whatsapptime.exe

WTApps

The executable whatsapptime.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘WhatsappTime’. This file is typically installed with the program WhatsappTime - Whatsapp for Desktop by WhatsappTime. While running, it connects to the Internet address 2a.4a.37a9.ip4.static.sl-reverse.com on port 443.
Publisher:
WTApps  (signed and verified)

MD5:
3357858009fb7dbf437740e91807af06

SHA-1:
8abf15f33d13329ea13b6a92a7902c46c0121647

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/15/2017 5:51:19 AM UTC

Scan engine:
Reason Heuristics

Detection:
PUP (M)

Engine version:
16.8.2.14

File size:
45.8 MB (48,042,960 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\Documents and Settings\{user}\Application data\whatsapptime\whatsapptime.exe

Digital Signature
Signed by:

Authority:
WTApps

Valid from:
9/9/2015 2:30:36 PM

Valid to:
9/6/2025 2:30:36 PM

Subject:
CN=WTApps, O=WTApps, S=Some-State, C=US

Issuer:
CN=WTApps, O=WTApps, S=Some-State, C=US

Serial number:
00820714628B1C1CC8

File PE Metadata
Compilation timestamp:
2/20/2016 9:13:51 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
786432:WuK9C64r1c7VQZgnUrurLpbH05yL5dsuUQq6+4UYOkdOXQ5hI:PwC64r1c6ZgnUSrLpbUAdBUQq6/BLt2

Entry address:
0x1C9A031

Entry point:
E8, 5A, 3A, 01, 00, E9, 7F, FE, FF, FF, 55, 8B, EC, 8B, 55, 0C, A1, 20, A8, EC, 02, F7, D2, 8B, 4D, 08, 23, D0, 23, 4D, 0C, 0B, D1, 89, 15, 20, A8, EC, 02, 5D, C3, E8, 09, 21, 00, 00, 85, C0, 74, 08, 6A, 16, E8, CC, 21, 00, 00, 59, F6, 05, 20, A8, EC, 02, 02, 74, 21, 6A, 17, E8, D9, 20, 60, 00, 85, C0, 74, 05, 6A, 07, 59, CD, 29, 6A, 01, 68, 15, 00, 00, 40, 6A, 03, E8, A9, F8, FF, FF, 83, C4, 0C, 6A, 03, E8, 16, FC, FF, FF, CC, 55, 8B, EC, 8D, 45, 18, 50, 6A, 00, FF, 75, 14, FF, 75, 10, FF, 75, 0C, FF, 75...
 

Entropy:
6.8734

Code size:
34.9 MB (36,634,112 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
WhatsappTime

Command:
C:\Documents and Settings\{user}\Application data\whatsapptime\whatsapptime.exe su


The file whatsapptime.exe has been discovered within the following program.

About 7% of users remove it
 

The executing file has been seen to make the following network communications in live environments.

