whatsapptime.exe

The application whatsapptime.exe has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘whatsappTime’. While running, it connects to the Internet address 9c.45.37a9.ip4.static.sl-reverse.com on port 443.
MD5:
a362b0fec30975df6ba694b2dde5d01c

SHA-1:
e7414f95b02c0f7792669b20d26732c2d24a4d26

SHA-256:
12da34357e11af94f9f1fefe46cc0d848bc92d4af3cb5574c301e3245de4acb2

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
11/6/2024 12:24:07 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.WikiZ

Engine version:
17.1.26.8

File size:
45.6 MB (47,788,782 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\whatsapptime\tmp\whatsapptime.exe

File PE Metadata
Compilation timestamp:
2/20/2016 7:13:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x1C9A031

Entropy:
6.8638

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
whatsappTime

Command:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe su


The executing file has been seen to make the following network communications in live environments.

