whatsapptime.exe

WTApps

The executable whatsapptime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘whatsappTime’. This file is typically installed with the program WhatsappTime - Whatsapp for Desktop by WhatsappTime. While running, it connects to the Internet address b2.e0.559e.ip4.static.sl-reverse.com on port 443.
Publisher:
WTApps  (signed and verified)

MD5:
537d2b877f109694d5403024952feb79

SHA-1:
0448889cf4dafdf73c95d5c197ee83caa5ec0ad3

SHA-256:
0c7057e5a98fc0ed094973113fbcf3df7e41fb3cc0fda1aaa53afed68b3b4337

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/27/2024 7:32:12 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
16.8.2.14

File size:
45.8 MB (48,021,784 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe

Digital Signature
Signed by:

Authority:
WTApps

Valid from:
9/9/2015 2:30:36 PM

Valid to:
9/6/2025 2:30:36 PM

Subject:
CN=WTApps, O=WTApps, S=Some-State, C=US

Issuer:
CN=WTApps, O=WTApps, S=Some-State, C=US

Serial number:
00820714628B1C1CC8

File PE Metadata
Compilation timestamp:
3/5/2015 9:21:42 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:xLJmRGIXff9keaayimwJZHM3SD3K4mNCesWePrumsEUF0pfNU1U:xtmRGIXff923imwJZMCDVVesWewFGUC

Entry address:
0x1C996D1

Entry point:
E8, 9A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, 38, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, 38, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, 38, EC, 02, 02, 74, 21, 6A, 17, E8, A9, 21, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 
[+]

Entropy:
6.8753

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
whatsappTime

Command:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe su


The file whatsapptime.exe has been discovered within the following program.

About 7% of users remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to edge-star-shv-01-hkg3.facebook.com  (31.13.95.8:80)

TCP (HTTP SSL):
Connects to 32.4a.37a9.ip4.static.sl-reverse.com  (169.55.74.50:443)

TCP (HTTP SSL):
Connects to wb-in-f157.1e100.net  (66.102.1.157:443)

TCP (HTTP SSL):
Connects to af.e0.559e.ip4.static.sl-reverse.com  (158.85.224.175:443)

TCP (HTTP):
Connects to a104-124-213-216.deploy.static.akamaitechnologies.com  (104.124.213.216:80)

TCP (HTTP SSL):
Connects to 2d.4a.37a9.ip4.static.sl-reverse.com  (169.55.74.45:443)

TCP (HTTP):
Connects to server-52-85-30-26.mnl50.r.cloudfront.net  (52.85.30.26:80)

TCP (HTTP SSL):
Connects to ec2-54-77-155-10.eu-west-1.compute.amazonaws.com  (54.77.155.10:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-sin6.fbcdn.net  (157.240.7.26:443)

TCP (HTTP SSL):
Connects to b2.e0.559e.ip4.static.sl-reverse.com  (158.85.224.178:443)

TCP (HTTP):
Connects to xx-fbcdn-shv-01-hkg3.fbcdn.net  (31.13.95.12:80)

TCP (HTTP SSL):
Connects to whatsapp-cdn-shv-01-lht6.fbcdn.net  (157.240.1.53:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.ir2.yahoo.com  (217.12.15.96:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.gq1.yahoo.com  (208.71.45.11:443)

TCP (HTTP SSL):
Connects to r2.ycpi.vip.ir2.yahoo.net  (217.12.13.41:443)

TCP (HTTP SSL):
Connects to r2.ycpi.vip.gq1.yahoo.net  (208.71.44.31:443)

TCP (HTTP SSL):
Connects to l1-ha.ycs.aea.yahoo.com  (183.177.93.11:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-hkg3.facebook.com  (31.13.95.36:443)

TCP (HTTP):
Connects to ec2-54-243-168-255.compute-1.amazonaws.com  (54.243.168.255:80)

TCP (HTTP):
Connects to ec2-54-221-206-77.compute-1.amazonaws.com  (54.221.206.77:80)

Remove whatsapptime.exe - Powered by Reason Core Security