whatsapptime.exe

WhatsappTime Trusted

The executable whatsapptime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘whatsappTime’. While running, it connects to the Internet address b1.e0.559e.ip4.static.sl-reverse.com on port 443.
Publisher:
WhatsappTime Trusted  (signed and verified)

MD5:
edf48e4d29f1de7d2abb437bc50e91da

SHA-1:
3332e231410d91ea1f9ad2266cff937b6e34a498

SHA-256:
f31627a3821f5ee4375e97f1dab61fe6039bc9c3d52a2311df9b5cda59cb4576

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/23/2024 2:20:29 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
17.3.10.13

File size:
45.6 MB (47,791,632 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe

Digital Signature
Authority:
WhatsappTime Trusted

Valid from:
5/25/2016 5:16:37 PM

Valid to:
5/23/2026 5:16:37 PM

Subject:
CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Issuer:
CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Serial number:
00A60CF24083331D6D

File PE Metadata
Compilation timestamp:
2/17/2017 2:47:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C9A083

Entry point:
E8, 98, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, A7, 20, 00, 00, 85, C0, 74, 08, 6A, 16, E8, 6A, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, 97, 24, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A7, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 14, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 

Entropy:
6.8623

Code size:
34.9 MB (36,637,696 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
whatsappTime

Command:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe su


The executing file has been seen to make the following network communications in live environments.

