produpd.exe

VDI Shared Product Update Tools

VDI

The executable produpd.exe, “Product updater system service” has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’. While running, it connects to the Internet address ns.cnt.ru on port 4899.
Publisher:
VDI

Product:
VDI Shared Product Update Tools

Description:
Product updater system service

Version:
2, 0, 0, 163

MD5:
3a08e9692c62723168915a76e9577978

SHA-1:
090497189ef87c74d4525857a98bfeb551219029

SHA-256:
ece4feae28cf0492b4683b1b4172b246be79ecb2702d2b5234539e13389cb010

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
11/27/2024 4:43:22 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Glupteba.AL trojan
6.3

F-Secure
Variant.Razy.84351
5.15.96

File size:
480 KB (491,520 bytes)

Product version:
2.0.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
8/29/2016 3:29:17 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:UiKQAOtSmjUS8pka7055C6wC9PK6HlLIkskz3+3BX:hKYUS8/70YChK6HlLIk9z3MX

Entry address:
0x17630

Entry point:
E8, A6, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, AC, 52, 45, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, A9, F8, FF, FF, F2, E9, DA, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, B0, 46, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B...
 
[+]

Entropy:
6.5411

Code size:
333.5 KB (341,504 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to icebergcone.com  (91.142.85.224:444)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-frt3.facebook.com  (31.13.92.36:443)

TCP:
Connects to f755.fuchsia.servdiscount-customer.com  (85.14.243.91:444)

TCP:
Connects to 55.33.224.159.triolan.net  (159.224.33.55:20000)

TCP (HTTP SSL):
Connects to thesmurfsco.ubi.com  (216.98.48.81:443)

TCP (HTTP SSL):
Connects to a104-96-4-12.deploy.static.akamaitechnologies.com  (104.96.4.12:443)

TCP (HTTP SSL):
Connects to signin.g.ebay.com  (66.211.185.34:443)

TCP:
Connects to spb-195-218-234-158.sovintel.spb.ru  (195.218.234.158:4899)

TCP:
Connects to 81.30.179.31.static.ufanet.ru  (81.30.179.31:4899)

TCP (HTTP SSL):
Connects to webcluster.ngs.ru  (195.93.187.9:443)

TCP:
Connects to sha.gkmar.ru  (87.117.4.75:4899)

TCP (HTTP SSL):
Connects to server-54-192-129-61.ams50.r.cloudfront.net  (54.192.129.61:443)

TCP (HTTP SSL):
Connects to server-54-192-129-151.ams50.r.cloudfront.net  (54.192.129.151:443)

TCP (HTTP):
Connects to ns3035260.ip-51-255-80.eu  (51.255.80.157:80)

TCP:
Connects to ns1.daum.net  (211.244.82.213:465)

TCP (SMTP):
Connects to mail-by2nam010170.inbound.protection.outlook.com  (216.32.181.170:25)

TCP (SMTP):
Connects to mail-by24247.inbound.protection.outlook.com  (207.46.163.247:25)

TCP:
Connects to ip-static-94-242-254-135.server.lu  (94.242.254.135:444)

TCP (HTTP):
Connects to ec2-54-227-234-51.compute-1.amazonaws.com  (54.227.234.51:80)

TCP (HTTP):
Connects to bluto.centralwebsites.com  (96.126.111.51:80)

Remove produpd.exe - Powered by Reason Core Security