messengertime.exe

SoftNinjas

The application messengertime.exe by SoftNinjas has been detected as a potentially unwanted program by 1 of 68 anti-malware scanners (Reason Heuristics, as PUP.WikiZ). A single heuristic detection is a weak signal on its own; the stronger indicators are the ones recorded below: the file is set to execute when any user logs into Windows through the machine-wide Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the name 'MessengerTime' even though it lives in one user's roaming AppData folder, its code-signing certificate is self-signed (subject and issuer are identical), and while running it connects to the Kelkoo endpoint dc1-ads-pub-ws-vip.kelkoo.com on port 443 among a longer list of destinations.
Publisher:
SoftNinjas  (signed; the signature verifies against a self-signed certificate, CN=MessengerTime, not one issued by a trusted CA)

MD5:
bffbfa74c8bc6b5cfd074fe0c5f1f78c

SHA-1:
d66ae7bca0e55b6b4f34c7dbb0697bd433c881b4

SHA-256:
d6a834103490d3aee032dac62c38ae6ec63387ac0ec0947dd6c06e3420b15760

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 1:38:40 AM UTC

Scan engine         Detection    Engine version
Reason Heuristics   PUP.WikiZ    17.3.1.14

File size:
45.6 MB (47,813,512 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\messengertime\messengertime.exe

Digital Signature
Signed by:

Authority:
SoftNinjas

Valid from:
8/10/2015 11:29:03 PM

Valid to:
8/7/2025 11:29:03 PM

Subject:
CN=MessengerTime, O=SoftNinjas, S=Some-State, C=US

Issuer:
CN=MessengerTime, O=SoftNinjas, S=Some-State, C=US

Serial number:
00F1F3BE66B4319891

File PE Metadata
Compilation timestamp:
2/17/2017 4:47:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C9A083

Entry point:
E8, 98, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, A7, 20, 00, 00, 85, C0, 74, 08, 6A, 16, E8, 6A, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, 97, 24, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A7, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 14, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 

Entropy:
6.8714

Code size:
34.9 MB (36,637,696 bytes)
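The "Entry address", "Entry point" and "Entropy" fields above are computed from the PE headers and the raw file. The following added example (not code from the scan report or from SoftNinjas) reproduces them for any PE32/PE32+ file using only the Python standard library, and builds a constructed minimal PE32 image so it runs offline; that constructed image is not messengertime.exe, it merely reuses the first entry-point bytes quoted in the report so the output is recognisable.

```python
import math
import struct

# Added example, not code from the scan report. Reproduces three "File PE Metadata"
# fields (entry address, entry-point bytes, entropy) for a PE32 or PE32+ file using
# only the standard library. build_sample_pe() is a constructed stand-in, not the
# real binary.


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes.
    Unpacked native code usually sits around 6-7 for the whole file; values close
    to 8 over a large region suggest packing or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_entry_point(image: bytes, nbytes: int = 16):
    """Return (entry_va, entry_bytes): ImageBase + AddressOfEntryPoint, and the
    first `nbytes` at the file offset of the section containing the entry RVA."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == 0x10B:                                # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == 0x20B:                              # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = opt + opt_size                         # IMAGE_SECTION_HEADER[]
    for i in range(num_sections):
        hdr = sections + i * 40
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        if va <= entry_rva < va + max(vsize, rawsize):
            off = rawptr + (entry_rva - va)           # RVA -> file offset
            return image_base + entry_rva, image[off:off + nbytes]
    raise ValueError("entry RVA 0x%x is not inside any section" % entry_rva)


def format_entry_bytes(entry_bytes: bytes) -> str:
    """Render in the report's 'E8, 98, 3A, ...' style."""
    return ", ".join("%02X" % b for b in entry_bytes)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the real file): one .text section at RVA
    0x1000 / file offset 0x200, entry at RVA 0x1010, ImageBase 0x400000."""
    stub = bytes.fromhex("E8983A0100E97FFEFFFF558BEC")  # first bytes quoted in the report
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)           # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # section / file alignment
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)        # CODE | EXECUTE | READ
    text = bytearray(0x200)
    text[0x10:0x10 + len(stub)] = stub                # lands at RVA 0x1010
    return (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b"\0") + bytes(text)


def describe(image: bytes) -> dict:
    """The three report fields for an in-memory PE image."""
    va, eb = pe_entry_point(image)
    return {"entry_address": "0x%X" % va,
            "entry_point": format_entry_bytes(eb),
            "entropy": round(shannon_entropy(image), 4)}


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in describe(data).items():
        print("%s: %s" % (key, value))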

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
MessengerTime

Command:
C:\users\{user}\appdata\roaming\messengertime\messengertime.exe su

Note: the value sits in the machine-wide Run key, so it runs at every user's logon and writing it required administrative rights at install time, yet the binary it launches lives in one user's roaming profile, a folder that user can modify without elevation. Whoever can write to that folder controls what runs in every interactive session on the machine.
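Two checks a responder would run on a host showing this Run entry, as an added example that is not code from the scan report or from SoftNinjas: flag Run values that launch from a user-writable directory (and, for HKLM, from inside a user profile), and compare a file's digests with the hashes listed in the report. The registry export below is constructed for a hypothetical host and user "alice"; the MessengerTime value in it is the one the report describes.

```python
import hashlib
import re

# Added example, not code from the scan report. Triage of Run-key persistence plus
# a hash comparison against the report's indicators.

# Hashes quoted in the report for messengertime.exe.
REPORTED_HASHES = {
    "md5": "bffbfa74c8bc6b5cfd074fe0c5f1f78c",
    "sha1": "d66ae7bca0e55b6b4f34c7dbb0697bd433c881b4",
    "sha256": "d6a834103490d3aee032dac62c38ae6ec63387ac0ec0947dd6c06e3420b15760",
}

# Constructed `reg export` output for a hypothetical host (not real data).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"MessengerTime"="C:\\users\\alice\\appdata\\roaming\\messengertime\\messengertime.exe su"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
'''

# Path fragments an unprivileged user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_reg_export(text):
    """Yield (key, value_name, command) from .reg text, unescaping \\\\ and \\"."""
    key = None
    for line in text.splitlines():
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and key:
            name, raw = m.groups()
            yield key, name, raw.replace('\\"', '"').replace("\\\\", "\\")


def executable_path(command):
    """First token of a Run command: a quoted path, or text up to the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_autoruns(text):
    """{value_name: [reasons]} for Run values that deserve a closer look."""
    findings = {}
    for key, name, command in parse_reg_export(text):
        path = executable_path(command).lower()
        reasons = []
        if key.upper().startswith("HKEY_LOCAL_MACHINE") and "\\users\\" in path:
            reasons.append("machine-wide Run value launches from a user profile")
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("launches from a user-writable directory")
        if reasons:
            findings[name] = reasons
    return findings


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report(data: bytes) -> set:
    """Algorithms whose digest of `data` equals the reported one (empty set = no match)."""
    return {alg for alg, digest in file_hashes(data).items() if digest == REPORTED_HASHES[alg]}


if __name__ == "__main__":
    import sys
    for name, reasons in triage_autoruns(SAMPLE_REG_EXPORT).items():
        print(name, "->", "; ".join(reasons))
    if len(sys.argv) > 1:                      # optional: a file to hash
        with open(sys.argv[1], "rb") as f:
            print("hash match:", matches_report(f.read()) or "none")
```

A hit is a lead, not a verdict: the constructed OneDrive value is flagged for running from AppData even though that is where OneDrive legitimately lives, which is why the HKLM-plus-user-profile rule is the stronger of the two. On a real host, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` produces the input; the file it writes is UTF-16, so open it with `encoding="utf-16"` before handing the text to `triage_autoruns`.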


The executing file has been seen to make the following network communications in live environments. Most destinations are Facebook/fbcdn edge nodes, Yahoo front ends and CDN or cloud hosts (CloudFront, Akamai, EC2); the ones to look at first in an investigation are the two Kelkoo endpoints (the only plaintext HTTP connection goes to one of them), the address with no reverse DNS name (212.85.68.122) and the host with only a generic ISP reverse name (host213-123-242-170.in-addr.btopenworld.com).

TCP/443 (HTTPS)  edge-star-mini-shv-01-cdg2.facebook.com                 179.60.192.36
TCP/443 (HTTPS)  edge-star-shv-01-cdg2.facebook.com                      179.60.192.3
TCP/443 (HTTPS)  xx-fbcdn-shv-01-cdg2.fbcdn.net                          179.60.192.7
TCP/443 (HTTPS)  dc1-ads-pub-ws-vip.kelkoo.com                           95.211.116.66
TCP/80  (HTTP)   dc1-kls-pub-css-vip.kelkoo.com                          95.211.116.18
TCP/443 (HTTPS)  122.68.85.212.in-addr.arpa (no reverse DNS name)        212.85.68.122
TCP/443 (HTTPS)  rtr3.l7.search.vip.ir2.yahoo.com                        217.12.15.96
TCP/443 (HTTPS)  edge-star-shv-01-vie1.facebook.com                      31.13.84.8
TCP/443 (HTTPS)  xx-fbcdn-shv-01-vie1.fbcdn.net                          31.13.84.4
TCP/443 (HTTPS)  server-54-230-93-113.fra2.r.cloudfront.net              54.230.93.113
TCP/443 (HTTPS)  ec2-54-210-204-41.compute-1.amazonaws.com               54.210.204.41
TCP/443 (HTTPS)  e1.ycpi.vip.deb.yahoo.com                               87.248.118.22
TCP/443 (HTTPS)  a104-108-50-170.deploy.static.akamaitechnologies.com    104.108.50.170
TCP/443 (HTTPS)  xx-fbcdn-shv-01-lht6.fbcdn.net                          157.240.1.23
TCP/443 (HTTPS)  xx-fbcdn-shv-01-lhr3.fbcdn.net                          31.13.90.6
TCP/443 (HTTPS)  xx-fbcdn-shv-01-frt3.fbcdn.net                          31.13.92.14
TCP/443 (HTTPS)  host213-123-242-170.in-addr.btopenworld.com             213.123.242.170
TCP/443 (HTTPS)  host211-rangeA-akamai-aanp.cdn.englw.isp.sky.com        176.255.202.211
TCP/443 (HTTPS)  edge-star-shv-01-lht6.facebook.com                      157.240.1.18
TCP/443 (HTTPS)  edge-star-shv-01-lhr3.facebook.com                      31.13.90.2
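To turn the destination list into something a SOC can run over telemetry, the following added example (not code from the scan report or from SoftNinjas) matches TLS connection records against the reported destinations by responder IP first and by TLS server name as a fallback, since the IP behind an edge or CDN name changes while the name persists. The log excerpt is constructed in a Zeek ssl.log-like tab-separated layout (an assumption about the input format), and the HIGH_SIGNAL split between Kelkoo/unnamed hosts and ordinary Facebook/Yahoo/CDN traffic is this example's triage judgement, not a statement made by the report.

```python
# Added example, not code from the scan report. IOC matching of the report's
# destination list against constructed TLS connection logs.

# Destinations exactly as listed in the report: responder IP, port, hostname.
REPORTED = """
179.60.192.36   443 edge-star-mini-shv-01-cdg2.facebook.com
179.60.192.3    443 edge-star-shv-01-cdg2.facebook.com
179.60.192.7    443 xx-fbcdn-shv-01-cdg2.fbcdn.net
95.211.116.66   443 dc1-ads-pub-ws-vip.kelkoo.com
95.211.116.18    80 dc1-kls-pub-css-vip.kelkoo.com
212.85.68.122   443 122.68.85.212.in-addr.arpa
217.12.15.96    443 rtr3.l7.search.vip.ir2.yahoo.com
31.13.84.8      443 edge-star-shv-01-vie1.facebook.com
31.13.84.4      443 xx-fbcdn-shv-01-vie1.fbcdn.net
54.230.93.113   443 server-54-230-93-113.fra2.r.cloudfront.net
54.210.204.41   443 ec2-54-210-204-41.compute-1.amazonaws.com
87.248.118.22   443 e1.ycpi.vip.deb.yahoo.com
104.108.50.170  443 a104-108-50-170.deploy.static.akamaitechnologies.com
157.240.1.23    443 xx-fbcdn-shv-01-lht6.fbcdn.net
31.13.90.6      443 xx-fbcdn-shv-01-lhr3.fbcdn.net
31.13.92.14     443 xx-fbcdn-shv-01-frt3.fbcdn.net
213.123.242.170 443 host213-123-242-170.in-addr.btopenworld.com
176.255.202.211 443 host211-rangeA-akamai-aanp.cdn.englw.isp.sky.com
157.240.1.18    443 edge-star-shv-01-lht6.facebook.com
31.13.90.2      443 edge-star-shv-01-lhr3.facebook.com
"""

# Name fragments that separate this binary's traffic from ordinary browsing to
# Facebook, Yahoo and CDNs. This split is an assumption made for triage here.
HIGH_SIGNAL = ("kelkoo.com", "in-addr.arpa", "in-addr.btopenworld.com")

# Constructed ssl.log-style excerpt (fields: ts, id.orig_h, id.resp_h, id.resp_p,
# server_name); 10.0.0.21 and the 192.0.2.x responders are placeholder addresses.
SAMPLE_SSL_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tserver_name",
    "1732325000.1\t10.0.0.21\t95.211.116.66\t443\tdc1-ads-pub-ws-vip.kelkoo.com",
    "1732325001.3\t10.0.0.21\t31.13.84.8\t443\twww.facebook.com",
    "1732325002.9\t10.0.0.21\t192.0.2.10\t443\texample.net",
    "1732325003.2\t10.0.0.21\t192.0.2.11\t443\tdc1-ads-pub-ws-vip.kelkoo.com",
    "1732325004.7\t10.0.0.21\t213.123.242.170\t443\t-",
])


def load_reported(text: str = REPORTED) -> dict:
    """{responder_ip: (port, hostname)} from the report's destination list."""
    table = {}
    for line in text.strip().splitlines():
        ip, port, host = line.split()
        table[ip] = (int(port), host)
    return table


def parse_ssl_log(text: str) -> list:
    """Parse the tab-separated excerpt, skipping Zeek-style '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, sni = line.split("\t")
        records.append({"ts": ts, "orig_h": orig, "resp_h": resp,
                        "resp_p": int(port), "server_name": sni})
    return records


def match_destinations(records: list, reported: dict = None) -> list:
    """Records whose responder IP, or failing that TLS server name, is in the
    report; each hit carries the reported hostname, how it matched, and a
    high_signal flag."""
    reported = reported if reported is not None else load_reported()
    by_name = {host: ip for ip, (port, host) in reported.items()}
    hits = []
    for r in records:
        if r["resp_h"] in reported:
            host, how = reported[r["resp_h"]][1], "ip"
        elif r["server_name"] in by_name:
            host, how = r["server_name"], "sni"
        else:
            continue
        hits.append({**r, "reported_host": host, "matched_by": how,
                     "high_signal": any(m in host for m in HIGH_SIGNAL)})
    return hits


if __name__ == "__main__":
    for h in match_destinations(parse_ssl_log(SAMPLE_SSL_LOG)):
        flag = "HIGH" if h["high_signal"] else "low "
        print(flag, h["orig_h"], "->", h["resp_h"], h["reported_host"], "(%s)" % h["matched_by"])
```

The Facebook and Yahoo entries will match ordinary user traffic on almost any endpoint, so by themselves they say nothing; a host that hits the Kelkoo names or the unnamed 212.85.68.122 together with the Run-key entry above is the combination worth escalating.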

Remove messengertime.exe - Powered by Reason Core Security