Client.exe

Inertware

This adware bundler is distributed through Adknowledge's advertising supported software managers. The application Client.exe by Inertware has been detected as adware by 2 anti-malware scanners. The program is a setup application that uses the Adknowledge Fusion installer. Additionally, the file is typically installed by a number of programs including Rockettab by Rich River Media, LLC and “RocketTab” by Adknowledge, both potentially unwanted software. While running, it connects to the Internet address get-du1.adobe.com on port 443.
Publisher:
Inertware (signed and verified)

Version:
1.0.5361.16138

MD5:
a244d628e61b320d3e2ac0086ea3bc19

SHA-1:
fd5b122c0b574f1b2fb0119e48632d019eefe335

SHA-256:
3ff457ec1aefe9547ce672f952cf2bb0b64344971d6bd2524d15213829d84d08

Scanner detections:
2 / 68

Status:
Adware

Explanation:
This installer bundles various adware programs that may include toolbars and web browser advertising injectors/extensions.

Description:
This is also known as bundleware or downloadware: a downloader designed simply to deliver ad-supported offers during the setup routine of otherwise legitimate software.

Analysis date:
11/22/2017 11:57:18 AM UTC

Scan engine          Detection                       Engine version
ESET NOD32           MSIL/Adware.iBryte (variant)    8.10372
Reason Heuristics    Adware.RocketTab.Adknowledge    15.2.10.11

File size:
1.4 MB (1,420,512 bytes)

Product version:
1.0.5361.16138

Original file name:
Client.exe

File type:
Executable application (Win32 EXE)

Bundler/Installer:
Adknowledge Fusion

Language:
Language Neutral

Common path:
C:\Program Files\rockettab\client.exe

Digital Signature
Signed by:

Authority:
COMODO CA Limited

Valid from:
7/13/2014 8:00:00 PM

Valid to:
7/14/2015 7:59:59 PM

Subject:
CN=Inertware, O=Inertware, STREET=4600 Madison Ave FL 10, L=Kansas City, S=Missouri, PostalCode=64112, C=US

Issuer:
CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

Serial number:
00B17D2DC81A4AB47B03A1531303433731

File PE Metadata
Compilation timestamp:
9/5/2014 5:58:15 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
24576:fLjpt6nCBcp2y5rNsq6SSIiTAqW6dJEgf5+XK0Ih7uV3n3xXQWjieocUg:hQjc296SSRANL2p0g7udNQ4IM

Entry address:
0x15136A

Entry point:
FF, 25, 00, 20, 40, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
7.1022

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
1.3 MB (1,373,184 bytes)

The file Client.exe has been discovered within the following programs.

“RocketTab” by Adknowledge
RocketTab is a web browser extension that injects display advertising in the user's browser. Ads are displayed in the form of banners and contextual text-links and are both injected in white space areas of the HTML page or over existing ads of the underlying web site.
85% remove it
Rockettab by Rich River Media, LLC
RocketTab is an adware program that injects advertising into the user's web browser by creating a local proxy server and routing all Internet traffic through that proxy. By re-routing traffic, the service is able to insert various ads into the HTML of the displayed web page.
rockettab.com
88% remove it
RocketTab by Adknowledge, Inc.
RocketTab is an advertising-supported browser extension, also known as adware, designed to deliver ads to the user's Internet browser as banners, contextual text-links and transitional ads. The injected ads are not affiliated with the underlying website on which they appear.
www.adknowledge.com
87% remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-208-30-101.compute-1.amazonaws.com  (54.208.30.101:80)

TCP (HTTP):
Connects to map2.hwcdn.net  (205.185.216.10:80)

TCP (HTTP SSL):
Connects to get-du1.adobe.com  (193.104.215.66:443)

TCP (HTTP):
Connects to ec2-54-243-234-140.compute-1.amazonaws.com  (54.243.234.140:80)

TCP (HTTP):
Connects to ec2-35-166-79-8.us-west-2.compute.amazonaws.com  (35.166.79.8:80)

TCP (HTTP SSL):
Connects to ec2-34-192-150-200.compute-1.amazonaws.com  (34.192.150.200:443)

TCP (HTTP):
Connects to cf-199-27-134-48.cloudflare.com  (199.27.134.48:8080)

TCP (HTTP):
Connects to a92-123-194-156.deploy.akamaitechnologies.com  (92.123.194.156:80)

TCP (HTTP):
Connects to 174.127.102.227.static.midphase.com  (174.127.102.227:80)

TCP (HTTP):
Connects to wordpress.com  (76.74.255.117:80)

TCP (HTTP):
Connects to video.sj2.vcmedia.com  (64.156.167.69:80)

TCP (HTTP):
Connects to snt-re4-10c.sjc.dropbox.com  (108.160.163.115:80)

TCP (HTTP):
Connects to snt-re3-10b.sjc.dropbox.com  (108.160.162.114:80)

TCP (HTTP):
Connects to sjd-rd12-5b.sjc.dropbox.com  (108.160.167.166:80)

TCP (HTTP):
Connects to server-54-230-87-192.lax3.r.cloudfront.net  (54.230.87.192:80)

TCP (HTTP):
Connects to server-54-230-7-195.dfw3.r.cloudfront.net  (54.230.7.195:80)

TCP (HTTP):
Connects to server-54-230-6-97.dfw3.r.cloudfront.net  (54.230.6.97:80)

TCP (HTTP):
Connects to server-54-230-5-161.dfw3.r.cloudfront.net  (54.230.5.161:80)

TCP (HTTP):
Connects to server-54-230-45-63.fra6.r.cloudfront.net  (54.230.45.63:80)

TCP (HTTP):
Connects to server-54-230-225-2.gig50.r.cloudfront.net  (54.230.225.2:80)
