instatime.exe

InstaTime

The application instatime.exe by InstaTime has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘InstaTime’. While running, it connects to the Internet address edge-star-mini-shv-01-gru2.facebook.com on port 443.
Publisher:
InstaTime  (signed and verified)

MD5:
1fcdb5f7d07f43ac55e43252665bdd09

SHA-1:
dd8e1618b6c5719412dd2712e96096ba94b41b87

SHA-256:
778ceefb7daa90a688e1a94ad0c5d398b539a4127cd2980a9faa1bdcf32a06bd

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/5/2024 4:33:14 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.InstaTim (M)

Engine version:
16.5.2.12

File size:
45.6 MB (47,788,552 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\instatime\instatime.exe

Digital Signature
Signed by:

Authority:
InstaTime

Valid from:
6/1/2015 2:40:01 PM

Valid to:
5/29/2025 2:40:01 PM

Subject:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Issuer:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Serial number:
00E63C0FE02346D411

File PE Metadata
Compilation timestamp:
2/20/2016 7:43:51 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:suK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQvGXe:xwC64r1c6ZgnUSrLpbUAdBUQq6/BLr6e

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8734

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstaTime

Command:
C:\users\{user}\appdata\roaming\instatime\instatime.exe su

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-gru2.fbcdn.net  (31.13.85.52:443)

TCP (HTTP):
Connects to 208.185.50.90.IPYX-063360-004-ZYO.zip.zayo.com  (208.185.50.90:80)

TCP (HTTP SSL):
Connects to 208.185.50.35.IPYX-063360-004-ZYO.zip.zayo.com  (208.185.50.35:443)

TCP (HTTP):
Connects to cassiopeia.caixa.gov.br  (200.201.166.253:80)

TCP (HTTP):
Connects to 206-141.amazon.com  (72.21.206.141:80)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-gru2.fbcdn.net  (31.13.85.4:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-gru2.facebook.com  (31.13.85.36:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-02-gru2.facebook.com  (157.240.12.35:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-waw1.fbcdn.net  (31.13.81.13:443)

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-waw1.fbcdn.net  (31.13.81.52:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-waw1.facebook.com  (31.13.81.36:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.bf1.yahoo.com  (63.250.200.63:443)

TCP (HTTP SSL):
Connects to e2-ha.ycpi.bra.yahoo.com  (200.152.162.143:443)

TCP (HTTP SSL):
Connects to e2.ycpi.vip.nya.yahoo.com  (69.147.82.61:443)

TCP (HTTP SSL):
Connects to e1-ha.ycpi.bra.yahoo.com  (200.152.162.189:443)

TCP (HTTP SSL):
Connects to a1.ue.vip.bf1.yahoo.net  (76.13.28.196:443)

TCP (HTTP SSL):
Connects to a-0001.a-msedge.net  (204.79.197.200:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-02-gru2.fbcdn.net  (157.240.12.16:443)

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-frt3.fbcdn.net  (31.13.92.51:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.ir2.yahoo.com  (217.12.15.96:443)

Remove instatime.exe - Powered by Reason Core Security