instatime.exe

InstaTime

The executable instatime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘InstaTime’. While running, it connects to the Internet address instagram-p3-shv-01-syd2.fbcdn.net on port 443.
Publisher:
InstaTime  (signed and verified)

MD5:
ea157f65b8b99ea3d980fd1dfadb7e0f

SHA-1:
3cc36f174703c7d9f27661f7db01f745d0538b83

SHA-256:
d80ddc7e82c314dd509720560e9cfba7c90af823375dbe0ab841ea1c29c18b62

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/5/2024 11:18:33 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.11.12.13

File size:
47.2 MB (49,533,400 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\instatime\instatime.exe

Digital Signature
Signed by:

Authority:
InstaTime

Valid from:
6/1/2015 11:40:01 PM

Valid to:
5/29/2025 11:40:01 PM

Subject:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Issuer:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Serial number:
00E63C0FE02346D411

File PE Metadata
Compilation timestamp:
2/20/2016 4:43:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:XuK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQvl8YP:+wC64r1c6ZgnUSrLpbUAdBUQq6/BLrGC

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstaTime

Command:
C:\users\{user}\appdata\roaming\instatime\instatime.exe su
The executing file has been seen to make the following network communications in live environments.

Remove instatime.exe - Powered by Reason Core Security