produpd.exe

Vest's software office

Vest' Ltd

The executable produpd.exe (“Software updater service”) has been detected as malware by 19 anti-virus scanners. It is set to start automatically when a user logs into Windows, via the current user Run registry key under the display name ‘produpd’. While running, it connects to the Internet address ip-static-94-242-253-30.server.lu on port 8000.
Publisher:
Vest' Ltd

Product:
Vest's software office

Description:
Software updater service

Version:
2.2.0.99

MD5:
5be4cd2617dbe097974ade8871c05bee

SHA-1:
3ec0016abbf72aed16c45027e0bb650cacbf7e0a

SHA-256:
9438d2be54dc76b01b403932e0036b8c7f72f0a4289e54a7e93b1f14a4ed19f2

Scanner detections:
19 / 68

Status:
Malware

Analysis date:
12/26/2024 11:46:26 AM UTC

| Scan engine | Detection | Engine version |
| --- | --- | --- |
| Lavasoft Ad-Aware | Gen:Variant.Strictor.113697 | 100 |
| AhnLab V3 Security | Trojan/Win32.Generic.C1612235 | 3.8.1.15 |
| Avira AntiVirus | TR/ATRAPS.wjyke | 8.3.3.4 |
| Arcabit | Trojan.Strictor.D1BC21 | 1.0.0.779 |
| avast! | Win32:Malware-gen | 2014.9-161027 |
| AVG | Atros4 | 2017.0.2578 |
| Bitdefender | Gen:Variant.Strictor.113697 | 1.0.20.1505 |
| Emsisoft Anti-Malware | Gen:Variant.Strictor.113697 | 8.16.10.27.03 |
| ESET NOD32 | Win32/Glupteba.AP (variant) | 10.14344 |
| Fortinet FortiGate | W32/Glupteba.AO!tr | 10/27/2016 |
| F-Secure | Gen:Variant.Strictor.113697 | 11.2016-27-10_5 |
| G Data | Gen:Variant.Strictor.113697 | 16.10.25 |
| IKARUS anti.virus | Trojan.Win32.Glupteba | t3scan.2.1.16.0 |
| K7 AntiVirus | Trojan | 13.244.21303 |
| Malwarebytes | Trojan.Downloader | v2016.10.27.03 |
| MicroWorld eScan | Gen:Variant.Strictor.113697 | 17.0.0.903 |
| Panda Antivirus | Trj/GdSda.A | 16.10.27.03 |
| Qihoo 360 Security | HEUR/QVM10.1.0000.Malware.Gen | 1.0.0.1120 |
| VIPRE Antivirus | Trojan.Win32.Generic | 53328 |

File size:
590.5 KB (604,672 bytes)

Product version:
2.2.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
10/27/2016 5:35:18 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:3KmUPmvUPZZ4vbFYNO2gPfHJByV5jqHL1l8BgVKE+Q72nzjy7Cb:3K5POvZYNO2iJBbLb8BgVKvQify

Entry address:
0x2A2BF

Entry point:
E8, 87, 09, 00, 00, E9, 8E, FE, FF, FF, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 96, F8, FF, FF, F2, E9, DA, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, 50, 48, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, 50, 48, 00...
 

Entropy:
6.5548

Code size:
420.5 KB (430,592 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe C:\users\{user}\appdata\local\temp\{random}.tmp\setup.exe


The executing file has been seen to make the following network communications in live environments.

