home

client.exe

The application client.exe has been detected as a potentially unwanted program by 13 anti-malware scanners. Additionally, the file is typically installed by a number of programs including Rockettab by Rich River Media, LLC and “RocketTab” by Adknowledge, both potentially unwanted software. While running, it connects to the Internet address server-54-192-48-60.jfk5.r.cloudfront.net on port 443.
MD5:
1293d402f9d1273506a08544bff2448c

SHA-1:
9ed9991bfa5648fe3107f4d8967fca07c5e1ffac

SHA-256:
f5c5a8912ab94f186db4e8224007d40c98eedaed206281cf76c62c72fc1cdd44

Scanner detections:
13 / 68

Status:
Potentially unwanted

Analysis date:
4/25/2024 6:44:20 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Variant.Adware.iBryte.8
766

avast!
Win32:Dropper-gen [Drp]
2014.9-150114

Baidu Antivirus
Adware.MSIL.iBryte
4.0.3.141231

Bitdefender
Gen:Variant.Adware.iBryte.8
1.0.20.1825

Comodo Security
TrojWare.Win32.Injector.ABIP
20621

Emsisoft Anti-Malware
Gen:Variant.Adware.iBryte
8.14.12.31.03

ESET NOD32
MSIL/Adware.iBryte (variant)
8.10946

F-Secure
Gen:Variant.Adware.iBryte.8
11.2015-14-01_4

G Data
Gen:Variant.Adware.iBryte
14.12.24

MicroWorld eScan
Gen:Variant.Adware.iBryte.8
15.0.0.1095

Reason Heuristics
Threat.Win.Reputation.IMP
15.1.14.23

Rising Antivirus
PE:Trojan.FakeIcon!1.64A5
23.00.65.141229

Sophos
Mal/Wintrim-A
4.98

File size:
2.5 MB (2,643,456 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\search extensions\client.exe

File PE Metadata
Compilation timestamp:
12/31/2014 5:37:54 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
49152:G/Rt3Ek0LyG/pWuY620mL4ud/qavlygXwvh:G/R

Entry address:
0xBEB7

Entry point:
E8, A3, 32, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, 7D, 08, 00, 74, 2D, FF, 75, 08, 6A, 00, FF, 35, E4, 56, 4A, 00, FF, 15, 60, F0, 41, 00, 85, C0, 75, 18, 56, E8, 55, 33, 00, 00, 8B, F0, FF, 15, 5C, F0, 41, 00, 50, E8, 05, 33, 00, 00, 59, 89, 06, 5E, 5D, C3, 8B, C1, 83, 60, 04, 00, C7, 00, 54, EE, 49, 00, C6, 40, 08, 00, C3, 8B, FF, 55, 8B, EC, 8B, C1, 8B, 4D, 08, C7, 00, 54, EE, 49, 00, 8B, 09, 89, 48, 04, C6, 40, 08, 00, 5D, C2, 08, 00, 8B, 41, 04, 85, C0, 75, 05, B8, 5C, EE, 49, 00, C3, 8B...
 
[+]

Entropy:
6.0664

Code size:
119 KB (121,856 bytes)

The file client.exe has been discovered within the following programs.

“RocketTab”  by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
Rockettab  by Rich River Media, LLC
RocketTab is an adware program that injects advertising in the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic the service will be able to include various ads in the HTML of the displaying web page.
rockettab.com
88% remove it
RocketTab:  by Adknowledge, Inc.
RocketTab is an advertising supported browser extension also known as adware and is designed to deliver ads to the user's Internet browser as banners, context text-links and transitionals ads. The injected ads are not affiliated with the underlying website on which they appear.
www.adknowledge.com
87% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-107-22-245-216.compute-1.amazonaws.com  (107.22.245.216:80)

TCP (HTTP SSL):
Connects to msnbot-65-55-252-43.search.msn.com  (65.55.252.43:443)

TCP (HTTP):
Connects to 107248HD10100.ikexpress.com  (109.238.10.100:80)

TCP (HTTP):
Connects to smooch.com  (162.13.67.32:80)

TCP (HTTP):
Connects to server-54-230-138-9.lax1.r.cloudfront.net  (54.230.138.9:80)

TCP (HTTP SSL):
Connects to server-54-192-48-60.jfk5.r.cloudfront.net  (54.192.48.60:443)

TCP (HTTP):
Connects to server-54-192-138-231.lax1.r.cloudfront.net  (54.192.138.231:80)

TCP (HTTP SSL):
Connects to r2.ycpi.vip.ir2.yahoo.net  (217.12.13.41:443)

TCP (HTTP):
Connects to par08s10-in-f19.1e100.net  (74.125.230.243:80)

TCP (HTTP SSL):
Connects to edge-star-shv-03-lhr3.facebook.com  (31.13.90.33:443)

TCP (HTTP SSL):
Connects to edge-star-shv-02-lhr3.facebook.com  (31.13.90.17:443)

TCP (HTTP):
Connects to ec2-54-77-222-74.eu-west-1.compute.amazonaws.com  (54.77.222.74:80)

TCP (HTTP SSL):
Connects to ec2-54-244-23-154.us-west-2.compute.amazonaws.com  (54.244.23.154:443)

TCP (HTTP):
Connects to ec2-54-243-247-40.compute-1.amazonaws.com  (54.243.247.40:80)

TCP (HTTP):
Connects to ec2-54-221-193-35.compute-1.amazonaws.com  (54.221.193.35:80)

TCP (HTTP):
Connects to ec2-54-194-28-61.eu-west-1.compute.amazonaws.com  (54.194.28.61:80)

TCP (HTTP):
Connects to ec2-50-16-190-190.compute-1.amazonaws.com  (50.16.190.190:80)

TCP (HTTP):
Connects to ec2-107-21-119-179.compute-1.amazonaws.com  (107.21.119.179:80)

TCP (HTTP SSL):
Connects to cloud.gti.mcafee.com  (8.21.161.6:443)

TCP (HTTP SSL):
Connects to bay404-m.hotmail.com  (207.46.11.151:443)

Remove client.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.