INCMAIL.EXE

IncrediMail

Perion Network Ltd.

The executable INCMAIL.EXE, “IncrediMail Application” by Perion Network has been known to be a potentially unwanted program that has been detected by 1 anti-malware scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘IncrediMail’. While running, it connects to the Internet address edge-star-shv-02-dft4.facebook.com on port 80 using the HTTP protocol.
Publisher:
IncrediMail, Ltd.  (signed by Perion Network Ltd.)

Product:
IncrediMail

Description:
IncrediMail Application

Version:
6, 3, 9, 5274

MD5:
fc3782f90c014c2d3c920a727d323776

SHA-1:
26283b6ccf5815e4b8598f57e83881826622aee3

SHA-256:
841ddde56552705e14aebc1aece2ea47bfb0ffdfc92c78933e089a04d44fff75

Scanner detections:
1 / 68

Status:
Clean  (1 probable false positive detection)

Explanation:
This is most likely a false positive detection; the file is probably clean.

Analysis date:
11/8/2024 12:44:10 PM UTC

Scan engine:
Boost by Reason

Detection:
Adware.Startup.Perion.H

Engine version:
2013.7.26.22

File size:
358.4 KB (367,016 bytes)

Product version:
6, 3, 9, 5274

Copyright:
Copyright © 2002 IncrediMail, Ltd.

Original file name:
INCMAIL.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\incredimail\bin\incmail.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/24/2012 2:00:00 AM

Valid to:
4/24/2015 1:59:59 AM

Subject:
CN=Perion Network Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Perion Network Ltd., L=Tel Aviv, S=Tel Aviv, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
45F87694FE8D1984719796AEC8031DF4

File PE Metadata
Compilation timestamp:
7/21/2013 9:58:15 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:Ui9jwYhLIvZRg5vr6KBD1oTbjZtOhTeTfjT/Lvo:jphsZR2DPqrZ9TfjT/Lvo

Entry address:
0x209D8

Entry point:
E8, DB, 07, 00, 00, E9, DA, FC, FF, FF, FF, 25, 04, 79, 42, 00, FF, 25, 08, 79, 42, 00, FF, 25, 0C, 79, 42, 00, FF, 25, 10, 79, 42, 00, FF, 25, 14, 79, 42, 00, FF, 25, 18, 79, 42, 00, FF, 74, 24, 10, FF, 74, 24, 10, FF, 74, 24, 10, FF, 74, 24, 10, 68, 30, 0A, 42, 00, 68, F4, 28, 44, 00, E8, 27, 08, 00, 00, 83, C4, 18, C3, CC, FF, 25, 1C, 79, 42, 00, 3B, 0D, F4, 28, 44, 00, 75, 02, F3, C3, E9, 13, 08, 00, 00, 8B, C1, C7, 00, E4, DE, 42, 00, C2, 04, 00, 53, 8A, 5C, 24, 08, F6, C3, 02, 56, 8B, F1, 74, 24, 57...

Code size:
152 KB (155,648 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
IncrediMail

Command:
C:\Program Files\incredimail\bin\incmail.exe \c


The executing file has been seen to make the following network communications in live environments.

