to sfo-mta-31.taggedmail.com (67.221.174.31:80)

TCP (HTTP):

Connects to sfo-mta-24.taggedmail.com (67.221.174.24:80)

TCP (HTTP SSL):

Connects to sea15s01-in-f0.1e100.net (216.58.216.128:443)

TCP (HTTP SSL):

Connects to sea09s18-in-f0.1e100.net (173.194.33.160:443)

TCP (HTTP SSL):

Connects to s3-1-w.amazonaws.com (54.231.33.73:443)

TCP (HTTP):

Connects to r1.ycpi.vip.sjb.yahoo.net (206.190.61.106:80)

TCP (HTTP SSL):

Connects to r1.ycpi.vip.ne1.yahoo.net (98.138.81.72:443)

TCP (HTTP SSL):

Connects to r1.ycpi.vip.lax.yahoo.net (216.115.107.206:443)

TCP (HTTP SSL):

Connects to pr.pbp.vip.gq1.yahoo.com (216.39.54.212:443)

TCP (HTTP SSL):

Connects to pr.comet.vip.ne1.yahoo.com (98.138.79.73:443)

TCP (HTTP):

Connects to pprd1-rtr1.manhattan.vip.gq1.yahoo.com (98.136.223.38:80)

TCP (HTTP):

Connects to mpr2.ngd.vip.ne1.yahoo.com (98.138.49.43:80)

TCP (HTTP SSL):

Connects to mpr1.ngd.vip.ne1.yahoo.com (98.138.49.42:443)

TCP (HTTP SSL):

Connects to l3.ycs.vip.sjb.yahoo.com (206.190.60.139:443)

TCP (HTTP SSL):

Connects to l1.ycs.vip.sjb.yahoo.com (206.190.60.138:443)

Remove client.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.