home

INCMAIL.EXE

IncrediMail

Perion Network Ltd.

The executable INCMAIL.EXE, “IncrediMail Application” by Perion Network has been known to be a potentially unwanted program that has been detected by 1 anti-malware scanner. It is also typically executed from the user's temporary directory. While running, it connects to the Internet address edge-star-shv-01-mxp1.facebook.com on port 443.
Publisher:
IncrediMail, Ltd.  (signed by Perion Network Ltd.)

Product:
IncrediMail

Description:
IncrediMail Application

Version:
6, 6, 0, 5282

MD5:
c979b1c481657829fd3be6de1c17a43a

SHA-1:
3acf7177a0363fafc19610c9caf4522ec33767c9

SHA-256:
988ec7eff911fe60e2ad0549069b976fc2204594ef32feffe220730667defa10

Scanner detections:
1 / 68

Status:
Clean  (1 probable false positive detection)

Explanation:
This is mosty likely a false positive detection, the file is probably clean.

Analysis date:
4/25/2024 12:46:52 PM UTC  (today)

Scan engine
Detection
Engine version

Boost by Reason
Adware.Startup.Perion.H
2013.7.26.22

File size:
434.4 KB (444,840 bytes)

Product version:
6, 6, 0, 5282

Copyright:
Copyright © 2002 IncrediMail, Ltd.

Original file name:
INCMAIL.EXE

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\Program Files\incredimail\bin\incmail.exe

Digital Signature
Signed by:
Perion Network Ltd.

Authority:
VeriSign, Inc.

Valid from:
4/24/2012 2:00:00 AM

Valid to:
4/24/2015 1:59:59 AM

Subject:
CN=Perion Network Ltd., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Perion Network Ltd., L=Tel Aviv, S=Tel Aviv, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
45F87694FE8D1984719796AEC8031DF4

File PE Metadata
Compilation timestamp:
8/28/2013 2:54:06 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
6144:J4GX9oNsj4wWMSahvFXyRTT7NlOh5s1fjuBJc:uQzj4wliRnh91fj5

Entry address:
0x2A20E

Entry point:
E8, 15, 08, 00, 00, E9, DA, FC, FF, FF, FF, 25, 6C, 39, 43, 00, FF, 25, 74, 39, 43, 00, FF, 25, 78, 39, 43, 00, FF, 25, 7C, 39, 43, 00, FF, 25, 80, 39, 43, 00, FF, 25, 84, 39, 43, 00, FF, 74, 24, 10, FF, 74, 24, 10, FF, 74, 24, 10, FF, 74, 24, 10, 68, 66, A2, 42, 00, 68, 04, 46, 45, 00, E8, 61, 08, 00, 00, 83, C4, 18, C3, CC, FF, 25, 88, 39, 43, 00, 3B, 0D, 04, 46, 45, 00, 75, 02, F3, C3, E9, 4D, 08, 00, 00, 8B, C1, C7, 00, 34, B5, 43, 00, C2, 04, 00, 53, 8A, 5C, 24, 08, F6, C3, 02, 56, 8B, F1, 74, 24, 57...
 
[+]

Entropy:
6.1061

Code size:
200 KB (204,800 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to edge-star-shv-01-mxp1.facebook.com  (31.13.86.8:443)

TCP (HTTP):
Connects to r1.ycpi.vip.inc.yahoo.net  (203.84.220.151:80)

TCP (HTTP):
Connects to e2.ycpi.vip.lob.yahoo.com  (87.248.114.12:80)

TCP (HTTP SSL):
Connects to srv21.mailer-service.de  (217.115.153.221:443)

TCP (HTTP):
Connects to ec2-52-48-52-62.eu-west-1.compute.amazonaws.com  (52.48.52.62:80)

TCP (HTTP):
Connects to e2.ycpi.vip.deb.yahoo.com  (87.248.118.23:80)

TCP (HTTP):
Connects to de4.ioam.de  (91.215.100.40:80)

TCP (HTTP SSL):
Connects to edge-star-shv-01-sin6.facebook.com  (157.240.7.20:443)

TCP (HTTP):
Connects to edge-star-shv-01-cdg2.facebook.com  (179.60.192.3:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-frt3.fbcdn.net  (31.13.92.14:443)

TCP (HTTP SSL):
Connects to server-54-230-24-50.mxp4.r.cloudfront.net  (54.230.24.50:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-vie1.facebook.com  (31.13.84.8:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-gru2.facebook.com  (31.13.85.8:443)

TCP (HTTP):
Connects to e2.ycpi.vip.bra.yahoo.com  (200.152.162.161:80)

TCP (HTTP):
Connects to e1.ycpi.vip.deb.yahoo.com  (87.248.118.22:80)

TCP (HTTP):
Connects to a104-106-100-197.deploy.static.akamaitechnologies.com  (104.106.100.197:80)

TCP (HTTP):
Connects to static.ill.117.239.240.17/24.bsnl.in  (117.239.240.17:80)

TCP (HTTP SSL):
Connects to server-54-230-217-118.mrs50.r.cloudfront.net  (54.230.217.118:443)

TCP (HTTP):
Connects to r1-ha.ycpi.aea.yahoo.net  (183.177.93.12:80)

TCP (HTTP):
Connects to ewe-hb-ggc-node4-170.cache.google.com  (80.228.66.170:80)

Scan INCMAIL.EXE - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.