twittertime.exe

The Foundation

The application twittertime.exe by The Foundation has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘TwitterTime’. While running, it connects to the Internet address text-lb.eqiad.wikimedia.org on port 443.
Publisher:
The Foundation  (signed and verified)

MD5:
5874a9c878ab6a5adcf1d6d818096fd3

SHA-1:
dfee81b6e686c454b15fe9c1f58854fd51dc5d9d

SHA-256:
f8a2ad1534030695d5b57f2ee8f27b9262d2ea3d3decb738e2a5959d111c9929

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 6:02:46 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.TrailerTime.TheFound (M)

Engine version:
16.6.3.10

File size:
45.6 MB (47,771,056 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\twittertime\twittertime.exe

Digital Signature
Signed by:

Authority:
The Foundation

Valid from:
6/14/2015 10:54:30 PM

Valid to:
6/11/2025 10:54:30 PM

Subject:
CN=The Foundation, O=The Foundation, S=Some-State, C=US

Issuer:
CN=The Foundation, O=The Foundation, S=Some-State, C=US

Serial number:
00BFDA29BD9F457AD4

File PE Metadata
Compilation timestamp:
3/5/2015 4:51:42 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:eLJmRGIXff9keaayimwJZHM3SD3K4mNCesWePrumsEUF0pfUUQgaE:etmRGIXff923imwJZMCDVVesWewF3UQ8

Entry address:
0x1C996D1

Entry point:
E8, 9A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, 38, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, 38, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, 38, EC, 02, 02, 74, 21, 6A, 17, E8, A9, 21, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8705

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
TwitterTime

Command:
C:\users\{user}\appdata\roaming\twittertime\twittertime.exe su

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to text-lb.eqiad.wikimedia.org  (208.80.154.224:443)

TCP (HTTP SSL):
Connects to e2.ycpi.vip.bra.yahoo.com  (200.152.162.161:443)

TCP (HTTP SSL):
Connects to upload-lb.eqiad.wikimedia.org  (208.80.154.240:443)

TCP (HTTP SSL):
Connects to e1.ycpi.vip.bra.yahoo.com  (200.152.162.135:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.bf1.yahoo.com  (63.250.200.63:443)

Remove twittertime.exe - Powered by Reason Core Security