facebooktime.exe

FacebookTime

The application facebooktime.exe by FacebookTime has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘FacebookTime’. While running, it connects to the Internet address host-213.158.190.106.tedata.net on port 443.
Publisher:
FacebookTime  (signed and verified)

MD5:
7b1092f96d6bb69a8fd66d4c8cd35c86

SHA-1:
eb271924c21c60b9247aee204992fb0073867163

SHA-256:
f2bccdb04104ecc4749abd6311569ae4e638a165db080a850fe5729902f86f67

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/28/2024 9:58:53 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.WikiZ

Engine version:
16.8.9.10

File size:
45.6 MB (47,771,032 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\facebooktime\facebooktime.exe

Digital Signature
Signed by:

Authority:
FacebookTime

Valid from:
7/13/2016 5:25:46 PM

Valid to:
7/11/2026 5:25:46 PM

Subject:
CN=FacebookTime, O=FacebookTime, S=Some-State, C=US

Issuer:
CN=FacebookTime, O=FacebookTime, S=Some-State, C=US

Serial number:
0094DD5C55474B634F

File PE Metadata
Compilation timestamp:
2/20/2016 6:43:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:YuK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQBjqQ:1wC64r1c6ZgnUSrLpbUAdBUQq6/BLNOQ

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 
Entropy:
6.8638

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
FacebookTime

Command:
C:\users\{user}\appdata\roaming\facebooktime\facebooktime.exe su


The executing file has been seen to make the following network communications in live environments.
