orbt.ext

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The file orbt.ext by ClientConnect has been detected as adware by 6 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer.
Publisher:
Client Connect LTD  (signed by ClientConnect LTD)

Description:
Detector

Version:
1.5.6.4

MD5:
fc6173d5047a28f5338346d666d8dfde

SHA-1:
0d47f5bfbec1477b9f7d91483ca6fa7683786b0c

SHA-256:
580caf875785a6c3df682887014663c9e605ac891104d2d5b06b3da36d7e3015

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Bundles the Conduit Toolbar and/or Conduit Search Protect.

Analysis date:
8/13/2020 1:14:41 AM UTC

Scan engine | Detection | Engine version
AVG | Generic | 2016.0.3167
Baidu Antivirus | PUA.Win32.ClientConnect | 4.0.3.15317
Dr.Web | Adware.Conduit.164 | 9.0.1.076
Reason Heuristics | PUP.Installer.Conduit | 15.3.17.19
Trend Micro House Call | Suspici.8D175B40 | 7.2.76
VIPRE Antivirus | Trojan.Win32.Generic | 38494

File size:
582.9 KB (596,904 bytes)

Copyright:
(c) 2014 ClientConnect Ltd.

Installer:
NSIS (Nullsoft Scriptable Install System)

Language:
Language Neutral

Common path:
C:\Program Files\orbtr\orbt.ext

Digital Signature
Authority:
Symantec Corporation

Valid from:
7/29/2014 5:00:00 PM

Valid to:
7/30/2016 4:59:59 PM

Subject:
CN=ClientConnect LTD, OU=orbiter, O=ClientConnect LTD, L=Nezz Ziona, S=Israel, C=JP

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
6E08571F7C2C630E2F418F38E3B31674

File PE Metadata
Compilation timestamp:
7/6/2011 7:31:20 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
12288:yzZLEfRZl9cjtIlGxYBxZDjyTHj6u9icpDsr9PeNXUnsWorlRcibuAwcaDA:yzZL6MtIwsxpAV9bOns7lyUaU

Entry address:
0x3415

Entry point:
81, EC, D4, 02, 00, 00, 53, 55, 56, 57, 6A, 20, 33, ED, 5E, 89, 6C, 24, 18, C7, 44, 24, 10, 70, 85, 40, 00, 89, 6C, 24, 14, FF, 15, 30, 80, 40, 00, 68, 01, 80, 00, 00, FF, 15, B4, 80, 40, 00, 55, FF, 15, B0, 82, 40, 00, 6A, 08, A3, 98, B3, 47, 00, E8, 67, 27, 00, 00, 55, 68, B4, 02, 00, 00, A3, B0, B2, 47, 00, 8D, 44, 24, 38, 50, 55, 68, 6C, 85, 40, 00, FF, 15, 80, 81, 40, 00, 68, 54, 85, 40, 00, 68, A0, 32, 47, 00, E8, 35, 26, 00, 00, FF, 15, B0, 80, 40, 00, 50, BF, A0, C0, 4C, 00, 57, E8, 23, 26, 00, 00...
 

Entropy:
7.9697

Packer / compiler:
Nullsoft install system v2.x

Code size:
26 KB (26,624 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ec2-54-225-182-66.compute-1.amazonaws.com  (54.225.182.66:80)

TCP (HTTP):
Connects to ec2-23-23-99-139.compute-1.amazonaws.com  (23.23.99.139:80)
