Magentic_Install.exe

Magentic Installer

IncrediMail Ltd.

The application Magentic_Install.exe by IncrediMail has been flagged as a potentially unwanted program by 2 of 68 anti-malware scanners. It is a setup and installation application that has been known to bundle potentially unwanted software. The file has been seen downloaded from www.magentic.com and several other hosts. While running, it connects over HTTP (TCP port 80) to media.iad.ask.com and to cen.incredimail.com. The two detections do not agree on the classification: Dr.Web names a downloader trojan family, while Reason Heuristics labels it a PUP installer. Taken together with the low detection ratio and the verified publisher signature, the evidence on this page supports a PUP/bundleware classification rather than a confirmed trojan infection.
Publisher:
IncrediMail Ltd. (signed and verified)

Product:
Magentic Installer

Version:
8, 0, 0, 1006

MD5:
585ff363dbabf45fe15be33e14740e47

SHA-1:
7d5b0b4c3ecaea54e61d18c782fdce70f77939db

SHA-256:
29aa45edc04a141c94352c6058e006891d9c2d68dd5f969b66683b11174f3512

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/28/2024 12:26:07 AM UTC

Scanner detections (scan engine: detection name, engine version):
Dr.Web: Trojan.DownLoader8.28131 (engine version 9.0.1.0208)
Reason Heuristics: PUP.inCrediBar.Installer (engine version 16.2.13.18)

File size:
441.8 KB (452,432 bytes)

Product version:
8, 0, 0, 1006

Copyright:
Copyright (C) 2010

Original file name:
Magentic_Install.exe

File type:
Executable application (Win32 EXE)

Language:
Hebrew (Israel)

Common path:
C:\users\{user}\downloads\magentic_install.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
8/16/2009 5:00:00 PM

Valid to:
9/5/2012 4:59:59 PM (the signing certificate had expired long before the 11/28/2024 analysis date; an Authenticode signature continues to verify after certificate expiry only if the file carries a trusted timestamp countersignature, which this report does not show)

Subject:
CN=IncrediMail Ltd., OU=R&D, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=IncrediMail Ltd., L=Tel-Aviv, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2DA9DB2D3D256C114685CBB35C1B551D

File PE Metadata
Compilation timestamp:
3/16/2011 4:24:34 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:rQis/5Q9HWEBhfZiEqrOybSfPLgh7rsW0L0n4kmcCVifGCibhEdxY1:BQU24HwOysszY04pcCaPOhWY1

Entry address:
0x78C5

Entry point:
6A, 0C, 68, 90, 8D, 40, 00, E8, 53, 14, 00, 00, 83, 65, E4, 00, 83, 65, FC, 00, E8, 65, FC, FF, FF, 89, 45, E4, EB, 07, 33, C0, 40, C3, 8B, 65, E8, 83, 4D, FC, FF, FF, 75, E4, FF, 15, 50, 10, 40, 00, CC, 55, 8B, EC, 8B, 45, 10, 56, FF, 75, 0C, 8B, F1, FF, 75, 08, 83, 26, 00, 50, 89, 46, 04, FF, 15, 54, 10, 40, 00, 89, 06, 8B, C6, 5E, 5D, C2, 0C, 00, FF, 31, FF, 71, 04, FF, 15, 58, 10, 40, 00, C3, 55, 8B, EC, 51, 51, 53, 56, 8B, F1, FF, 36, FF, 76, 04, FF, 15, 68, 10, 40, 00, 33, DB, 3B, C3, 75, 0A, FF, 15...

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
33.5 KB (34,304 bytes)
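The hashes, entry address and entry-point bytes above are the indicators an analyst would check a suspect file against. The following is an added example, not code from the report or from IncrediMail: it hashes a file, walks the PE headers by hand to read AddressOfEntryPoint and the bytes at that RVA, and compares both with the values listed. The minimal PE image it builds for demonstration (build_sample_pe) is constructed and is not Magentic_Install.exe; only the hash values, the entry RVA 0x78C5 and the first twelve entry-point bytes are taken from the report.

```python
# Added example, not code from the report or from IncrediMail: compare a
# sample's hashes and its PE entry-point bytes against the indicators above.
import hashlib
import struct

# Indicators copied from the report above.
REPORT_HASHES = {
    "md5": "585ff363dbabf45fe15be33e14740e47",
    "sha1": "7d5b0b4c3ecaea54e61d18c782fdce70f77939db",
    "sha256": "29aa45edc04a141c94352c6058e006891d9c2d68dd5f969b66683b11174f3512",
}
REPORT_ENTRY_RVA = 0x78C5
# First 12 of the entry-point bytes listed above (push 0Ch; push 408D90h; call ...).
REPORT_ENTRY_BYTES = bytes.fromhex("6A0C68908D4000E853140000")


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the bytes, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_entry_point(data: bytes, n: int = 12) -> tuple:
    """Walk DOS header -> NT headers -> section table and return
    (AddressOfEntryPoint RVA, first n bytes at that RVA in the file).
    Raises ValueError on anything that is not a sane PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = opt + size_of_opt                        # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sections + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            off = rawptr + (entry_rva - vaddr)          # RVA -> file offset
            return entry_rva, data[off:off + n]
    raise ValueError("entry point is not inside any section")


def triage(data: bytes) -> dict:
    """Which of the reported hashes match, and whether the entry-point prefix
    matches. A hash match is conclusive; the entry-point match is only a weak
    hint, since this MSVC CRT startup stub is shared by many unrelated binaries."""
    hashes = file_hashes(data)
    result = {"hash_match": {k: hashes[k] == v for k, v in REPORT_HASHES.items()}}
    try:
        rva, prefix = pe_entry_point(data, len(REPORT_ENTRY_BYTES))
        result["entry_rva"] = rva
        result["entry_bytes_match"] = prefix == REPORT_ENTRY_BYTES
    except (ValueError, struct.error) as exc:           # truncated or non-PE input
        result["pe_error"] = str(exc)
    return result


def build_sample_pe(entry_rva: int, entry_bytes: bytes) -> bytes:
    """Constructed minimal PE32 image used only to exercise the parser; this is
    NOT Magentic_Install.exe. One .text section at RVA 0x1000, raw data at 0x400."""
    nt_off, sect_va, raw_ptr, sect_size = 0x80, 0x1000, 0x400, 0x8000
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", nt_off)).ljust(nt_off, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 8, 0, sect_size, 0, 0, entry_rva).ljust(224, b"\0")
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", sect_size, sect_va, sect_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + file_hdr + opt_hdr + section).ljust(raw_ptr, b"\0")
    body = bytearray(sect_size)
    body[entry_rva - sect_va:entry_rva - sect_va + len(entry_bytes)] = entry_bytes
    return header + bytes(body)


if __name__ == "__main__":
    sample = build_sample_pe(REPORT_ENTRY_RVA, REPORT_ENTRY_BYTES)
    print(triage(sample))
```

Run triage() over the bytes of the file you actually have: a SHA-256 match settles identity, whereas an entry-point match with non-matching hashes usually just means another MSVC-built program, so treat it as a reason to look further, not as a detection.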

The file Magentic_Install.exe has been seen being distributed from 8 URLs, of which the following was recorded:

http://www.magentic.com/download_client.aspx?setup_id=9&version_id=1310837&id=10237

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to cen.incredimail.com  (82.80.204.5:80)

TCP (HTTP):
Connects to media.iad.ask.com  (66.235.120.109:80)
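The two hostnames and addresses above are the network indicators for this sample. The following is an added example, not code from the report: it sweeps proxy log lines for those indicators and pivots the hits by internal client. The log lines are constructed in Squid's native access-log layout (timestamp, elapsed, client, status, size, method, URL, ident, hierarchy/peer, type) and are not real traffic; the regular expressions for hostnames and IPv4 addresses are the author's own choice, not anything the report specifies.

```python
# Added example, not code from the report: sweep proxy logs for the network
# indicators listed above. The log lines are constructed, not real traffic.
import ipaddress
import re
from collections import defaultdict

# Indicators copied from the report above: hostname -> IP observed at analysis time.
NETWORK_IOCS = {
    "cen.incredimail.com": "82.80.204.5",
    "media.iad.ask.com": "66.235.120.109",
}

# Constructed Squid-style access log (time elapsed client status size method url ident hierarchy type).
SAMPLE_LOG = """\
1700000000.123 42 10.0.0.5 TCP_MISS/200 1234 GET http://cen.incredimail.com/ - HIER_DIRECT/82.80.204.5 text/html
1700000001.456 10 10.0.0.7 TCP_MISS/200 512 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000002.789 20 10.0.0.5 TCP_MISS/302 0 GET http://MEDIA.iad.ask.com/ - HIER_DIRECT/66.235.120.109 -
1700000003.000 5 10.0.0.9 TCP_TUNNEL/200 100 CONNECT 66.235.120.109:443 - HIER_DIRECT/66.235.120.109 -
"""

HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_iocs(log_text: str, iocs: dict = NETWORK_IOCS) -> list:
    """Return one record per log line that mentions an IOC hostname or IP.
    Hostnames are compared case-insensitively and exactly (no parent-domain
    matching, so ask.com traffic unrelated to media.iad.ask.com is not flagged)."""
    hosts = {h.lower() for h in iocs}
    ips = {ipaddress.ip_address(a) for a in iocs.values()}
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        found = set()
        for host in HOST_RE.findall(line):
            if host.lower().rstrip(".") in hosts:
                found.add(("host", host.lower()))
        for ip in IP_RE.findall(line):
            try:
                if ipaddress.ip_address(ip) in ips:
                    found.add(("ip", ip))
            except ValueError:      # e.g. 999.1.1.1 fits the regex but is not an address
                continue
        if found:
            fields = line.split()
            client = fields[2] if len(fields) > 2 else "?"
            hits.append({"line": lineno, "client": client, "indicators": sorted(found)})
    return hits


def clients_by_indicator(hits: list) -> dict:
    """Pivot the hits to indicator -> sorted list of internal clients, which is
    the view needed to scope how many machines ran the installer."""
    out = defaultdict(set)
    for hit in hits:
        for _kind, value in hit["indicators"]:
            out[value].add(hit["client"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOG):
        print(hit)
    print(clients_by_indicator(match_iocs(SAMPLE_LOG)))
```

Hostname hits carry more weight than address hits: the IPs were what those names resolved to on the analysis date and go stale, and a bare address match (the CONNECT line above) can be unrelated traffic to the same hosting. Note also that both hosts belong to the publisher's and ask.com's own infrastructure, so a hit shows the installer ran on that client, not that anything beyond the bundled software followed.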

Report powered by Reason Core Security.