whatsapptime.exe

WhatsappTime Trusted

The executable whatsapptime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘whatsappTime’. While running, it connects to the Internet address b3.e0.559e.ip4.static.sl-reverse.com on port 443.
Publisher:
WhatsappTime Trusted  (signed and verified)

MD5:
ecdefca44ceb64ef4106fee77f71e807

SHA-1:
40b058947a757289f281268f7df5e0897971457a

SHA-256:
c61a8d8ec2a4bdd909eeaca42cd17c2a60155778ce3987afca1a1eedbc33d375

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/23/2024 2:44:29 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
17.3.5.13

File size:
45.6 MB (47,817,520 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe

Digital Signature
Authority:
WhatsappTime Trusted

Valid from:
5/25/2016 5:16:37 PM

Valid to:
5/23/2026 5:16:37 PM

Subject:
CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Issuer:
CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Serial number:
00A60CF24083331D6D

File PE Metadata
Compilation timestamp:
2/17/2017 2:47:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C9A083

Entropy:
6.8634

Code size:
34.9 MB (36,637,696 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
whatsappTime

Command:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe su


The executing file has been seen to make the following network communications in live environments.
