instatime.exe

InstaTime

The executable instatime.exe is flagged as malware by 1 of 68 anti-virus scanners (Reason's own heuristic engine, which classifies it as a PUP). It is set to execute automatically whenever any user logs into Windows, via a Run value named 'InstaTime' under the all-users key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (see Startup File below); note that the registered command points into a per-user AppData path. While running, it connects to the Internet address instagram-p3-shv-01-sin6.fbcdn.net on port 443.
Publisher:
InstaTime  (signed; the certificate is self-signed, see Digital Signature below)

MD5:
ff5462cd5a6c1fa35e47201321a65826

SHA-1:
eeb463a24bb0e3711996e9d653f0b2901bdaf17c

SHA-256:
40fefda1d2483602623dc2107f319c8bd23cbeaa74940dc7ad517fe7f77630f7

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/24/2024 1:42:36 AM UTC

Scan engine        Detection   Engine version
Reason Heuristics  PUP (M)     17.2.8.3

File size:
45.6 MB (47,795,408 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\instatime\instatime.exe

Digital Signature
Signed by:
InstaTime

Authority:
InstaTime  (self-signed: the Subject and Issuer fields below are identical, so no certificate authority vouches for the publisher name; an intact signature here does not establish who built the file)

Valid from:
6/1/2015 5:40:01 PM

Valid to:
5/29/2025 5:40:01 PM

Subject:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Issuer:
E=softninjas@gmail.com, CN=InstaTime, O=InstaTime, S=Some-State, C=US

Serial number:
00E63C0FE02346D411

File PE Metadata
Compilation timestamp:
1/14/2017 1:33:31 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C99451

Entry point:
E8, 9A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, B8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, B8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, B8, EC, 02, 02, 74, 21, 6A, 17, E8, C9, 2D, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8717

Code size:
34.9 MB (36,635,648 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
InstaTime

Command:
C:\users\{user}\appdata\roaming\instatime\instatime.exe su
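
The following is an added triage script, not part of the Reason Core report, that checks a host for the Run entry above, hashes the file the entry points to against the MD5/SHA-256 listed on this page, and inspects the Authenticode certificate to confirm the self-signed subject/issuer relationship shown in the Digital Signature section. It assumes an elevated PowerShell session on the host being examined; the value name, hashes and path pattern come from the report, while the function names and the path-extraction regex are this example's own.

```powershell
# Added example, not part of the Reason Core report. Assumes an elevated
# PowerShell session on the host under triage.

$ValueName   = 'InstaTime'
$KnownSha256 = '40fefda1d2483602623dc2107f319c8bd23cbeaa74940dc7ad517fe7f77630f7'
$KnownMd5    = 'ff5462cd5a6c1fa35e47201321a65826'

# The summary mentions a per-user key and the detail section shows HKLM, so
# check both hives (plus the WOW6432Node view on 64-bit Windows).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Find-InstaTimeRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            if ($p.Name -eq $ValueName -or "$($p.Value)" -match 'instatime\.exe') {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = "$($p.Value)" }
            }
        }
    }
}

function Test-InstaTimeFile {
    param([Parameter(Mandatory)][string]$Command)

    # The Run value on the page is '<path>\instatime.exe su'; drop the argument
    # (and any surrounding quotes) to recover the executable path.
    $exe = $Command -replace '^"?([^"]+?\.exe)"?.*$', '$1'
    if (-not (Test-Path -LiteralPath $exe)) {
        return [PSCustomObject]@{ Path = $exe; Present = $false }
    }

    $sha256  = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
    $md5     = (Get-FileHash -LiteralPath $exe -Algorithm MD5).Hash.ToLower()
    $sig     = Get-AuthenticodeSignature -FilePath $exe
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { $null }
    $issuer  = if ($cert) { $cert.Issuer }  else { $null }

    [PSCustomObject]@{
        Path          = $exe
        Present       = $true
        Sha256Matches = ($sha256 -eq $KnownSha256)
        Md5Matches    = ($md5 -eq $KnownMd5)
        SigStatus     = $sig.Status   # 'Valid' only if the chain ends at a trusted root
        Subject       = $subject
        Issuer        = $issuer
        # Identical subject and issuer (as on this page) means self-signed:
        # the signature can be intact yet vouch for nothing about the publisher.
        SelfSigned    = ($cert -and $subject -eq $issuer)
    }
}

$entries = Find-InstaTimeRunEntries
if (-not $entries) {
    Write-Host 'No InstaTime Run entry found in HKLM or HKCU.'
} else {
    foreach ($e in $entries) {
        Write-Host "Run entry: $($e.Key) -> $($e.Name) = $($e.Command)"
        Test-InstaTimeFile -Command $e.Command | Format-List
    }
}
```

A hash mismatch does not clear the host: it only means the file differs from the sample analysed here, which is common across installer versions. The SigStatus field will generally not read Valid for a self-signed signer, and SelfSigned is the check that matters, since Reason's "signed and verified" wording only reflects that the signature blob matches the file, not that any CA issued the certificate.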


The following network connections were observed from the running file in live environments (hostname, then IP:port).

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.sg3.yahoo.com  (106.10.162.43:443)

TCP (HTTP SSL):
Connects to l1.ycs.vip.inc.yahoo.com  (203.84.220.80:443)

TCP (HTTP):
Connects to mumbai-122-19.primenet.in  (203.115.122.19:80)

TCP (HTTP SSL):
Connects to instagram-p3-shv-01-lht6.fbcdn.net  (157.240.1.52:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lht6.facebook.com  (157.240.1.35:443)

TCP (HTTP):
Connects to ec2-54-243-110-17.compute-1.amazonaws.com  (54.243.110.17:80)

TCP (HTTP):
Connects to ec2-184-73-214-150.compute-1.amazonaws.com  (184.73.214.150:80)

TCP (HTTP):
Connects to unknown.telstraglobal.net  (210.176.156.21:80)

TCP (HTTP):
Connects to ox-173-241-248-143.xf.dc.openx.org  (173.241.248.143:80)

TCP (HTTP SSL):
Connects to fna-instagram-shv-01-fdel1.fbcdn.net  (157.240.189.32:443)

TCP (HTTP):
Connects to ec2-54-197-238-140.compute-1.amazonaws.com  (54.197.238.140:80)

TCP (HTTP):
Connects to s-prd-umpxl-adcom-scd-blue-b.evip.aol.com  (149.174.66.131:80)

TCP (HTTP):
Connects to s-prd-umpxl-adcom-scd-a.evip.aol.com  (152.163.13.4:80)

TCP (HTTP):
Connects to s-prd-pxl-adcom-scd-blue-b.evip.aol.com  (149.174.66.134:80)

TCP (HTTP):
Connects to sjc06-login.dotomi.com  (205.180.87.204:80)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.bf1.yahoo.com  (63.250.200.63:443)

TCP (HTTP SSL):
Connects to r1.ycpi.vip.ne1.yahoo.net  (98.138.81.72:443)

TCP (HTTP):
Connects to px-acs001.quantserve.com.akadns.net  (203.190.124.20:80)
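
The block below is an added example, not part of the Reason Core report, that turns the connection list above into a lookup over proxy log lines. The hostnames and IPs are copied from the list; the log lines are constructed for illustration, and the split into high- and low-confidence indicators is this example's own judgement (Facebook/Instagram, Yahoo, AOL, OpenX, Dotomi and Quantcast endpoints are shared CDN or ad infrastructure that ordinary browsing also touches), not something the report states.

```powershell
# Added example, not part of the Reason Core report. Log lines are constructed;
# the confidence grouping is this example's assumption.

# Report hostnames that are not obviously shared CDN/ad infrastructure.
$HighConfidence = @{
    'mumbai-122-19.primenet.in'                  = '203.115.122.19'
    'ec2-54-243-110-17.compute-1.amazonaws.com'  = '54.243.110.17'
    'ec2-184-73-214-150.compute-1.amazonaws.com' = '184.73.214.150'
    'ec2-54-197-238-140.compute-1.amazonaws.com' = '54.197.238.140'
    'unknown.telstraglobal.net'                  = '210.176.156.21'
}
# Endpoints that also appear in ordinary browsing; a hit here alone is weak.
$LowConfidence = @(
    'instagram-p3-shv-01-lht6.fbcdn.net', 'edge-star-mini-shv-01-lht6.facebook.com',
    'fna-instagram-shv-01-fdel1.fbcdn.net', 'rtr3.l7.search.vip.sg3.yahoo.com',
    'l1.ycs.vip.inc.yahoo.com', 'rtr3.l7.search.vip.bf1.yahoo.com',
    'r1.ycpi.vip.ne1.yahoo.net', 'ox-173-241-248-143.xf.dc.openx.org',
    's-prd-umpxl-adcom-scd-blue-b.evip.aol.com', 's-prd-umpxl-adcom-scd-a.evip.aol.com',
    's-prd-pxl-adcom-scd-blue-b.evip.aol.com', 'sjc06-login.dotomi.com',
    'px-acs001.quantserve.com.akadns.net'
)

# Constructed sample lines: <epoch> <client_ip> <dest_host> <dest_ip> <dest_port>
$SampleLog = @(
    '1735000000 10.0.0.5 mumbai-122-19.primenet.in 203.115.122.19 80',
    '1735000010 10.0.0.5 instagram-p3-shv-01-lht6.fbcdn.net 157.240.1.52 443',
    '1735000020 10.0.0.7 www.example.com 93.184.216.34 443',
    '1735000030 10.0.0.5 - 54.243.110.17 80'   # no hostname logged; matches on IP only
)

function Find-InstaTimeNetworkHits {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        $dstHost = $f[2]; $dstIp = $f[3]
        $confidence = $null
        if ($HighConfidence.ContainsKey($dstHost) -or $HighConfidence.ContainsValue($dstIp)) {
            $confidence = 'high'
        } elseif ($LowConfidence -contains $dstHost) {
            $confidence = 'low'
        }
        if ($confidence) {
            [PSCustomObject]@{
                Confidence = $confidence
                Client     = $f[1]
                DestHost   = $dstHost
                DestIp     = $dstIp
                Port       = $f[4]
            }
        }
    }
}

# Group hits per client: one machine touching several indicators in a short
# window is a stronger signal than any single line.
Find-InstaTimeNetworkHits -Lines $SampleLog |
    Group-Object Client |
    ForEach-Object {
        $high = @($_.Group | Where-Object Confidence -eq 'high').Count
        '{0}: {1} hit(s), {2} high-confidence' -f $_.Name, $_.Count, $high
    }
```

Matching on the EC2 and fbcdn hostnames is fragile because those records rotate; the IP column is kept in the lookup for that reason, and on a real log the list should be refreshed from a current sample rather than reused verbatim from this page.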
