instatime.exe

InstaTime

The executable instatime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘InstaTime’. While running, it connects to the Internet address edge-star-mini-shv-01-fra3.facebook.com on port 443.
Publisher:
InstaTime  (signed and verified)

MD5:
2866418da420c42640b7aae08c176154

SHA-1:
3cab911fb0e7c93e5f71bae64d436f40198b04a3

SHA-256:
d01b5ea5e0488bcdcee4b4c83c41d5b4d5af1f790671944909bf304b29dd3a55

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/26/2024 9:06:07 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.10.2.20

File size:
47.2 MB (49,532,328 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\instatime\instatime.exe

Digital Signature
Signed by:

Authority:
InstaTime

Valid from:
6/1/2015 11:40:01 PM

Valid to:
5/29/2025 11:40:01 PM

Subject:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Issuer:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Serial number:
00E63C0FE02346D411

File PE Metadata
Compilation timestamp:
2/20/2016 4:43:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:muK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQv34oU:/wC64r1c6ZgnUSrLpbUAdBUQq6/BLroh

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.9380

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstaTime

Command:
C:\users\{user}\appdata\roaming\instatime\instatime.exe su

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to wb-in-f155.1e100.net  (66.102.1.155:443)

TCP (HTTP SSL):
Connects to mc.yandex.ru  (87.250.250.119:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-fra3.facebook.com  (31.13.93.36:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-ams3.facebook.com  (31.13.91.36:443)

TCP (HTTP SSL):
Connects to a23-37-53-224.deploy.static.akamaitechnologies.com  (23.37.53.224:443)

TCP (HTTP):
Connects to a184-51-148-82.deploy.static.akamaitechnologies.com  (184.51.148.82:80)

TCP (HTTP):
Connects to a184-51-148-72.deploy.static.akamaitechnologies.com  (184.51.148.72:80)

TCP (HTTP):
Connects to a184-51-148-136.deploy.static.akamaitechnologies.com  (184.51.148.136:80)

TCP (HTTP):
Connects to a184-51-148-104.deploy.static.akamaitechnologies.com  (184.51.148.104:80)

TCP (HTTP SSL):
Connects to a172-227-12-158.deploy.static.akamaitechnologies.com  (172.227.12.158:443)

TCP (HTTP):
Connects to 89.9d.a86c.ip4.static.sl-reverse.com  (108.168.157.137:80)

TCP (HTTP):
Connects to 85.242.178.107.bc.googleusercontent.com  (107.178.242.85:80)

TCP (HTTP):
Connects to 145.40.211.130.bc.googleusercontent.com  (130.211.40.145:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-lht6.fbcdn.net  (157.240.1.23:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-atl3.facebook.com  (31.13.65.36:443)

TCP (HTTP SSL):
Connects to ec2-54-87-178-183.compute-1.amazonaws.com  (54.87.178.183:443)

TCP (HTTP SSL):
Connects to ec2-54-154-194-232.eu-west-1.compute.amazonaws.com  (54.154.194.232:443)

TCP (HTTP):
Connects to ec2-107-22-230-235.compute-1.amazonaws.com  (107.22.230.235:80)

Remove instatime.exe - Powered by Reason Core Security