messengertime.exe

SoftNinjas

The application messengertime.exe by SoftNinjas has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘MessengerTime’. While running, it connects to the Internet address edge-star-mini-shv-01-cdg2.facebook.com on port 443.
Publisher:
SoftNinjas  (signed and verified)

MD5:
1eb45d2fb9db50c2963103cc4ba33721

SHA-1:
8408fffa817538a7ce1cefe22417732a7ebf833d

SHA-256:
5659a4ea663ee1ef8d9a34127e6eacdee97f7a439deef89051163872c350a2db

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 1:28:29 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.WikiZ
17.3.10.10

File size:
45.6 MB (47,787,744 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\messengertime\messengertime.exe

Digital Signature
Signed by:

Authority:
SoftNinjas

Valid from:
8/10/2015 7:59:03 PM

Valid to:
8/7/2025 7:59:03 PM

Subject:
CN=MessengerTime, O=SoftNinjas, S=Some-State, C=US

Issuer:
CN=MessengerTime, O=SoftNinjas, S=Some-State, C=US

Serial number:
00F1F3BE66B4319891

File PE Metadata
Compilation timestamp:
2/17/2017 12:17:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C9A083

Entry point:
E8, 98, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, A7, 20, 00, 00, 85, C0, 74, 08, 6A, 16, E8, 6A, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, 97, 24, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A7, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 14, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 
[+]

Code size:
34.9 MB (36,637,696 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
MessengerTime

Command:
C:\users\{user}\appdata\roaming\messengertime\messengertime.exe su


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.ir2.yahoo.com  (217.12.15.96:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-cdg2.facebook.com  (179.60.192.3:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-cdg2.facebook.com  (179.60.192.36:443)

TCP (HTTP SSL):
Connects to elgiganten.se.ssl.d1.sc.omtrdc.net  (63.140.43.116:443)

TCP (HTTP SSL):
Connects to e2.ycpi.vip.amb.yahoo.com  (87.248.116.12:443)

TCP (HTTP SSL):
Connects to a1.ue.vip.ir2.yahoo.net  (77.238.185.49:443)

TCP (HTTP SSL):
Connects to 203-el-vpx.tripnet.se  (217.28.206.203:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-cdg2.fbcdn.net  (179.60.192.7:443)

TCP (HTTP SSL):
Connects to e1.ycpi.vip.amb.yahoo.com  (87.248.116.11:443)

TCP (HTTP SSL):
Connects to a95-101-142-107.deploy.akamaitechnologies.com  (95.101.142.107:443)

TCP (HTTP SSL):
Connects to pprd1-rtr2.manhattan.vip.bf1.yahoo.com  (72.30.203.224:443)

TCP (HTTP SSL):
Connects to mpr2.ngd.vip.ir2.yahoo.com  (217.12.15.54:443)

TCP (HTTP):
Connects to ec2-54-235-102-46.compute-1.amazonaws.com  (54.235.102.46:80)

TCP (HTTP):
Connects to ec2-54-197-238-140.compute-1.amazonaws.com  (54.197.238.140:80)

TCP (HTTP SSL):
Connects to ec2-52-45-159-13.compute-1.amazonaws.com  (52.45.159.13:443)

TCP (HTTP SSL):
Connects to ec2-184-169-175-212.us-west-1.compute.amazonaws.com  (184.169.175.212:443)

TCP (HTTP SSL):
Connects to e1.ycpi.vip.deb.yahoo.com  (87.248.118.22:443)

TCP (HTTP SSL):
Connects to a23-223-38-234.deploy.static.akamaitechnologies.com  (23.223.38.234:443)

TCP (HTTP SSL):
Connects to a104-75-68-229.deploy.static.akamaitechnologies.com  (104.75.68.229:443)

TCP (HTTP SSL):
Connects to upload-lb.esams.wikimedia.org  (91.198.174.208:443)

Remove messengertime.exe - Powered by Reason Core Security