whatsapptime.exe

WhatsappTime Trusted

The executable whatsapptime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘whatsappTime’.
Publisher:
WhatsappTime Trusted  (signed and verified)

MD5:
569c85e1025e53d76d92878b8799499a

SHA-1:
7563c444b6411310ba51537b99e187ff786a24f6

SHA-256:
358b76d725f0adaa52d238efa4da6873e52dd8536dc7db653af8837359e1dbfc

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/23/2024 2:46:37 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP (M)
17.3.1.16

File size:
45.6 MB (47,817,600 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe

Digital Signature
Authority:
WhatsappTime Trusted

Valid from:
5/25/2016 5:16:37 PM

Valid to:
5/23/2026 5:16:37 PM

Subject:
CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Issuer:
CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Serial number:
00A60CF24083331D6D

File PE Metadata
Compilation timestamp:
2/17/2017 2:47:08 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C9A083

Entry point:
E8, 98, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, A7, 20, 00, 00, 85, C0, 74, 08, 6A, 16, E8, 6A, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, 97, 24, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A7, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 14, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 
[+]

Entropy:
6.8634

Code size:
34.9 MB (36,637,696 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
whatsappTime

Command:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe su


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ec2-54-77-155-10.eu-west-1.compute.amazonaws.com  (54.77.155.10:443)

TCP (HTTP):
Connects to ec2-54-225-175-205.compute-1.amazonaws.com  (54.225.175.205:80)

TCP (HTTP SSL):
Connects to a92-122-145-128.deploy.akamaitechnologies.com  (92.122.145.128:443)

TCP (HTTP SSL):
Connects to a104-84-213-222.deploy.static.akamaitechnologies.com  (104.84.213.222:443)

TCP (HTTP SSL):
Connects to a104-84-163-17.deploy.static.akamaitechnologies.com  (104.84.163.17:443)

TCP (HTTP SSL):
Connects to a104-83-96-246.deploy.static.akamaitechnologies.com  (104.83.96.246:443)

TCP (HTTP SSL):
Connects to 39.4a.37a9.ip4.static.sl-reverse.com  (169.55.74.57:443)

TCP (HTTP SSL):
Connects to a104-108-39-228.deploy.static.akamaitechnologies.com  (104.108.39.228:443)

TCP (HTTP):
Connects to hwcdn.net  (69.16.175.42:80)

TCP (HTTP SSL):
Connects to b1.e0.559e.ip4.static.sl-reverse.com  (158.85.224.177:443)

TCP (HTTP):
Connects to a184-86-201-168.deploy.static.akamaitechnologies.com  (184.86.201.168:80)

TCP (HTTP SSL):
Connects to 9c.45.37a9.ip4.static.sl-reverse.com  (169.55.69.156:443)

TCP (HTTP SSL):
Connects to 32.4a.37a9.ip4.static.sl-reverse.com  (169.55.74.50:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-frt3.fbcdn.net  (31.13.92.14:443)

TCP (HTTP):
Connects to server-54-192-203-215.fra50.r.cloudfront.net  (54.192.203.215:80)

TCP (HTTP SSL):
Connects to px-acs001.quantserve.com.akadns.net  (95.172.94.11:443)

TCP (HTTP SSL):
Connects to ec2-52-23-111-92.compute-1.amazonaws.com  (52.23.111.92:443)

TCP (HTTP SSL):

TCP (HTTP SSL):
Connects to ec2-34-200-184-123.compute-1.amazonaws.com  (34.200.184.123:443)

TCP (HTTP):
Connects to server-54-230-201-73.fra50.r.cloudfront.net  (54.230.201.73:80)

Remove whatsapptime.exe - Powered by Reason Core Security