incredimailsetup2.5.exe

Perion Network Ltd.

The application incredimailsetup2.5.exe by Perion Network has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. This is a setup program which is used to install the application. It is also typically executed from the user's temporary directory. The file has been seen being downloaded from filehippo.com and multiple other hosts. While running, it connects to the Internet address ude.databssint.com on port 80 using the HTTP protocol.
Publisher:
Perion Network Ltd.  (signed and verified)

MD5:
995f81dc0c63548d1912acf25a4eff7b

SHA-1:
d65a790c65b2060ea2d4cfe0af8aa22e91904cf9

SHA-256:
5c13be9fccdf47e902ec80791b0f68c8b5d8ce686dafb7c6019402f53fb070b6

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/26/2024 1:04:49 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Installer.Perion.S
14.2.24.15

File size:
12.5 MB (13,078,440 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\autoplay\docs\incredimailsetup2.5.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/24/2012 2:00:00 AM

Valid to:
4/24/2015 1:59:59 AM

Subject:
CN=Perion Network Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Perion Network Ltd., L=Tel Aviv, S=Tel Aviv, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
45F87694FE8D1984719796AEC8031DF4

File PE Metadata
Compilation timestamp:
8/28/2013 3:30:06 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
196608:ksDM6fYf5DUtWV3QsnhJCkTPnwhqhdxDZIqfwFas5J6qZMHS:3DM6MUtW9QshJnphdF+qIFHDMS

Entry address:
0x78F9

Entry point:
6A, 0C, 68, 60, 8B, 40, 00, E8, EF, 11, 00, 00, 83, 65, E4, 00, 83, 65, FC, 00, E8, 71, FC, FF, FF, 89, 45, E4, EB, 07, 33, C0, 40, C3, 8B, 65, E8, 83, 4D, FC, FF, FF, 75, E4, FF, 15, 50, 10, 40, 00, CC, 55, 8B, EC, 8B, 45, 10, 56, FF, 75, 0C, 8B, F1, FF, 75, 08, 83, 26, 00, 50, 89, 46, 04, FF, 15, 54, 10, 40, 00, 89, 06, 8B, C6, 5E, 5D, C2, 0C, 00, FF, 31, FF, 71, 04, FF, 15, 58, 10, 40, 00, C3, 55, 8B, EC, 51, 51, 53, 56, 8B, F1, FF, 36, FF, 76, 04, FF, 15, 68, 10, 40, 00, 33, DB, 3B, C3, 75, 0A, FF, 15...
 
[+]

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
33 KB (33,792 bytes)

The file incredimailsetup2.5.exe has been seen being distributed by the following 36 URLs.

http://filehippo.com/download/file/.../

http://filehippo.com/download/file/.../

http://dl2.filehippo.com/.../IncrediMailSetup.exe

http://filehippo.com/download/file/.../

http://dw.html.it/index.php?softname=IncrediMailSetup.exe&code=1480970619&q=ODI2NjN8aW5jcmVkaW1haWwtMi01

http://down.filepuma.com/files/e-mail/.../IncrediMail_v2.5.exe

http://filehippo.com/download/file/.../

http://filehippo.com/download/file/.../

http://filehippo.com/download/file/.../

http://filehippo.com/es/download/file/.../

http://filehippo.com/es/download/file/.../

http://filehippo.com/download/file/.../

http://dl1.filehippo.com/.../IncrediMailSetup.exe

http://filehippo.com/it/download/file/.../

Latest 30 of 36 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to ude.databssint.com  (107.22.223.150:80)

TCP (HTTP):
Connects to storage.stgbssint.com  (172.229.236.170:80)

Remove incredimailsetup2.5.exe - Powered by Reason Core Security