produpd.exe

Vested Development, Inc

The executable produpd.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’. While running, it connects to the Internet address ih425675.dedic.myihor.ru on port 8000.
Publisher:
Vested Development, Inc

Product:
produpd.exe

Version:
2.2.1.23

MD5:
8e2588847ef8ed23fadd78e2a89747f1

SHA-1:
27b681d6a950d80a83d74216054f11f7a7db9a14

SHA-256:
91605caf633bf501c261dfc0e3d3f1da4c512f5e4b914a04a7d5c7f5fb1278fa

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/25/2024 3:34:16 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Glupteba

Engine version:
17.2.17.8

File size:
528 KB (540,672 bytes)

Product version:
2.2.0.2

Copyright:
Copyright © 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
9/18/2006 9:08:26 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

Entry address:
0x544CE

Entry point:
30, F8, 41, 85, F1, F6, D5, 68, 50, 69, 00, 00, F8, 5A, F6, D4, E9, 91, 00, 00, 00, 72, 66, 98, D1, 2F, 16, FA, 00, 9B, 8D, 00, CA, 00, AF, 65, AF, AE, BE, 69, C2, 35, 5E, 01, B5, 65, 5E, CF, 14, 00, 00, 0B, 10, F1, 8D, 4E, 9E, 83, EA, 02, 90, F6, D5, 87, C9, FC, F6, D0, 86, C8, F7, D1, B4, 8D, B1, 45, 8D, 41, FD, B1, B5, EB, 20, 00, 00, 00, 4C, 00, 85, FF, D1, 75, B0, 1B, 00, 44, 2A, DC, 99, 71, A6, 8B, 1C, 9D, 9E, 43, 2D, 00, 26, 40, C7, CA, 68, 92, 63, 7D, 31, 04, 00, 30, CD, E9, C1, 46, 03, 00, 00, 5A...

Entropy:
6.6857

Code size:
333.5 KB (341,504 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
"C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe" \20506


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to server-54-230-15-201.ams1.r.cloudfront.net  (54.230.15.201:443)

TCP (WHOIS):
Connects to paragon.opensrs.net  (64.99.63.15:43)

TCP (HTTP):
Connects to l2top.ru  (91.121.37.31:80)

TCP:
Connects to icebergcone.com  (91.142.85.224:8000)

TCP:
Connects to nodomen.ru  (89.184.67.224:8000)

TCP (HTTP SSL):
Connects to a104-122-243-148.deploy.static.akamaitechnologies.com  (104.122.243.148:443)

TCP (HTTP):
Connects to wwwb-front2.us.archive.org  (207.241.224.26:80)

TCP (WHOIS):
Connects to whois.localnet  (213.248.242.41:43)

TCP (HTTP SSL):
Connects to signin.g.ebay.com  (66.211.185.47:443)

TCP:
Connects to 92x255x254x169.static-business.chelny.ertelecom.ru  (92.255.254.169:4899)

TCP (WHOIS):
Connects to whois.ispapi.net  (93.190.235.106:43)

TCP (HTTP):
Connects to webmaster.yandex.ru  (93.158.134.62:80)

TCP (HTTP):
Connects to srv5.3net.pl  (188.116.37.123:80)

TCP:
Connects to n249-h61.gw-net.metromax.ru  (145.255.249.61:4899)

TCP:
Connects to khb.pc-mail.ru  (188.128.4.14:4899)

TCP:
Connects to f755.fuchsia.servdiscount-customer.com  (85.14.243.91:8000)

TCP:
Connects to broadband-109-173-18-190.moscow.rt.ru  (109.173.18.190:4899)

TCP (HTTP):
Connects to adc57-rev.netart.pl  (77.55.80.57:80)

TCP (HTTP):
Connects to acd201.rev.netart.pl  (77.55.55.201:80)

TCP (HTTP):
Connects to 91-220-181-87.mvideo.ru  (91.220.181.87:80)

Remove produpd.exe - Powered by Reason Core Security