incredimailsetup.exe

Installer Web Internet

ClientConnect LTD

The file belongs to the ClientConnect (Conduit/Perion) platform, a utility that bundles and monetizes search toolbars and browser add-ons. The application incredimailsetup.exe, “Installer Web Internet Setup” by ClientConnect, has been detected as adware by 9 anti-malware scanners. The program is a setup application that uses the Inno Setup installer. The file has been seen being downloaded from cdn.incredmailfiles.com. While running, it connects to the Internet address cms.dmccint.com on port 80 using the HTTP protocol.
Publisher:
ClientConnect LTD  (signed and verified)

Product:
Installer Web Internet

Description:
Installer Web Internet Setup

MD5:
120cc407f697601794b6d79bfcd0e739

SHA-1:
d9d967839ec38b45b8832980cf78f7446a59e21a

SHA-256:
843528c98711f2798514a5bcb079c52d268fa66a26f3fa3db44a62d92dcda27a

Scanner detections:
9 / 68

Status:
Adware

Explanation:
Uses the InstallCore download manager to install additional potentially unwanted software which may include extensions such as DealPly and various toolbars.

Analysis date:
9/29/2020 6:55:20 PM UTC

Scan engine               Detection                               Engine version
Avira AntiVirus                                                   7.11.201.124
Baidu Antivirus           Adware.Win32.InstallCore                4.0.3.15115
Comodo Security           Application.Win32.InstallCore.KJH       20715
ESET NOD32                Win32/InstallCore.UQ (variant)          9.11015
McAfee                    Artemis!120CC407F697                    5600.6884
NANO AntiVirus            Riskware.Win32.InstallCore.dfgoss       0.30.0.64448
Reason Heuristics         PUP.Installer.ClientConnect.Q           15.1.15.18
Trend Micro House Call    Suspicious_GEN.F47V0111                 7.2.15
VIPRE Antivirus           Conduit                                 36664

File size:
789.1 KB (808,000 bytes)

Product version:
5.1

File type:
Executable application (Win32 EXE)

Installer:
Inno Setup

Language:
Language Neutral

Common path:
C:\users\{user}\downloads\incredimailsetup.exe

Digital Signature
Authority:
Symantec Corporation

Valid from:
6/15/2014 10:00:00 AM

Valid to:
6/16/2016 9:59:59 AM

Subject:
CN=ClientConnect LTD, OU=IncrediMail, O=ClientConnect LTD, L=Ness Ziona, S=Israel, C=IL

Issuer:
CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US

Serial number:
41E7062BC1FD079BD90453D7B130730C

File PE Metadata
Compilation timestamp:
6/20/1992 8:22:17 AM

OS version:
1.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
24576:9HSgvdEGQ6d0Vjr4OROFjMY36gmDae/yK:9yKdAVwOROjmO1K

Entry address:
0x9C40

Entry point:
55, 8B, EC, 83, C4, C4, 53, 56, 57, 33, C0, 89, 45, F0, 89, 45, DC, E8, 86, 94, FF, FF, E8, 8D, A6, FF, FF, E8, 1C, A9, FF, FF, E8, 53, C9, FF, FF, E8, 9A, C9, FF, FF, E8, C9, F2, FF, FF, E8, 30, F4, FF, FF, 33, C0, 55, 68, FC, A2, 40, 00, 64, FF, 30, 64, 89, 20, 33, D2, 55, 68, C5, A2, 40, 00, 64, FF, 32, 64, 89, 22, A1, 14, C0, 40, 00, E8, 96, FE, FF, FF, E8, C9, FA, FF, FF, 8D, 55, F0, 33, C0, E8, 83, CF, FF, FF, 8B, 55, F0, B8, 24, CE, 40, 00, E8, 32, 95, FF, FF, 6A, 02, 6A, 00, 6A, 01, 8B, 0D, 24, CE...

Entropy:
7.8784

Packer / compiler:
Inno Setup v5.x - Installer Maker

Code size:
37 KB (37,888 bytes)

The file incredimailsetup.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to cms.dmccint.com  (23.67.242.80:80)

http://cms.dmccint.com/DynamicOffer/16279115/16300238/?mainofferId=16275681&CurrentStep=2&TotalSteps=4&DownloadBrowser=IE&CType=-1&UserMode=-1&DMVersion=1.3.6.62.16299104.01&Language=US-EN

Remove incredimailsetup.exe - Powered by Reason Core Security