instatime.exe

InstaTime

The executable instatime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘InstaTime’. While running, it connects to the Internet address instagram-p3-shv-01-lhr3.fbcdn.net on port 443.
Publisher:
InstaTime  (signed and verified)

MD5:
76740412c352254cb37cb76abc5c22d2

SHA-1:
44521f50315ef2de305101d752bfa2775b0ba63c

SHA-256:
f8e3f821ad0f6f139e97b24196d7536107d9e6c43cc7759d9d124fab3ee9c864

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/2/2024 11:30:54 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
17.1.3.2

File size:
45.6 MB (47,795,408 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\instatime\instatime.exe

Digital Signature
Signed by:

Authority:
InstaTime

Valid from:
6/2/2015 3:10:01 AM

Valid to:
5/30/2025 3:10:01 AM

Subject:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Issuer:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Serial number:
00E63C0FE02346D411

File PE Metadata
Compilation timestamp:
2/20/2016 9:13:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8738

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstaTime

Command:
C:\users\{user}\appdata\roaming\instatime\instatime.exe su


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-sin6.fbcdn.net  (157.240.7.52:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-sin6.fbcdn.net  (157.240.7.26:443)

TCP (HTTP):
Connects to s-prd-pxl-adcom-scd-blue-b.evip.aol.com  (149.174.66.134:80)

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-lht6.fbcdn.net  (157.240.1.52:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-sin6.facebook.com  (157.240.7.35:443)

TCP (HTTP SSL):
Connects to a23-49-53-186.deploy.static.akamaitechnologies.com  (23.49.53.186:443)

TCP (HTTP):
Connects to 206-141.amazon.com  (72.21.206.141:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lhr3.facebook.com  (31.13.90.36:443)

TCP (HTTP):
Connects to a.tribalfusion.com  (204.11.109.66:80)

TCP (HTTP):
Connects to unknown.telstraglobal.net  (210.176.156.25:80)

TCP (HTTP):
Connects to tags.expo9.exponential.com  (204.11.109.77:80)

TCP (HTTP):
Connects to ox-173-241-248-199.xf.dc.openx.org  (173.241.248.199:80)

TCP (HTTP):
Connects to a184-86-201-168.deploy.static.akamaitechnologies.com  (184.86.201.168:80)

TCP (HTTP):
Connects to a104-108-200-70.deploy.static.akamaitechnologies.com  (104.108.200.70:80)

TCP (HTTP):
Connects to static.ill.117.239.141.26/24.bsnl.in  (117.239.141.26:80)

TCP (HTTP):
Connects to c8.63.5177.ip4.static.sl-reverse.com  (119.81.99.200:80)

Remove instatime.exe - Powered by Reason Core Security