client.exe

ClientWrapper

The executable client.exe has been detected as malware by 4 anti-virus scanners. This executable runs as a local area network (LAN) Internet proxy server listening on port 54642 and has the ability to intercept and modify all inbound and outbound Internet traffic on the local host.
Product:
ClientWrapper

Version:
1.0.5683.20527

MD5:
fe8ad0c7c420989f6c41bac48bc03bf8

SHA-1:
fa38ebf45a0e636c21ae603328b678c211d80895

SHA-256:
aecefab83300642f135d850f420da2b99feed8b67b9968eaa70749173417211a

Scanner detections:
4 / 68

Status:
Malware

Analysis date:
11/20/2018 11:24:09 PM UTC

Scan engine        Detection                 Engine version
avast!             Win32:Malware-gen         150717-0
McAfee             GeniusBox!FE8AD0C7C420    5600.6694
VIPRE Antivirus    Threat.5219553            41608

File size:
75 KB (76,800 bytes)

Product version:
1.0.5683.20527

Copyright:
Copyright © 2015

Original file name:
ClientWrapper.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\user extensions\client.exe

File PE Metadata
Compilation timestamp:
7/24/2015 6:24:57 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
1536:0gKmmMRfEwO9gLY4OfK6emUrzIPZYWhYY0R:0gKmmMT44oK6xK4GWhk

Entry address:
0x14146

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
5.9583

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
72.5 KB (74,240 bytes)

Local Proxy Server
Proxy for:
Internet Settings

Local host address:
http://127.0.0.1:54642/

Local host port:
54642

Default credentials:
No

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ec2-34-192-150-200.compute-1.amazonaws.com (34.192.150.200:443)

TCP (HTTP):
Connects to yx-in-f95.1e100.net (64.233.177.95:80)

TCP (HTTP):
Connects to yx-in-f128.1e100.net (64.233.177.128:80)

TCP (HTTP):
Connects to yv-in-f95.1e100.net (74.125.21.95:80)

TCP (HTTP):
Connects to yv-in-f128.1e100.net (74.125.21.128:80)

TCP (HTTP):
Connects to yk-in-f95.1e100.net (74.125.196.95:80)

TCP (HTTP):
Connects to www.whitepages.com (64.124.61.10:80)

TCP (HTTP):
Connects to www.trustlogo.com (199.66.205.226:80)

TCP (HTTP):
Connects to www.elabs10.com (74.116.232.10:80)

TCP (HTTP):
Connects to w05.ttms.eu (46.105.156.77:80)

TCP (HTTP):
Connects to vip1.g5.cachefly.net (205.234.175.175:80)

TCP (HTTP):
Connects to vip026.ssl.hwcdn.net (205.185.208.26:80)

TCP (HTTP):
Connects to va.v.liveperson.net (208.89.12.87:80)

TCP (HTTP):
Connects to streamerapi1.finance.vip.bf1.yahoo.com (69.147.76.93:80)

TCP (HTTP):
Connects to spdc.pbp.vip.bf1.yahoo.com (98.139.225.35:80)

TCP (HTTP):
Connects to sh4.sidushost.com (66.101.196.216:80)

TCP (HTTP):
Connects to server-54-230-55-223.jfk6.r.cloudfront.net (54.230.55.223:80)

TCP (HTTP):
Connects to server-54-230-55-171.jfk6.r.cloudfront.net (54.230.55.171:80)

TCP (HTTP):
Connects to server-54-230-52-171.jfk6.r.cloudfront.net (54.230.52.171:80)

TCP (HTTP):
Connects to server-54-230-51-146.jfk5.r.cloudfront.net (54.230.51.146:80)

Remove client.exe - Powered by Reason Core Security