twittertime.exe

TwitterTime

The application twittertime.exe by TwitterTime has been flagged as a potentially unwanted program by 1 of 68 anti-malware scanners (a heuristic detection, PUP.WikiZ). It is configured to start automatically at Windows logon through a Run registry value named ‘TwitterTime’; the entry recorded on this page sits under the all-users key HKLM\...\Run, even though the executable itself is stored in a per-user AppData directory. While running, it connects to the Internet address r-199-59-148-139.twttr.com on port 443.
Publisher:
TwitterTime  (signed; the certificate is self-signed, see Digital Signature below)

MD5:
6b457539b0133637ca3639ca864a6169

SHA-1:
3ee8d7f9a9b35edff79bdc85ef43e591020a267e

SHA-256:
6e284bedc4e8a1e8d53fa1e1b62da9ba6921e79df7d81f3a538dcc4cc4729f78

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 1:14:01 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.WikiZ

Engine version:
16.8.2.14

File size:
45.6 MB (47,782,472 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\twittertime\twittertime.exe

Digital Signature
Signed by:
TwitterTime
Authority:
TwitterTime

Valid from:
11/12/2015 1:17:36 AM

Valid to:
11/9/2025 1:17:36 AM

Subject:
CN=TwitterTime, O=TwitterTime, S=Some-State, C=US

Issuer:
CN=TwitterTime, O=TwitterTime, S=Some-State, C=US

Serial number:
00ABE8EDD9D1FE1E8C

The Subject and Issuer fields are identical, so this is a self-signed certificate. It does not chain to a public certificate authority; the signature only shows that the file has not been altered since whoever holds this private key signed it, not that a CA vetted the publisher's identity. Treat the "signed" status accordingly when deciding whether to trust the file.

File PE Metadata
Compilation timestamp:
2/20/2016 6:43:51 PM

Minimum OS version (PE header):
5.1 (Windows XP)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0 (MSVC toolset shipped with Visual Studio 2013)

CTPH (ssdeep):
786432:8uK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQXE2k:hwC64r1c6ZgnUSrLpbUAdBUQq6/BLjxk

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 
[+]

Entropy:
6.8646 (below the 7.0+ values typical of packed or encrypted executables; consistent with a large, unpacked compiled binary)

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
TwitterTime

Command:
C:\users\{user}\appdata\roaming\twittertime\twittertime.exe su

{user} is this page's placeholder for the profile name. Because the value lives under the all-users HKLM Run key but points into one user's profile, the command runs at every logon on the machine and fails for accounts that do not have the file at that path; the trailing "su" argument is passed to the executable on each start.


The executing file has been seen to make the following network communications in live environments. All of the entries below are plain HTTP on port 80; several host names (rtb-pixel, masterPixelList, openx) are advertising and tracking endpoints, which fits the potentially-unwanted classification. The port-443 connection to r-199-59-148-139.twttr.com noted at the top of this page is not part of this list.

TCP (HTTP):
Connects to w8.thefreedictionary.com  (85.195.124.227:80)

TCP (HTTP):
Connects to unknown.telstraglobal.net  (210.176.156.25:80)

TCP (HTTP):
Connects to server-54-230-59-14.gru1.r.cloudfront.net  (54.230.59.14:80)

TCP (HTTP):
Connects to server-54-230-141-155.sfo5.r.cloudfront.net  (54.230.141.155:80)

TCP (HTTP):
Connects to rtb-pixel-hk2.everesttech.net  (66.117.25.55:80)

TCP (HTTP):
Connects to ox-173-241-248-220.xf.dc.openx.org  (173.241.248.220:80)

TCP (HTTP):
Connects to ox-173-241-248-143.xf.dc.openx.org  (173.241.248.143:80)

TCP (HTTP):
Connects to mpr2.ngd.vip.sg3.yahoo.com  (106.10.198.32:80)

TCP (HTTP):
Connects to masterPixelList-tp00.everesttech.net  (66.117.25.36:80)

TCP (HTTP):
Connects to imagizer-cv.imageshack.us  (38.99.77.16:80)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP):
Connects to ec2-46-51-205-34.eu-west-1.compute.amazonaws.com  (46.51.205.34:80)

TCP (HTTP):
Connects to cm-hk2.everesttech.net  (66.117.25.58:80)

TCP (HTTP):
Connects to a104-93-105-194.deploy.static.akamaitechnologies.com  (104.93.105.194:80)

TCP (HTTP):
Connects to spdc.pbp.vip.sg3.yahoo.com  (106.10.193.30:80)

TCP (HTTP):
Connects to r2.ycpi.vip.gq1.yahoo.net  (208.71.44.31:80)
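The following is an added triage script, not code from Reason Core Security, that checks a Windows host for the indicators recorded on this page: the 'TwitterTime' Run value (under both the HKLM key listed in the startup section and the per-user HKCU equivalent), the SHA-256 hash, the Authenticode signature and whether its certificate is self-signed, and recent DNS-cache entries for the host names in the network list. It assumes Windows PowerShell 5.1 or later run with enough rights to read HKLM; the host-name subset, the hypothetical function names and the handling of the trailing "su" argument are this example's own choices.

```powershell
# Added example (not from Reason Core Security): triage a host for the
# twittertime.exe indicators on this page. Assumes Windows PowerShell 5.1+.

$ExpectedSha256 = '6e284bedc4e8a1e8d53fa1e1b62da9ba6921e79df7d81f3a538dcc4cc4729f78'
$ValueName      = 'TwitterTime'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',   # key listed on this page
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'    # per-user equivalent
)
# Subset of the domains from the network list above (assumption: this subset is enough)
$KnownHosts = @('twttr.com', 'everesttech.net', 'openx.org', 'thefreedictionary.com')

# Hypothetical helper: return every Run value named 'TwitterTime' and its command line
function Get-TwitterTimeRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props.PSObject.Properties.Name -contains $ValueName) {
            [pscustomobject]@{ Key = $key; Command = $props.$ValueName }
        }
    }
}

# Hypothetical helper: hash the binary and inspect its Authenticode certificate
function Test-TwitterTimeBinary {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Path        = $Path
        HashMatches = ($hash -eq $ExpectedSha256)
        SigStatus   = $sig.Status            # 'Valid' only if the chain is trusted
        Subject     = $cert.Subject
        SelfSigned  = ($cert -and $cert.Subject -eq $cert.Issuer)
    }
}

foreach ($entry in Get-TwitterTimeRunEntries) {
    "Run entry in $($entry.Key): $($entry.Command)"
    # The recorded command is "<path> su"; strip the argument and any quotes
    $exe = ($entry.Command -replace '\s+su\s*$', '').Trim('"')
    Test-TwitterTimeBinary -Path $exe | Format-List
}

# Recent resolutions of the listed ad/CDN hosts (only what is still in the DNS client cache)
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $n = $_.Entry; $KnownHosts | Where-Object { $n -like "*$_" } } |
    Select-Object Entry, Data
```

A `SigStatus` other than `Valid` together with `SelfSigned = True` matches the certificate shown on this page; a hash mismatch means a different build of the file and the rest of the report should not be assumed to apply. The DNS-cache check is opportunistic, since entries expire with their TTL, so an empty result does not rule out the connections listed above.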

Remove twittertime.exe - Powered by Reason Core Security