produpd.exe

VDI Shared Product Update Tools

VDI

The executable produpd.exe, “Product updater system service” has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’. While running, it connects to the Internet address any.yandex.ru on port 80 using the HTTP protocol.
Publisher:
VDI

Product:
VDI Shared Product Update Tools

Description:
Product updater system service

Version:
2, 0, 0, 163

MD5:
6e4c77fdd7c8c1160dc973adc93abc64

SHA-1:
06a6a3c88c9754f2a662f8394078c3a69f665a7c

SHA-256:
b7892ade30402adf4312f3afc475ada0dc4cc36f33c2fcbe4bd524087b43239e

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
11/24/2024 10:06:19 PM UTC  (today)

Scan engine
Detection
Engine version

F-Secure
Variant.Strictor.113697
5.15.154

Reason Heuristics
Trojan.Glupteba (M)
16.11.12.14

File size:
642 KB (657,408 bytes)

Product version:
2.0.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
9/15/2016 3:51:05 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:4W8loTOO3/DfUKbZE9oU1OwVkz5k2eaihN5m5DZWeZjozV6LlGgdUpk:FvOO3/DfUKbZE9oU1/VwMaigYeZjozVw

Entry address:
0x353E6

Entry point:
E8, 80, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, 38, 62, 47, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, A8, F8, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, 97, F8, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, 10, 49, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00...
 
[+]

Entropy:
6.5825

Code size:
467 KB (478,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to g1.formy.net  (195.191.248.36:80)

TCP (WHOIS):
Connects to whois.opensrs.net  (64.99.62.11:43)

TCP (HTTP SSL):
Connects to o2.mail.ru  (217.69.139.61:443)

TCP:
Connects to ih425675.dedic.myihor.ru  (193.124.177.10:444)

TCP (HTTP SSL):
Connects to ec2-52-89-83-8.us-west-2.compute.amazonaws.com  (52.89.83.8:443)

TCP (HTTP SSL):
Connects to ec2-35-161-87-166.us-west-2.compute.amazonaws.com  (35.161.87.166:443)

TCP (HTTP):
Connects to ec2-34-195-251-240.compute-1.amazonaws.com  (34.195.251.240:80)

TCP:
Connects to 55.33.224.159.triolan.net  (159.224.33.55:20000)

TCP (HTTP):
Connects to webmaster.yandex.ru  (93.158.134.62:80)

TCP (HTTP):
Connects to static.37.58.243.136.clients.your-server.de  (136.243.58.37:80)

TCP:
Connects to static.178-248-206-178.kgts.ru  (178.206.248.178:4899)

TCP (HTTP SSL):
Connects to server-54-192-129-195.ams50.r.cloudfront.net  (54.192.129.195:443)

TCP (HTTP SSL):
Connects to server-54-192-129-170.ams50.r.cloudfront.net  (54.192.129.170:443)

TCP:
Connects to nodomen.ru  (89.184.67.224:444)

TCP:
Connects to l37-192-31-163.novotelecom.ru  (37.192.31.163:4899)

TCP:
Connects to ip-85-26-138-59.nwgsm.ru  (85.26.138.59:4899)

TCP:
Connects to ip-184-168-221-36.ip.secureserver.net  (184.168.221.36:8000)

TCP:
Connects to interviewder.net  (91.203.5.26:444)

TCP:
Connects to f755.fuchsia.servdiscount-customer.com  (85.14.243.91:444)

TCP (HTTP SSL):
Connects to ec2-54-186-89-206.us-west-2.compute.amazonaws.com  (54.186.89.206:443)

Remove produpd.exe - Powered by Reason Core Security