IncrediMail_Install.exe

IncrediMail Installer

Perion Network Ltd.

The application IncrediMail_Install.exe by Perion Network has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup and installation application and has been known to bundle potentially unwanted software. While running, it connects to the Internet address ude.databssint.com on port 80 using the HTTP protocol.
Publisher:
Perion Network Ltd.  (signed and verified)

Product:
IncrediMail Installer

Version:
8, 0, 0, 1354

MD5:
2e49811bb2bd98ff3aceea555274f705

SHA-1:
ea6bbe7a74415736542280e42bc1ad2e7e7dcf61

SHA-256:
6faf58dfef2122a8351a9fb61f3ee5c7426b6b42ae4018878e8e648b0213e791

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/23/2024 11:26:39 PM UTC  (a few moments ago)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Perion (M)
17.3.16.12

File size:
477.8 KB (489,288 bytes)

Product version:
8, 0, 0, 1354

Copyright:
Copyright (C) 2010

Original file name:
IncrediMail_Install.exe

File type:
Executable application (Win32 EXE)

Language:
Hebraico (Israel)

Common path:
C:\users\{user}\downloads\incredimail_install.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/24/2012 1:00:00 AM

Valid to:
4/24/2015 12:59:59 AM

Subject:
CN=Perion Network Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Perion Network Ltd., L=Tel Aviv, S=Tel Aviv, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
45F87694FE8D1984719796AEC8031DF4

File PE Metadata
Compilation timestamp:
7/23/2012 4:34:42 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

Entry address:
0x78C5

Entry point:
6A, 0C, 68, 90, 8D, 40, 00, E8, 53, 14, 00, 00, 83, 65, E4, 00, 83, 65, FC, 00, E8, 65, FC, FF, FF, 89, 45, E4, EB, 07, 33, C0, 40, C3, 8B, 65, E8, 83, 4D, FC, FF, FF, 75, E4, FF, 15, 50, 10, 40, 00, CC, 55, 8B, EC, 8B, 45, 10, 56, FF, 75, 0C, 8B, F1, FF, 75, 08, 83, 26, 00, 50, 89, 46, 04, FF, 15, 54, 10, 40, 00, 89, 06, 8B, C6, 5E, 5D, C2, 0C, 00, FF, 31, FF, 71, 04, FF, 15, 58, 10, 40, 00, C3, 55, 8B, EC, 51, 51, 53, 56, 8B, F1, FF, 36, FF, 76, 04, FF, 15, 68, 10, 40, 00, 33, DB, 3B, C3, 75, 0A, FF, 15...
 
[+]

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
33.5 KB (34,304 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ude.databssint.com  (107.22.223.150:80)

TCP (HTTP):
Connects to storage.stgbssint.com  (172.229.236.170:80)

Remove IncrediMail_Install.exe - Powered by Reason Core Security