» whatsapptime.exe
Overview
Analysis
File Details
Behaviors (1)
Programs (1)
Network (60)

whatsapptime.exe

WhatsappTime Trusted

The executable whatsapptime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘WhatsappTime’. This file is typically installed with the program WhatsappTime - Whatsapp for Desktop by WhatsappTime. While running, it connects to the Internet address 9c.45.37a9.ip4.static.sl-reverse.com on port 443.

File name:

whatsapptime.exe

Publisher:

WhatsappTime Trusted (signed and verified)

MD5:

0a30f9bff0cf88f64906e0289cf94359

SHA-1:

5ef684cee5146db8d76a3ece205e64f3404a26ee

SHA-256:

140ffb5e628b897239e68d07315017d23bb18662d5674a1db79b8738e9663f9d

Scanner detections:

1 / 68

Status:

Malware

Analysis date:

4/27/2024 11:14:24 AM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP (M)

16.8.2.14

File size:

45.6 MB (47,789,368 bytes)

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe

Digital Signature

Signed by:

WhatsappTime Trusted

Authority:

WhatsappTime Trusted

Valid from:

5/25/2016 6:16:37 PM

Valid to:

5/23/2026 6:16:37 PM

Subject:

CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Issuer:

CN="""WhatsappTIme Trusted""", O="""WhatsappTime Trusted""", S=Some-State, C=US

Serial number:

00A60CF24083331D6D

File PE Metadata

Compilation timestamp:

2/20/2016 9:13:51 PM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

12.0

CTPH (ssdeep):

786432:tuK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQ5HkJ:gwC64r1c6ZgnUSrLpbUAdBUQq6/BLtEJ

Entry address:

0x1C9A031

Entry point:

E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75... 
[+]

Entropy:

6.8637

Code size:

34.9 MB (36,634,112 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

WhatsappTime

Command:

C:\users\{user}\appdata\roaming\whatsapptime\whatsapptime.exe su

The file whatsapptime.exe has been discovered within the following program.

WhatsappTime - Whatsapp for Desktop by WhatsappTime

About 7% of users remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):

Connects to bam-6.nr-data.net (162.247.242.18:443)

TCP (HTTP):

Connects to tlb.hwcdn.net (69.16.175.42:80)

TCP (HTTP SSL):

Connects to 2d.4a.37a9.ip4.static.sl-reverse.com (169.55.74.45:443)

TCP (HTTP SSL):

Connects to b4.e0.559e.ip4.static.sl-reverse.com (158.85.224.180:443)

TCP (HTTP SSL):

Connects to 9c.45.37a9.ip4.static.sl-reverse.com (169.55.69.156:443)

TCP (HTTP SSL):

Connects to 32.4a.37a9.ip4.static.sl-reverse.com (169.55.74.50:443)

TCP (HTTP SSL):

Connects to whatsapp-cdn-shv-01-sin6.fbcdn.net (157.240.7.54:443)

TCP (HTTP SSL):

Connects to whatsapp-cdn-shv-01-lhr3.fbcdn.net (31.13.90.51:443)

TCP (HTTP SSL):

Connects to 2a.4a.37a9.ip4.static.sl-reverse.com (169.55.74.42:443)

TCP (HTTP SSL):

Connects to 39.4a.37a9.ip4.static.sl-reverse.com (169.55.74.57:443)

TCP (HTTP SSL):

Connects to whatsapp-cdn-shv-02-mia1.fbcdn.net (157.240.0.53:443)

TCP (HTTP SSL):

Connects to ae.e0.559e.ip4.static.sl-reverse.com (158.85.224.174:443)

TCP (HTTP SSL):

Connects to 9d.45.37a9.ip4.static.sl-reverse.com (169.55.69.157:443)

TCP (HTTP SSL):

Connects to wb-in-f155.1e100.net (66.102.1.155:443)

TCP (HTTP SSL):

Connects to waws-prod-blu-015.cloudapp.net (191.236.16.12:443)

TCP (HTTP SSL):

Connects to server-54-230-202-253.fra50.r.cloudfront.net (54.230.202.253:443)

TCP (HTTP SSL):

Connects to server-54-230-202-23.fra50.r.cloudfront.net (54.230.202.23:443)

TCP (HTTP SSL):

Connects to server-54-230-201-157.fra50.r.cloudfront.net (54.230.201.157:443)

TCP (HTTP SSL):

Connects to server-52-85-178-85.fra50.r.cloudfront.net (52.85.178.85:443)

TCP (HTTP SSL):

Connects to ec2-54-228-237-30.eu-west-1.compute.amazonaws.com (54.228.237.30:443)

Remove whatsapptime.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.