home

IMAPP.EXE

IncrediMail

Perion Network Ltd.

The executable IMAPP.EXE, “IncrediMail Tray Application” by Perion Network has been known to be a potentially unwanted program that has been detected by 1 anti-malware scanner. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address in.aliceposta.it on port 110.
Publisher:
IncrediMail, Ltd.  (signed by Perion Network Ltd.)

Product:
IncrediMail

Description:
IncrediMail Tray Application

Version:
6, 6, 0, 5282

MD5:
bad378e315e138995a7ed7ec589f5572

SHA-1:
493f953b1eb6dfe942793a11d69f548d4e513904

SHA-256:
74393ee36a855cea9890fe3203049b63fd26e71b0355e66edc5cd25b384b6d55

Scanner detections:
1 / 68

Status:
Clean  (1 probable false positive detection)

Explanation:
This is mosty likely a false positive detection, the file is probably clean.

Analysis date:
4/26/2024 8:16:31 AM UTC  (today)

Scan engine
Detection
Engine version

Boost by Reason
Adware.PerionNetwork.F
2013.7.26.21

File size:
290.4 KB (297,384 bytes)

Product version:
6, 6, 0, 5282

Copyright:
Copyright © 2002 IncrediMail, Ltd.

Original file name:
IMAPP.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\Program Files\incredimail\bin\imapp.exe

Digital Signature
Signed by:
Perion Network Ltd.

Authority:
VeriSign, Inc.

Valid from:
4/24/2012 2:00:00 AM

Valid to:
4/24/2015 1:59:59 AM

Subject:
CN=Perion Network Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Perion Network Ltd., L=Tel Aviv, S=Tel Aviv, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
45F87694FE8D1984719796AEC8031DF4

File PE Metadata
Compilation timestamp:
8/28/2013 2:36:24 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
3072:hAt0U+mWvvguJFEvEt1bPmdh7VKEkIIgvgJlSoDfacdgu2sQu/OFNOfT90kKotZF:atDYt1Tmh7VKEeSDYD/OHehNVOQyWSO

Entry address:
0x20534

Entry point:
E8, 1F, 07, 00, 00, E9, DA, FC, FF, FF, FF, 25, 10, 68, 42, 00, 3B, 0D, 38, A9, 43, 00, 75, 02, F3, C3, E9, 99, 07, 00, 00, 8B, C1, C7, 00, 58, E1, 42, 00, C2, 04, 00, 53, 8A, 5C, 24, 08, F6, C3, 02, 56, 8B, F1, 74, 24, 57, 68, 26, 0E, 42, 00, 8D, 7E, FC, FF, 37, 6A, 0C, 56, E8, AC, 01, 00, 00, F6, C3, 01, 74, 07, 57, E8, 93, F7, FF, FF, 59, 8B, C7, 5F, EB, 13, E8, 92, 08, 00, 00, F6, C3, 01, 74, 07, 56, E8, 7D, F7, FF, FF, 59, 8B, C6, 5E, 5B, C2, 04, 00, 8B, C1, C2, 04, 00, FF, 25, 28, 68, 42, 00, FF, 25...
 
[+]

Entropy:
5.9756

Code size:
148 KB (151,552 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to s2.incredimail.com  (82.80.204.12:80)

TCP (POP3):
Connects to in.aliceposta.it  (82.57.200.129:110)

TCP (HTTP):
Connects to www8.incredimail.com  (82.80.204.2:80)

TCP (HTTP):
Connects to unassigned-bezeqint.incredimail.com  (82.80.204.63:80)

TCP (HTTP):
Connects to a88-221-145-49.deploy.akamaitechnologies.com  (88.221.145.49:80)

TCP (HTTP):
Connects to ppp-35-122.29-151.wind.it  (151.29.122.35:80)

TCP (POP3):
Connects to pop.tiscali.it  (213.205.33.11:110)

TCP (POP3):
Connects to pop.menara.ma  (81.192.22.11:110)

TCP:
Connects to pop.gmx.net  (212.227.17.185:995)

TCP (HTTP):
Connects to a80-228-45-35.deploy.akamai.com  (80.228.45.35:80)

TCP (HTTP):
Connects to a80-228-45-24.deploy.akamai.com  (80.228.45.24:80)

TCP (HTTP):
Connects to www.incredibarvuz1.com  (82.80.204.7:80)

TCP (HTTP):
Connects to static.ill.117.239.91.48/24.bsnl.in  (117.239.91.48:80)

TCP (HTTP):
Connects to static.ill.117.239.91.34/24.bsnl.in  (117.239.91.34:80)

TCP (HTTP):
Connects to static.ill.117.239.240.17/24.bsnl.in  (117.239.240.17:80)

TCP (HTTP):
Connects to static.ill.117.239.240.16/24.bsnl.in  (117.239.240.16:80)

TCP (HTTP):
Connects to ppp-72-208.21-151.wind.it  (151.21.208.72:80)

TCP (HTTP):
Connects to ppp-34-122.29-151.wind.it  (151.29.122.34:80)

TCP (HTTP):
Connects to ppp-147-209.21-151.wind.it  (151.21.209.147:80)

TCP (HTTP):
Connects to ppp-115-209.21-151.wind.it  (151.21.209.115:80)

Scan IMAPP.EXE - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.