whatsapptime.exe

WhatsappTime Trusted

The executable whatsapptime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘WhatsappTime’. While running, it connects to the Internet address 9c.45.37a9.ip4.static.sl-reverse.com on port 443.
Publisher:
WhatsappTime Trusted  (signed and verified)

MD5:
0a30f9bff0cf88f64906e0289cf94359

SHA-1:
5ef684cee5146db8d76a3ece205e64f3404a26ee

SHA-256:
140ffb5e628b897239e68d07315017d23bb18662d5674a1db79b8738e9663f9d

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/23/2017 2:08:27 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.8.2.14

File size:
45.6 MB (47,789,368 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe

Digital Signature
Authority:
WhatsappTime Trusted

Valid from:
5/25/2016 6:16:37 PM

Valid to:
5/23/2026 6:16:37 PM

Subject:
CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Issuer:
CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Serial number:
00A60CF24083331D6D

File PE Metadata
Compilation timestamp:
2/20/2016 9:13:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:tuK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQ5HkJ:gwC64r1c6ZgnUSrLpbUAdBUQq6/BLtEJ

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...

Entropy:
6.8637

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WhatsappTime

Command:
C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe su


The executing file has been seen to make the following network communications in live environments.

