instatime.exe

InstaTime

The executable instatime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘InstaTime’. While running, it connects to the Internet address instagram-p3-shv-01-sin6.fbcdn.net on port 443.
Publisher:
InstaTime  (signed and verified)

MD5:
50a75f98c62e16f83a03c68cfb590045

SHA-1:
b331bb2ebb8df1d28c015bac7a728f2ed61ccf91

SHA-256:
9ee44db8173417154edddedb0c476e3ca5bd9537339418ef9a62d7d71753b09a

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/24/2024 1:34:29 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.12.4.18

File size:
45.6 MB (47,795,408 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\instatime\instatime.exe

Digital Signature
Signed by:

Authority:
InstaTime

Valid from:
6/2/2015 3:10:01 AM

Valid to:
5/30/2025 3:10:01 AM

Subject:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Issuer:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Serial number:
00E63C0FE02346D411

File PE Metadata
Compilation timestamp:
2/20/2016 9:13:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:luK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQv0NV:owC64r1c6ZgnUSrLpbUAdBUQq6/BLruV

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 
[+]

Entropy:
6.8738

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstaTime

Command:
C:\users\{user}\appdata\roaming\instatime\instatime.exe su


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to unknown.telstraglobal.net  (210.176.156.25:443)

TCP (HTTP):
Connects to ec2-54-235-132-90.compute-1.amazonaws.com  (54.235.132.90:80)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.sg3.yahoo.com  (106.10.162.43:443)

TCP (HTTP SSL):
Connects to a23-46-108-136.deploy.static.akamaitechnologies.com  (23.46.108.136:443)

TCP (HTTP SSL):
Connects to l1.ycs.vip.inc.yahoo.com  (203.84.220.80:443)

TCP (HTTP SSL):
Connects to server-54-230-147-5.sfo4.r.cloudfront.net  (54.230.147.5:443)

TCP (HTTP SSL):
Connects to r2.ycpi.vip.ne1.yahoo.net  (98.138.81.73:443)

TCP (HTTP SSL):
Connects to ec2-54-86-12-10.compute-1.amazonaws.com  (54.86.12.10:443)

TCP (HTTP SSL):
Connects to a23-7-240-14.deploy.static.akamaitechnologies.com  (23.7.240.14:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-ams3.fbcdn.net  (31.13.91.6:443)

TCP (HTTP):
Connects to tags.expo9.exponential.com  (204.11.109.76:80)

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-ams3.fbcdn.net  (31.13.91.52:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-sin6.facebook.com  (157.240.7.35:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-ams3.facebook.com  (31.13.91.36:443)

TCP (HTTP):

TCP (HTTP):
Connects to ec2-54-77-116-233.eu-west-1.compute.amazonaws.com  (54.77.116.233:80)

TCP (HTTP):

TCP (HTTP):
Connects to ec2-54-148-136-137.us-west-2.compute.amazonaws.com  (54.148.136.137:80)

TCP (HTTP):
Connects to ec2-52-52-174-92.us-west-1.compute.amazonaws.com  (52.52.174.92:80)

TCP (HTTP SSL):
Connects to ec2-52-40-164-62.us-west-2.compute.amazonaws.com  (52.40.164.62:443)

Remove instatime.exe - Powered by Reason Core Security