instatime.exe

InstaTime

The application instatime.exe by InstaTime has been flagged as a potentially unwanted program by 1 of the 68 anti-malware scanners consulted; the single detection is heuristic (PUP.InstaTim), so the detection ratio alone is weak evidence and the other indicators on this page (a self-issued code-signing certificate, a machine-wide autostart entry pointing into a user profile, and broad outbound connectivity) carry more weight. It is set to execute automatically when any user logs into Windows through the machine-wide Run registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), under the value name 'InstaTime', with the command-line argument 'su'. While running it connects to Facebook, Instagram (fbcdn.net), AOL, Yahoo, Wikimedia, Google (1e100.net) and Amazon EC2 hosts, mostly on port 443, among them edge-star-mini-shv-01-fra3.facebook.com; the hosts observed are listed under network communications below.
Publisher:
InstaTime  (signed with a self-issued certificate: the certificate's issuer is identical to its subject, so the signature does not chain to any trusted certificate authority; see Digital Signature below)

MD5:
75c4806b129caef80bdde06317ca3df2

SHA-1:
71f3fff882dce21378043df198b114ca0b75b12a

SHA-256:
0b17cf33ea31eb7ef306d9691933119103b2f15f08995c21269dcf81584cf62a

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 5:42:50 PM UTC

Scan engine          Detection           Engine version
Reason Heuristics    PUP.InstaTim (M)    16.6.1.17

File size:
45.6 MB (47,791,256 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\instatime\instatime.exe

Digital Signature
Signed by:

Authority:
InstaTime

Valid from:
6/1/2015 10:40:01 PM

Valid to:
5/29/2025 10:40:01 PM

Subject:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Issuer:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Serial number:
00E63C0FE02346D411

File PE Metadata
Compilation timestamp:
2/20/2016 3:43:51 PM

OS version:
5.1  (Windows XP; the minimum operating-system version recorded in the PE optional header)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0  (the linker shipped with Microsoft Visual C++ 2013)

CTPH (ssdeep):
786432:WuK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQvqe6:PwC64r1c6ZgnUSrLpbUAdBUQq6/BLrj6

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8734

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstaTime

Command:
C:\users\{user}\appdata\roaming\instatime\instatime.exe su
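The following PowerShell triage script is an added example; it is not part of the Reason Core Security report and is not InstaTime's own code. It uses the file path, SHA-256, file size, registry key and value name given above. Its assumptions are the three Run keys it queries (the report names only the HKLM key; the WOW6432Node and per-user HKCU variants are included because an installer can use either) and that the host runs Windows 8 / Server 2012 or later, which Get-NetTCPConnection requires.

```powershell
# Added triage script (not part of the report or of InstaTime's software).
# Indicators are copied from the report; the extra Run keys are an assumption.
$ExpectedSha256 = '0b17cf33ea31eb7ef306d9691933119103b2f15f08995c21269dcf81584cf62a'
$ExpectedSize   = 47791256

# 1. Locate the file in the reported location for every profile; compare size and hash.
$candidates = @(Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\InstaTime\instatime.exe' `
                              -ErrorAction SilentlyContinue)
if ($candidates.Count -eq 0) { Write-Host 'instatime.exe not found in any profile.' }

foreach ($file in $candidates) {
    $sha256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower()
    Write-Host "== $($file.FullName)"
    Write-Host "   size     : $($file.Length) (report: $ExpectedSize, match: $($file.Length -eq $ExpectedSize))"
    Write-Host "   SHA-256  : $sha256 (matches report: $($sha256 -eq $ExpectedSha256))"

    # 2. Authenticode: a self-issued certificate (subject == issuer) gives no third-party
    #    assurance, whatever a scanner's "signed and verified" label suggests.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    Write-Host "   signature: $($sig.Status) - $($sig.StatusMessage)"
    if ($null -ne $sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        Write-Host "   subject  : $($cert.Subject)"
        Write-Host "   issuer   : $($cert.Issuer)"
        Write-Host "   validity : $($cert.NotBefore) .. $($cert.NotAfter)"
        Write-Host "   self-issued (subject == issuer): $($cert.Subject -eq $cert.Issuer)"
    }
}

# 3. Autostart: the report shows the value under the machine-wide Run key; the WOW6432Node
#    and per-user keys are checked too (assumption: an installer may place the entry there).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
        if ($p.Name -eq 'InstaTime' -or "$($p.Value)" -match 'instatime\.exe') {
            Write-Host "autostart: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 4. If the process is running, list its established TCP connections so they can be
#    compared with the hosts in the report (Get-NetTCPConnection: Windows 8 / 2012 or later).
foreach ($proc in @(Get-Process -Name instatime -ErrorAction SilentlyContinue)) {
    Write-Host "running: PID $($proc.Id) $($proc.Path)"
    Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "   $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort)" }
}
```

Run it from an elevated prompt so that every profile's AppData directory is readable. For a certificate like the one above, whose issuer equals its subject, Get-AuthenticodeSignature normally returns a status other than Valid unless someone has imported that certificate into the machine's trusted root store; a Valid status on such a file is therefore itself worth investigating.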


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to dmppixel-shared-mtc-c.evip.aol.com  (64.12.245.38:80)

TCP (HTTP SSL):
Connects to m-prd-pxl-shared-mr1-blue-a.evip.aol.com  (152.163.50.2:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-gru2.facebook.com  (31.13.85.36:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-02-gru2.facebook.com  (157.240.12.35:443)

TCP (HTTP):
Connects to 249.237.189.200.sta.impsat.net.br  (200.189.237.249:80)

TCP (HTTP SSL):
Connects to 186-228-156-58.ded.intelignet.com.br  (186.228.156.58:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.bf1.yahoo.com  (63.250.200.63:443)

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-gru2.fbcdn.net  (31.13.85.52:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-fra3.fbcdn.net  (31.13.93.7:443)

TCP (HTTP SSL):
Connects to upload-lb.eqiad.wikimedia.org  (208.80.154.240:443)

TCP (HTTP SSL):
Connects to text-lb.eqiad.wikimedia.org  (208.80.154.224:443)

TCP (HTTP SSL):
Connects to lr-in-f200.1e100.net  (209.85.233.200:443)

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-frt3.fbcdn.net  (31.13.92.51:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-frt3.facebook.com  (31.13.92.36:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-eze1.facebook.com  (31.13.94.35:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-cdg2.facebook.com  (179.60.192.36:443)

TCP (HTTP SSL):
Connects to ec2-54-77-155-10.eu-west-1.compute.amazonaws.com  (54.77.155.10:443)

TCP (HTTP SSL):
Connects to ec2-52-73-242-62.compute-1.amazonaws.com  (52.73.242.62:443)

TCP (HTTP SSL):
Connects to ec2-52-20-7-211.compute-1.amazonaws.com  (52.20.7.211:443)

TCP (HTTP):
Connects to ec2-50-17-189-123.compute-1.amazonaws.com  (50.17.189.123:80)

Remove instatime.exe - Powered by Reason Core Security