instatime.exe

InstaTime

The executable instatime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘InstaTime’.
Publisher:
InstaTime  (signed and verified)

MD5:
a2bab772bdcae6b6d453e916fe49b92f

SHA-1:
30f76ef58b1bc853cac89708a324dc7204986440

SHA-256:
1344fa6ebb6fced919c4d2ce46d65d4c8ff4f15a5404c238dd3b435348d9f3e9

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/24/2024 11:43:36 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.8.6.21

File size:
45.8 MB (48,017,480 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\instatime\instatime.exe

Digital Signature
Signed by:

Authority:
InstaTime

Valid from:
6/1/2015 6:40:01 PM

Valid to:
5/29/2025 6:40:01 PM

Subject:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Issuer:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Serial number:
00E63C0FE02346D411

File PE Metadata
Compilation timestamp:
3/5/2015 12:51:42 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:RLJmRGIXff9keaayimwJZHM3SD3K4mNCesWePrumsEUF0pfOU7p:RtmRGIXff923imwJZMCDVVesWewFJUt

Entry address:
0x1C996D1

Entry point:
E8, 9A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, 38, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, 38, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, 38, EC, 02, 02, 74, 21, 6A, 17, E8, A9, 21, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 
[+]

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstaTime

Command:
C:\users\{user}\appdata\roaming\instatime\instatime.exe su


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 208.185.50.80.IPYX-063360-004-ZYO.zip.zayo.com  (208.185.50.80:80)

TCP (HTTP SSL):
Connects to bam-3.nr-data.net  (50.31.164.173:443)

TCP (HTTP):
Connects to tags.expo9.exponential.com  (204.11.109.77:80)

TCP (HTTP):
Connects to a.tribalfusion.com  (204.11.109.66:80)

TCP (HTTP):
Connects to 107.154.107.40.ip.incapdns.net  (107.154.107.40:80)

TCP (HTTP SSL):
Connects to bto-04-082.bto.ras.cantv.net  (200.44.23.210:443)

TCP (HTTP SSL):
Connects to bto-04-080.bto.ras.cantv.net  (200.44.23.208:443)

TCP (HTTP SSL):
Connects to bto-04-091.bto.ras.cantv.net  (200.44.23.219:443)

TCP (HTTP):
Connects to ec2-54-172-76-86.compute-1.amazonaws.com  (54.172.76.86:80)

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-mia1.fbcdn.net  (31.13.73.52:443)

TCP (HTTP):
Connects to ec2-34-193-29-123.compute-1.amazonaws.com  (34.193.29.123:80)

TCP (HTTP SSL):
Connects to bto-04-075.bto.ras.cantv.net  (200.44.23.203:443)

TCP (HTTP SSL):
Connects to bto-04-026.bto.ras.cantv.net  (200.44.23.154:443)

TCP (HTTP SSL):
Connects to bto-04-025.bto.ras.cantv.net  (200.44.23.153:443)

TCP (HTTP SSL):
Connects to bto-04-010.bto.ras.cantv.net  (200.44.23.138:443)

TCP (HTTP SSL):
Connects to bto-04-009.bto.ras.cantv.net  (200.44.23.137:443)

TCP (HTTP SSL):
Connects to a23-10-101-123.deploy.static.akamaitechnologies.com  (23.10.101.123:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.bf1.yahoo.com  (63.250.200.63:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-02-mia1.facebook.com  (157.240.0.35:443)

TCP (HTTP):
Connects to ec2-54-152-171-205.compute-1.amazonaws.com  (54.152.171.205:80)

Remove instatime.exe - Powered by Reason Core Security