IncrediMail_Install.exe

IncrediMail Installer

IncrediMail Ltd.

The application IncrediMail_Install.exe by IncrediMail has been flagged as a potentially unwanted program by 3 anti-malware scanners. It is a setup and installation application that has been known to bundle potentially unwanted software. The file has been observed being downloaded from www.premiumsave.info and multiple other hosts. While running, it connects to the Internet address cen.incredimail.com on port 80 using the HTTP protocol.
Publisher:
IncrediMail Ltd. (signed and verified)

Product:
IncrediMail Installer

Version:
8, 0, 0, 1003

MD5:
05feca1b4b1f7f9d924191716ad3f0ba

SHA-1:
ecc7347ae9d83bf9cadced06310069abd822d08c

SHA-256:
d3e37331bb4b3819c2889c3460f6951a34cf7852f73c0c569999db21dc700071

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
4/18/2024 11:15:55 PM UTC

Scan engine / Detection / Engine version:

Dr.Web / Tool.InstallToolbar.96 / 9.0.1.0240

K7 AntiVirus / Riskware / 13.173.9916

Reason Heuristics / PUP.Installer.IncrediMail.Installer.Meta / 15.4.25.2

File size:
452.3 KB (463,184 bytes)

Product version:
8, 0, 0, 1003

Copyright:
Copyright (C) 2010

Original file name:
IncrediMail_Install.exe

File type:
Executable application (Win32 EXE)

Language:
Hebrew (Israel)

Common path:
C:\users\{user}\downloads\incredimail_install.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
8/16/2009 5:00:00 PM

Valid to:
9/5/2012 4:59:59 PM

Subject:
CN=IncrediMail Ltd., OU=R&D, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=IncrediMail Ltd., L=Tel-Aviv, S=Israel, C=IL

Issuer:
CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2DA9DB2D3D256C114685CBB35C1B551D

File PE Metadata
Compilation timestamp:
10/5/2011 9:06:41 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
12288:QiWF8jURnLKL8T8v4tnMx0hnUn7NXGb5BjIdlHFZ0:QivUxo8wv4nMxSnyU/jyHFZ0

Entry address:
0x78C5

Entry point:
6A, 0C, 68, 90, 8D, 40, 00, E8, 53, 14, 00, 00, 83, 65, E4, 00, 83, 65, FC, 00, E8, 65, FC, FF, FF, 89, 45, E4, EB, 07, 33, C0, 40, C3, 8B, 65, E8, 83, 4D, FC, FF, FF, 75, E4, FF, 15, 50, 10, 40, 00, CC, 55, 8B, EC, 8B, 45, 10, 56, FF, 75, 0C, 8B, F1, FF, 75, 08, 83, 26, 00, 50, 89, 46, 04, FF, 15, 54, 10, 40, 00, 89, 06, 8B, C6, 5E, 5D, C2, 0C, 00, FF, 31, FF, 71, 04, FF, 15, 58, 10, 40, 00, C3, 55, 8B, EC, 51, 51, 53, 56, 8B, F1, FF, 36, FF, 76, 04, FF, 15, 68, 10, 40, 00, 33, DB, 3B, C3, 75, 0A, FF, 15...

Entropy:
7.8735

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
33.5 KB (34,304 bytes)

The file IncrediMail_Install.exe has been seen being distributed by the following 4 URLs.

http://www.premiumsave.info/installmate/.../incredibar_install.exe

When executed, the file has been observed making the following network communication in live environments.

TCP (HTTP):
Connects to cen.incredimail.com  (82.80.204.5:80)

Remove IncrediMail_Install.exe - Powered by Reason Core Security