incredimail_install.exe

IncrediMail Installer

IncrediMail Ltd.

The executable incredimail_install.exe has been detected as malware by 13 of 68 anti-virus scanners. It is a self-extracting archive and installer that has been known to bundle potentially unwanted software. It is set to run automatically whenever any user logs into Windows through the machine-wide Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'ImInstaller_IncrediMail'. The command it launches points into a single user's %TEMP% folder (see Startup File below), so the entry becomes a dangling reference for other accounts and once that temp folder is cleaned. Note that most of the detections are generic or heuristic names (Trojan.Generic, Artemis!, Suspicious_Gen2), and two vendors classify the file as unsafe or unwanted rather than malicious (Comodo's ApplicUnsaf, Avira's SPR prefix), which is consistent with a downloader/installer for bundled software rather than a trojan in its own right.
Publisher:
IncrediMail Ltd.  (signed and verified)

Product:
IncrediMail Installer

Version:
4, 0, 0, 1

MD5:
466866846a20c61aa99aef3ba1f80414

SHA-1:
16ed4dcda317e803577a702f74635688d8014ab4

SHA-256:
9639afe2547806b1d9c9ba132a1c5b5514430055972a0a4769e7b3fe76c4a3bf

Scanner detections:
13 / 68

Status:
Malware

Analysis date:
11/5/2024 12:47:28 PM UTC

Scan engine             Detection                                  Engine version
Lavasoft Ad-Aware       Trojan.Generic.1976438                     228
Avira AntiVirus         SPR/Dldr.ImLoader.G.2                      7.11.118.170
Baidu Antivirus         Trojan.Win32.Downloader                    4.0.3.16620
Bitdefender             Trojan.Generic.1976438                     1.0.20.860
Comodo Security         ApplicUnsaf.Win32.Downloader.ImLoader.~R   17411
Emsisoft Anti-Malware   Trojan.Generic.1976438                     8.16.06.20.02
F-Secure                Trojan.Generic.1976438                     11.2016-20-06_2
G Data                  Trojan.Generic.1976438                     16.6.22
IKARUS anti.virus       Trojan.SuspectCRC                          t3scan.2.2.29
McAfee                  Artemis!466866846A20                       5600.6362
MicroWorld eScan        Trojan.Generic.1976438                     17.0.0.516
Norman                  Suspicious_Gen2.ORKSI                      11.20160620
Panda Antivirus         Trj/CI.A                                   16.06.20.02

File size:
393.1 KB (402,552 bytes)

Product version:
4, 0, 0, 1

Copyright:
Copyright © 2003 IncrediMail, Ltd.

Original file name:
imloader.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
6/15/2004 2:00:00 AM

Valid to:
7/20/2005 1:59:59 AM

Subject:
CN=IncrediMail Ltd., OU=R&D, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=IncrediMail Ltd., L=Tel-Aviv, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2001 CA, OU=Terms of use at https://www.verisign.com/rpa (c)01, OU=VeriSign Trust Network, O="VeriSign, Inc."

Serial number:
36B8745B1A0C35CA624EBDF38650DD2F

File PE Metadata
Compilation timestamp:
4/25/2005 2:40:24 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
6144:N+liK7oK21HVJdhySlVSiJdonJdH2j+zp/5s1tbYQU8zHz:N+05hrhoH2jyxs7ETYHz

Entry address:
0x2BB45

Entry point:
55, 8B, EC, 6A, FF, 68, 48, 64, 43, 00, 68, A0, BC, 42, 00, 64, A1, 00, 00, 00, 00, 50, 64, 89, 25, 00, 00, 00, 00, 83, EC, 58, 53, 56, 57, 89, 65, E8, FF, 15, 14, 52, 43, 00, 33, D2, 8A, D4, 89, 15, 70, FD, 43, 00, 8B, C8, 81, E1, FF, 00, 00, 00, 89, 0D, 6C, FD, 43, 00, C1, E1, 08, 03, CA, 89, 0D, 68, FD, 43, 00, C1, E8, 10, A3, 64, FD, 43, 00, 6A, 01, E8, A7, 02, 00, 00, 59, 85, C0, 75, 08, 6A, 1C, E8, C3, 00, 00, 00, 59, E8, 91, 15, 00, 00, 85, C0, 75, 08, 6A, 10, E8, B2, 00, 00, 00, 59, 33, F6, 89, 75...

Developed / compiled with:
Microsoft Visual C++ v6.0

Code size:
208 KB (212,992 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
ImInstaller_IncrediMail

Command:
C:\users\{user}\appdata\local\temp\{random}.tmp\incredimail\incredimail_install.exe -startup -product incredimail
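
The two checks a responder needs for the Startup File and Digital Signature sections above, as an added PowerShell example (this is not code from the page or from Reason Core Security): confirm whether the 'ImInstaller_IncrediMail' Run value is present, verify that the file it points to is the sample documented here by SHA-256, inspect the Authenticode signature (signer, validity window, presence of a timestamp countersignature, since the page's signing certificate expired in 2005), and optionally remove the Run value. The registry key, value name and SHA-256 are copied from this page; the function names, the regex that extracts the executable path from the command line, and the choice to remove only the registry value (leaving the file in %TEMP% for collection) are assumptions of this example.

```powershell
# Added example, not part of the original page. Run from an elevated
# PowerShell prompt. Indicator values are copied from the page; the
# function names and remediation policy below are assumptions.

$RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$EntryName   = 'ImInstaller_IncrediMail'
$KnownSha256 = '9639afe2547806b1d9c9ba132a1c5b5514430055972a0a4769e7b3fe76c4a3bf'

function Get-RunCommandPath {
    # Pull the executable path out of a Run-key command line such as
    # "C:\...\incredimail_install.exe -startup -product incredimail".
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)')  { return $Matches[1] }
    return $null
}

function Test-IncrediMailAutorun {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.PSObject.Properties[$EntryName]) {
        Write-Output "No '$EntryName' value under $RunKey."
        return
    }
    $command = $props.$EntryName
    Write-Output "Run entry : $EntryName = $command"

    $exe = Get-RunCommandPath -Command $command
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        # 1. Hash check against the sample documented above.
        $hash  = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
        $match = ($hash -eq $KnownSha256)
        Write-Output ("SHA-256   : {0} ({1})" -f $hash,
            $(if ($match) { 'matches the documented sample' } else { 'different build' }))

        # 2. Signature check. A 'Valid' status alone says little about age:
        #    record the signer, its validity window and whether a timestamp
        #    countersignature is present.
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        Write-Output "Signature : $($sig.Status)"
        if ($sig.SignerCertificate) {
            Write-Output "  Subject     : $($sig.SignerCertificate.Subject)"
            Write-Output "  Valid       : $($sig.SignerCertificate.NotBefore) -> $($sig.SignerCertificate.NotAfter)"
            Write-Output "  Timestamped : $([bool]$sig.TimeStamperCertificate)"
        }
    } else {
        # Dangling entry: the {random}.tmp folder was cleaned, or this is not
        # the account whose %TEMP% the command line points into.
        Write-Output "Target    : '$exe' not found (dangling Run entry)"
    }

    # 3. Remediation. Without -WhatIf this deletes the Run value only; the
    #    file under %TEMP% is left in place so it can be collected first.
    if ($PSCmdlet.ShouldProcess("$RunKey\$EntryName", 'Remove Run value')) {
        Remove-ItemProperty -Path $RunKey -Name $EntryName
        Write-Output "Removed   : $EntryName"
    }
}

Test-IncrediMailAutorun -WhatIf   # preview; drop -WhatIf to remove the value
```

Because the Run value is under HKLM, the autorun fires for every account on the machine, but the command line resolves inside one user's profile, so the dangling-entry branch is the expected outcome on every other account and after temp cleanup; treat a dangling entry as an artefact worth recording before deleting it.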


Remove incredimail_install.exe - Powered by Reason Core Security