IncrediMail_Install.exe

IncrediMail Installer

IncrediMail Ltd.

The application IncrediMail_Install.exe by IncrediMail has been detected as a potentially unwanted program by 9 anti-malware scanners. This is a self-extracting archive and installer and has been known to bundle potentially unwanted software. The file has been seen being downloaded from www.pcwelt.de and multiple other hosts. While running, it connects to the Internet address cen.incredimail.com on port 80 using the HTTP protocol.
Publisher:
IncrediMail Ltd.  (signed and verified)

Product:
IncrediMail Installer

Version:
8, 0, 0, 1298

MD5:
3b1ae960a3d4abc92d06226d7183ea5b

SHA-1:
5926549014674b465a512b2c1fbf3468a5edf866

SHA-256:
667a280446c88c867d1c4b271c894956bdbca0853c7810899b840839df416749

Scanner detections:
9 / 68

Status:
Potentially unwanted

Analysis date:
4/24/2024 1:29:22 PM UTC

Scan engine               Detection                              Engine version
Avira AntiVirus           Adware/InstaTool.A                     7.11.133.78
Dr.Web                    Adware.IncrediMail.8                   9.0.1.0123
K7 AntiVirus              Riskware                               13.173.9916
Reason Heuristics         Threat.Win.Reputation.IMP              14.5.3.13
Rising Antivirus          PE:PUF.IncredimailInstaller!1.9C36     23.00.65.14501
Trend Micro House Call    HV_SIGNATURE_CI053700.RDXN             7.2.123
Trend Micro               TROJ_SPNR.0CCR12                       10.465.03
VIPRE Antivirus           Trojan.Win32.Generic                   22594
XVirus List               Win32.Detected                         2.5.3

File size:
463.8 KB (474,944 bytes)

Product version:
8, 0, 0, 1298

Copyright:
Copyright (C) 2010

Original file name:
IncrediMail_Install.exe

File type:
Executable application (Win32 EXE)

Language:
Hebrew (Israel)

Common path:
C:\users\{user}\downloads\incredimail_install.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
8/17/2009 2:00:00 AM

Valid to:
9/6/2012 1:59:59 AM

Subject:
CN=IncrediMail Ltd., OU=R&D, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=IncrediMail Ltd., L=Tel-Aviv, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2DA9DB2D3D256C114685CBB35C1B551D

File PE Metadata
Compilation timestamp:
8/25/2011 3:10:04 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:cQU6DcCs0DcW+smXWvbSed/T7Sdabv8Lhth:cQU6DcCBDcs/eeN6y+hth

Entry address:
0x78C5

Entry point:
6A, 0C, 68, 90, 8D, 40, 00, E8, 53, 14, 00, 00, 83, 65, E4, 00, 83, 65, FC, 00, E8, 65, FC, FF, FF, 89, 45, E4, EB, 07, 33, C0, 40, C3, 8B, 65, E8, 83, 4D, FC, FF, FF, 75, E4, FF, 15, 50, 10, 40, 00, CC, 55, 8B, EC, 8B, 45, 10, 56, FF, 75, 0C, 8B, F1, FF, 75, 08, 83, 26, 00, 50, 89, 46, 04, FF, 15, 54, 10, 40, 00, 89, 06, 8B, C6, 5E, 5D, C2, 0C, 00, FF, 31, FF, 71, 04, FF, 15, 58, 10, 40, 00, C3, 55, 8B, EC, 51, 51, 53, 56, 8B, F1, FF, 36, FF, 76, 04, FF, 15, 68, 10, 40, 00, 33, DB, 3B, C3, 75, 0A, FF, 15...

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
33.5 KB (34,304 bytes)

The file IncrediMail_Install.exe has been seen being distributed by the following 2 URLs.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to cen.incredimail.com  (82.80.204.5:80)
