produpd.exe

VDI Shared Product Update Tools

VDI

The executable produpd.exe, “Product updater system service” has been detected as malware by 3 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’. While running, it connects to the Internet address 252.29.155.104.bc.googleusercontent.com on port 80 using the HTTP protocol.
Publisher:
VDI

Product:
VDI Shared Product Update Tools

Description:
Product updater system service

Version:
2, 0, 0, 163

MD5:
48623bec6c6b485c762853c452d764b7

SHA-1:
129b3c4b06d3da65a7952fab7aedc6030a59a239

SHA-256:
e1adc6471a0b0f712c943797ef3615b3238ccd95677fb68a3bf772ce807592d6

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
12/26/2024 7:35:04 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Dropper-gen [Drp]
160917-0

F-Secure
Variant.Strictor.113697
5.15.154

Reason Heuristics
Trojan.Glupteba (M)
16.11.12.14

File size:
641.5 KB (656,896 bytes)

Product version:
2.0.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
9/22/2016 7:05:11 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:GNmlRuOOZ/DfUKbZE9o+n/tWdl5kHWe1oiN555VZG/Z08KOb9DpQGgde:MXOOZ/DfUKbZE9o+nVW3M1oyg/Z08KQM

Entry address:
0x353E6

Entry point:
E8, 80, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, 38, 62, 47, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, A8, F8, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, 97, F8, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, 10, 49, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00...
 
[+]

Code size:
467 KB (478,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to nodomen.ru  (185.31.161.198:444)

TCP (HTTP):
Connects to instagram-p3-shv-01-fra3.fbcdn.net  (31.13.93.52:80)

TCP (HTTP SSL):
Connects to ec2-34-195-251-240.compute-1.amazonaws.com  (34.195.251.240:443)

TCP (HTTP SSL):
Connects to e.mail.ru  (217.69.139.216:443)

TCP:
Connects to malta1752.dedicatedpanel.com  (85.25.210.136:444)

TCP:
Connects to u022.umbra.myloc.de  (85.114.140.22:444)

TCP:
Connects to poczta.interia.pl  (217.74.64.236:993)

TCP (HTTP):
Connects to ns535262.ip-158-69-246.net  (158.69.246.3:80)

TCP (SMTP):
Connects to mx0a-0009cc01.pphosted.com  (148.163.156.200:25)

TCP (HTTP):
Connects to bvsport.ca  (91.121.155.125:80)

TCP (HTTP SSL):
Connects to a104-75-82-69.deploy.static.akamaitechnologies.com  (104.75.82.69:443)

TCP (HTTP SSL):
Connects to a104-122-243-148.deploy.static.akamaitechnologies.com  (104.122.243.148:443)

TCP (HTTP):
Connects to video-edge-c6808c.sin01.hls.ttvnw.net  (45.113.129.121:80)

TCP (HTTP):
Connects to video-edge-c678ec.arn03.hls.ttvnw.net  (52.223.193.116:80)

TCP:
Connects to vcs-s-m-yc.mail.vip.ir2.yahoo.com  (217.146.190.250:465)

TCP (HTTP SSL):
Connects to thesmurfsco.ubi.com  (216.98.48.81:443)

TCP (HTTP SSL):
Connects to signin.g.ebay.com  (66.211.181.96:443)

TCP (HTTP SSL):
Connects to server-54-230-96-47.arn1.r.cloudfront.net  (54.230.96.47:443)

TCP (HTTP SSL):
Connects to server-54-192-98-230.arn1.r.cloudfront.net  (54.192.98.230:443)

TCP (HTTP SSL):
Connects to server-54-192-94-46.fra2.r.cloudfront.net  (54.192.94.46:443)

Remove produpd.exe - Powered by Reason Core Security