instatime.exe

InstaTime

The application instatime.exe by InstaTime has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘InstaTime’. While running, it connects to the Internet address edge-star-mini-shv-01-gru2.facebook.com on port 443.
Publisher:
InstaTime  (signed and verified)

MD5:
d5fd2f26e8f8c961e6de852867dc0901

SHA-1:
1e1f516282389cef619292f6a69eaa6c26121427

SHA-256:
765cb52f3ae9b24c36bc6228c086a6f3ffb101f013d084e55362fc74de776824

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 9:35:32 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.InstaTime (M)

Engine version:
15.12.20.16

File size:
45.8 MB (48,031,472 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\instatime\instatime.exe

Digital Signature
Signed by:

Authority:
InstaTime

Valid from:
6/1/2015 5:40:01 PM

Valid to:
5/29/2025 5:40:01 PM

Subject:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Issuer:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Serial number:
00E63C0FE02346D411

File PE Metadata
Compilation timestamp:
3/4/2015 10:51:42 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:9LJmRGIXff9keaayimwJZHM3SD3K4mNCesWePrumsEUF0pfOU9W:9tmRGIXff923imwJZMCDVVesWewFJUE

Entry address:
0x1C996D1

Entry point:

Entropy:
6.8854

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstaTime

Command:
C:\users\{user}\appdata\roaming\instatime\instatime.exe su


The executing file has been seen to make the following network communications in live environments.


Remove instatime.exe - Powered by Reason Core Security