produpd.exe

Vest's software office

Vest' Ltd

The executable produpd.exe, “Software updater service” has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’.
Publisher:
Vest' Ltd

Product:
Vest's software office

Description:
Software updater service

Version:
2.2.0.99

MD5:
25fb97e2cf14dc80932f38d4433c850b

SHA-1:
28ef1cc692c2b4c396feb71122f8b233fdcbe728

SHA-256:
96a82dab2c0c042ebe7b49685d4aaa4a41df299d26ffbf899c990adfffb57f77

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
12/26/2024 12:28:51 AM UTC  (today)

Scan engine
Detection
Engine version

ESET NOD32
Win32/Glupteba.AP trojan
6.3.12010.0

F-Secure
Variant.Razy.84351
5.15.154

File size:
544 KB (557,056 bytes)

Product version:
2.2.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
11/9/2016 9:25:12 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:sFbJr/ABdTAComTjbhMolf5dC5wO7jkDjT/TpNpNKjOz543R98:sJ56NXbhM45dikHjTpNpNEOz543

Entry address:
0x24DDC

Entry point:
E8, 8A, 09, 00, 00, E9, 8E, FE, FF, FF, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 79, F8, FF, FF, F2, E9, DA, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, A0, 47, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, A0, 47, 00...
 
[+]

Code size:
381 KB (390,144 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
"C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe"


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to p087.purple.myloc.de  (85.114.133.87:444)

TCP (HTTP SSL):
Connects to sigin.ebay.com  (66.135.204.237:443)

TCP (HTTP SSL):
Connects to ec2-54-148-105-120.us-west-2.compute.amazonaws.com  (54.148.105.120:443)

TCP (HTTP SSL):
Connects to ec2-52-71-101-99.compute-1.amazonaws.com  (52.71.101.99:443)

TCP (HTTP SSL):
Connects to a104-94-55-49.deploy.static.akamaitechnologies.com  (104.94.55.49:443)

TCP (HTTP SSL):
Connects to 254-142-140.csiweb.net  (66.254.142.140:443)

TCP (HTTP):
Connects to stewie.novahost.bg  (79.98.108.115:80)

TCP (HTTP):
Connects to showip.net  (23.253.100.206:80)

TCP (HTTP SSL):
Connects to ohtwbgdinet55-ns-mobile-vzw.verizonwireless.com  (137.188.82.210:443)

TCP (HTTP):
Connects to node001.adplexity.com  (107.6.167.194:80)

TCP:
Connects to imap-a-atc-a.mx.aol.com  (152.163.0.65:993)

TCP (HTTP SSL):
Connects to a95-101-124-239.deploy.akamaitechnologies.com  (95.101.124.239:443)

TCP (HTTP SSL):
Connects to a23-38-25-148.deploy.static.akamaitechnologies.com  (23.38.25.148:443)

Remove produpd.exe - Powered by Reason Core Security