IMAPP.EXE

IncrediMail

Perion Network Ltd.

The application IMAPP.EXE, “IncrediMail Tray Application” by Perion Network, has been detected as a potentially unwanted program by 2 anti-malware scanners.
Publisher:
IncrediMail, Ltd.  (signed by Perion Network Ltd.)

Product:
IncrediMail

Description:
IncrediMail Tray Application

Version:
6, 6, 0, 5288

MD5:
50ee17a8c40685c98e3ce23875fffb32

SHA-1:
47f09598356d90c7c99fecfc95d953f10f3ab1ce

SHA-256:
fec8736171039b84f2ec729c49b6cff6b5ac5eec3ae73f3f3978b0feae668c87

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/29/2016 1:46:04 AM UTC

Scan engine / Detection / Engine version:
Boost by Reason: Adware.PerionNetwork.F (engine version 2013.7.26.21)
Dr.Web: Adware.IncrediMail.14 (engine version 9.0.1.05190)

File size:
290.4 KB (297,384 bytes)

Product version:
6, 6, 0, 5288

Copyright:
Copyright © 2002 IncrediMail, Ltd.

Original file name:
IMAPP.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\incredimail\bin\imapp.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
4/24/2012 2:00:00 AM

Valid to:
4/24/2015 1:59:59 AM

Subject:
CN=Perion Network Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Perion Network Ltd., L=Tel Aviv, S=Tel Aviv, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
45F87694FE8D1984719796AEC8031DF4

File PE Metadata
Compilation timestamp:
10/1/2013 1:44:38 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
3072:BAt0U+mWvvguJFEvEt1bPmdh7VKEkIIgvgJlSoDfacdgu2sQu/OFNOfT9IkKotZ2:6tDYt1Tmh7VKEeSDYD/OHet5VOQy5S8

Entry address:
0x20534

Entry point:

Entropy:
5.9754

Code size:
148 KB (151,552 bytes)

The executable has been observed making the following network connections in live environments.

TCP (HTTP):
Connects to a72-246-97-24.deploy.akamaitechnologies.com  (72.246.97.24:80)

TCP (HTTP):
Connects to a87-243-6-139.deploy.akamaitechnologies.com  (87.243.6.139:80)

TCP:
Connects to wb-in-f109.1e100.net  (66.102.1.109:993)

TCP (HTTP):
Connects to s2.incredimail.com  (82.80.204.12:80)

TCP (HTTP):
Connects to unassigned-bezeqint.incredimail.com  (82.80.204.63:80)

TCP (POP3):
Connects to slcb747.piensasolutions.com  (217.76.150.234:110)

TCP (HTTP):
Connects to a96-6-123-11.deploy.akamaitechnologies.com  (96.6.123.11:80)

TCP:
Connects to imap18.mail.vip.bf1.yahoo.com  (67.195.236.148:993)

TCP:
Connects to imap12.mail.vip.bf1.yahoo.com  (67.195.236.145:993)

TCP (HTTP):
Connects to 189-76-142-73.ntelecom.com.br  (189.76.142.73:80)

TCP:
Connects to mailhost.kpnmail.nl  (213.75.63.13:587)

TCP:
Connects to imap.gmx.net  (212.227.17.170:993)

TCP (HTTP):
Connects to a92-197-129-33.deploy.akamaitechnologies.com  (92.197.129.33:80)

TCP (HTTP):
Connects to a92-122-214-203.deploy.akamaitechnologies.com  (92.122.214.203:80)

TCP (HTTP):
Connects to www8.incredimail.com  (82.80.204.2:80)

TCP (HTTP):
Connects to www.incredibarvuz1.com  (82.80.204.7:80)

TCP (POP3):
Connects to popproxy1.caiw.net  (62.45.45.190:110)

TCP (POP3):
Connects to pop.embarqmail.com  (205.219.233.11:110)

TCP (POP3):
Connects to mail.tele2.se  (212.247.156.1:110)

TCP:
Connects to imap-a-mtc-b.mx.aol.com  (64.12.88.161:993)
