INCMAIL.EXE

IncrediMail

Perion Network Ltd.

The executable INCMAIL.EXE, “IncrediMail Application” by Perion Network Ltd., has been flagged as a potentially unwanted program by 1 of the 68 anti-malware scanners consulted. It is set to start automatically when a user logs into Windows, via the current-user Run registry key, under the display name ‘IncrediMail’. While running, it has been observed connecting to the Internet address e2.ycpi.vip.bra.yahoo.com on port 80 over HTTP; the full list of observed connections is given below.
Publisher:
IncrediMail, Ltd.  (signed by Perion Network Ltd.)

Product:
IncrediMail

Description:
IncrediMail Application

Version:
6, 3, 9, 5260

MD5:
d645b082e49f8655f14c61db4eebba1d

SHA-1:
47915c6c5fee968a89d6876facf0ee1164ec7a78

SHA-256:
67a32ba3771b332ed41112b291c53772be80e6d1bae5c2d7b04d11cccd5ff276

Scanner detections:
1 / 68

Status:
Clean  (1 probable false positive detection)

Explanation:
This is most likely a false positive detection; the file is probably clean. The single hit is a generic adware/startup signature that keys on the publisher and the autorun entry rather than on malicious code, and no other engine concurs.

Analysis date:
12/25/2024 1:28:25 PM UTC

Scan engine:
Boost by Reason

Detection:
Adware.Startup.Perion.H

Engine version:
2013.7.26.22

File size:
358.4 KB (367,016 bytes)

Product version:
6, 3, 9, 5260

Copyright:
Copyright © 2002 IncrediMail, Ltd.

Original file name:
INCMAIL.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\incredimail\bin\incmail.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/23/2012 5:00:00 PM

Valid to:
4/23/2015 4:59:59 PM

Subject:
CN=Perion Network Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Perion Network Ltd., L=Tel Aviv, S=Tel Aviv, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
45F87694FE8D1984719796AEC8031DF4

File PE Metadata
Compilation timestamp:
1/23/2013 5:24:02 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:Xi9jwYhLIvZRgRvr6KBDToTfjZtOhTeifjr/Lvn:AphsZRiDPMnZ9ifjr/Lvn

Entry address:
0x209D8

Entry point:
E8, DB, 07, 00, 00, E9, DA, FC, FF, FF, FF, 25, 04, 79, 42, 00, FF, 25, 08, 79, 42, 00, FF, 25, 0C, 79, 42, 00, FF, 25, 10, 79, 42, 00, FF, 25, 14, 79, 42, 00, FF, 25, 18, 79, 42, 00, FF, 74, 24, 10, FF, 74, 24, 10, FF, 74, 24, 10, FF, 74, 24, 10, 68, 30, 0A, 42, 00, 68, F4, 28, 44, 00, E8, 27, 08, 00, 00, 83, C4, 18, C3, CC, FF, 25, 1C, 79, 42, 00, 3B, 0D, F4, 28, 44, 00, 75, 02, F3, C3, E9, 13, 08, 00, 00, 8B, C1, C7, 00, E4, DE, 42, 00, C2, 04, 00, 53, 8A, 5C, 24, 08, F6, C3, 02, 56, 8B, F1, 74, 24, 57...

Code size:
152 KB (155,648 bytes)
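The entry point bytes above can be turned into concrete branch targets with a few lines of arithmetic. The following is an added example, not code from the Reason Core page or from IncrediMail. It assumes the listed entry address (0x209D8) is an RVA and that the image base is 0x400000, the default for 32-bit MSVC builds and consistent with the 0x0042xxxx absolute operands in the FF 25 thunks that follow the two branches; both are assumptions, not values the page states.

```powershell
# Added example, not from the page or the product: decode the leading bytes of
# the entry point listed above into call/jmp targets. Assumptions: the page's
# entry address (0x209D8) is an RVA, and the image base is 0x400000 (default
# for 32-bit MSVC builds, consistent with the 0x0042xxxx operands below).
$imageBase = 0x400000
$entryRva  = 0x209D8
# First 22 bytes of the entry point as printed on this page.
$stub = [byte[]](0xE8,0xDB,0x07,0x00,0x00, 0xE9,0xDA,0xFC,0xFF,0xFF,
                 0xFF,0x25,0x04,0x79,0x42,0x00, 0xFF,0x25,0x08,0x79,0x42,0x00)

function ConvertTo-EntryListing {
    # Handles only the three encodings present in the stub: E8 rel32 (call),
    # E9 rel32 (jmp) and FF 25 disp32 (jmp through an absolute pointer, i.e.
    # an import thunk). rel32 is anchored at the address of the NEXT
    # instruction, so the target is (here + 5 + rel32).
    param([byte[]]$Code, [long]$Va)
    $lines = @()
    $i = 0
    while ($i -lt $Code.Length) {
        $here = $Va + $i
        $op   = $Code[$i]
        if ($op -eq 0xE8 -or $op -eq 0xE9) {
            $rel    = [BitConverter]::ToInt32($Code, $i + 1)   # signed, little-endian
            $target = $here + 5 + $rel
            $mn     = if ($op -eq 0xE8) { 'call' } else { 'jmp ' }
            $lines += ('{0:X8}  {1} 0x{2:X8}' -f $here, $mn, $target)
            $i += 5
        } elseif ($op -eq 0xFF -and ($i + 1) -lt $Code.Length -and $Code[$i + 1] -eq 0x25) {
            $ptr = [BitConverter]::ToUInt32($Code, $i + 2)
            $lines += ('{0:X8}  jmp  dword ptr [0x{1:X8}]' -f $here, $ptr)
            $i += 6
        } else {
            # Anything else is outside the three encodings handled here; stop
            # rather than emit a wrong decode.
            $lines += ('{0:X8}  db 0x{1:X2}   ; not decoded' -f $here, $op)
            break
        }
    }
    return $lines
}

ConvertTo-EntryListing -Code $stub -Va ($imageBase + $entryRva)
```

With the bytes from this page the listing resolves to a call to 0x004211B8 (0x4209DD + 0x7DB), a jump to 0x004206BC (0x4209E2 minus 0x326, since 0xFFFFFCDA is negative), and then thunks through 0x00427904 and 0x00427908. A short call followed immediately by a jmp, in a binary with linker version 8.0, is the shape of a compiler-generated MSVC CRT entry stub (cookie initialisation, then a jump into the CRT startup routine) rather than a packer stub, which supports the "probably clean" verdict above; the absolute targets only hold if the image base assumption is right, so confirm it against the PE optional header before relying on them.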

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
IncrediMail

Command:
C:\Program Files\incredimail\bin\incmail.exe \c
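A practitioner who finds this Run entry on a host will want to confirm that the file it launches is the build analysed here. The script below is an added example, not part of the Reason Core page or of IncrediMail: it resolves the ‘IncrediMail’ value in the current-user Run key, hashes the executable it points at, compares those hashes with the ones published above, and checks the Authenticode signature against the listed publisher. The command-line parsing assumes a quoted path or an unquoted path ending in .exe, optionally followed by arguments (the page shows a trailing "\c").

```powershell
# Added triage script; not part of the Reason Core page or of IncrediMail.
# Resolves the 'IncrediMail' entry in the current-user Run key, hashes the
# executable it launches, compares those hashes with the ones published above,
# and checks the Authenticode signature against the listed publisher.

$runKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'IncrediMail'                     # display name from this page
$expected = @{                               # hashes listed on this page
    SHA256 = '67a32ba3771b332ed41112b291c53772be80e6d1bae5c2d7b04d11cccd5ff276'
    SHA1   = '47915c6c5fee968a89d6876facf0ee1164ec7a78'
    MD5    = 'd645b082e49f8655f14c61db4eebba1d'
}
$expectedSigner = 'CN=Perion Network Ltd.'   # leading RDN of the Subject shown above

function Get-RunTarget {
    # Extracts the executable path from a Run-key command line. Assumes either
    # "quoted path ..." or an unquoted path ending in .exe followed by optional
    # arguments; an unquoted path with spaces (as on this page) is handled by
    # matching up to the first ".exe".
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"')           { return $Matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)(\s|$)')     { return $Matches[1] }
    return $null
}

$entry = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if (-not $entry) { Write-Output "No '$runName' value under $runKey"; return }
$cmd = $entry.$runName
$exe = Get-RunTarget $cmd
Write-Output "Run command : $cmd"
if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
    Write-Output "Target not found on disk: $exe"   # dangling autorun entry
    return
}

# Hash comparison. SHA-256 is the one that matters; MD5 and SHA-1 are checked
# only because the page lists them. Any mismatch means a different build from
# the one analysed, so the verdict above does not transfer to it.
$sameBuild = $true
foreach ($algo in 'SHA256', 'SHA1', 'MD5') {
    $actual = (Get-FileHash -LiteralPath $exe -Algorithm $algo).Hash.ToLowerInvariant()
    $match  = $actual -eq $expected[$algo]
    if (-not $match) { $sameBuild = $false }
    Write-Output ('{0,-7} {1}  {2}' -f $algo, $actual,
        $(if ($match) { 'matches page' } else { 'DIFFERS from page' }))
}

# Authenticode check. The signing certificate listed above expired in April
# 2015, so Status can only be Valid if the signature carries a trusted
# timestamp countersignature; otherwise expect a non-Valid status whose
# StatusMessage mentions the validity period, which on its own is not evidence
# of tampering.
$sig    = Get-AuthenticodeSignature -FilePath $exe
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
Write-Output "Signature   : $($sig.Status) ($($sig.StatusMessage))"
Write-Output "Signer      : $signer"

# Identical bytes carry the identical embedded signature, so when the hashes
# match only the verification status is left to report. When they differ, a
# Valid signature from the listed publisher points to another version of the
# same product; anything else needs its own analysis.
$verdict = if ($sameBuild -and $sig.Status -eq 'Valid') {
               'identical to the analysed file; signature verifies'
           } elseif ($sameBuild) {
               'identical to the analysed file; signature did not verify on this host (see StatusMessage)'
           } elseif ($sig.Status -eq 'Valid' -and $signer.StartsWith($expectedSigner)) {
               'different build, validly signed by the listed publisher; likely another version, re-scan it'
           } else {
               'different build, not validly signed by the listed publisher; treat as unknown and analyse'
           }
Write-Output "Verdict     : $verdict"
```

Run it in the context of the user whose Run key is being checked, since HKCU resolves per user; for every profile on a machine, load each NTUSER.DAT or enumerate HKU instead.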


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to edge-star-shv-01-cdg2.facebook.com  (179.60.192.3:443)

TCP (HTTP):
Connects to e2.ycpi.vip.bra.yahoo.com  (200.152.162.161:80)

TCP (HTTP):
Connects to e2.ycpi.vip.lob.yahoo.com  (87.248.114.12:80)

TCP (HTTP SSL):
Connects to edge-star-shv-01-frt3.facebook.com  (31.13.92.10:443)

TCP (HTTP):
Connects to e2.ycpi.vip.mib.yahoo.com  (68.180.134.8:80)

TCP (HTTP):
Connects to e2.ycpi.vip.fra.yahoo.com  (77.238.180.12:80)

TCP (HTTP SSL):
Connects to edge-star-shv-01-mia1.facebook.com  (31.13.73.1:443)

TCP (HTTP):
Connects to edge-star-shv-01-fra3.facebook.com  (31.13.93.3:80)

TCP (HTTP):
Connects to e1.ycpi.vip.amb.yahoo.com  (87.248.116.11:80)

TCP (HTTP):
Connects to a92-122-180-144.deploy.akamaitechnologies.com  (92.122.180.144:80)

TCP (HTTP):
Connects to edge-star-shv-02-mia1.facebook.com  (157.240.0.17:80)

TCP (HTTP):
Connects to e1.ycpi.vip.lob.yahoo.com  (87.248.114.11:80)

TCP (HTTP):
Connects to e1.ycpi.vip.deb.yahoo.com  (87.248.118.22:80)

TCP (HTTP):
Connects to e2.ycpi.vip.amb.yahoo.com  (87.248.116.12:80)

TCP (HTTP SSL):
Connects to www.allianz.de  (194.127.81.87:443)

TCP (HTTP):
Connects to microsites7.pearl.de  (92.51.187.230:80)

TCP (HTTP):
Connects to hawkemail.g.ebay.com  (66.135.220.34:80)

TCP (HTTP SSL):
Connects to edge-star-shv-01-lht6.facebook.com  (157.240.1.18:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-ams3.facebook.com  (31.13.91.2:443)

TCP (HTTP):
Connects to e2.ycpi.vip.deb.yahoo.com  (87.248.118.23:80)

Scan INCMAIL.EXE - Powered by Reason Core Security