produpd.exe

VDI Shared Product Update Tools

VDI

The executable produpd.exe, “Product updater system service” has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’. While running, it connects to the Internet address whois.chi2.verisign.com on port 43.
Publisher:
VDI

Product:
VDI Shared Product Update Tools

Description:
Product updater system service

Version:
2, 0, 0, 163

MD5:
44fc8cae67cb87997982b1a5442103fe

SHA-1:
467806ebf05a89d0e6e409e54b725996a756bd2f

SHA-256:
97aae805fdcc21b87c45421ff637ad045d094332becf549313a0828a288d7225

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
12/25/2024 3:29:49 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
Trojan.Glupteba (M)
16.11.12.14

File size:
641.5 KB (656,896 bytes)

Product version:
2.0.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
9/21/2016 11:09:59 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:fNmlRuOOZ/DfUKbZE9o+n/tWdl5kHWe1oiN555VZG/Z08KOb9Dp7Ggde:lXOOZ/DfUKbZE9o+nVW3M1oyg/Z08KQx

Entry address:
0x353E6

Entry point:
E8, 80, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, 38, 62, 47, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, A8, F8, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, 97, F8, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, 10, 49, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00...
 
[+]

Code size:
467 KB (478,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to f755.fuchsia.servdiscount-customer.com  (85.14.243.91:444)

TCP:
Connects to ih425675.dedic.myihor.ru  (193.124.177.10:444)

TCP (HTTP SSL):
Connects to o2.mail.ru  (217.69.139.61:443)

TCP:
Connects to nodomen.ru  (89.184.67.224:444)

TCP (HTTP SSL):
Connects to mail.yandex.ru  (93.158.134.25:443)

TCP (HTTP SSL):
Connects to ip5.23.odnoklassniki.ru  (5.61.23.5:443)

TCP (HTTP SSL):
Connects to a104-94-55-27.deploy.static.akamaitechnologies.com  (104.94.55.27:443)

TCP (HTTP SSL):
Connects to a104-122-243-148.deploy.static.akamaitechnologies.com  (104.122.243.148:443)

TCP (HTTP):
Connects to is-dccache02.i.smailru.net  (188.93.56.113:80)

TCP (HTTP SSL):
Connects to e9430.b.akamaiedge.net  (66.211.185.57:443)

TCP (HTTP SSL):
Connects to cs-http.yandex.ru  (213.180.204.22:443)

TCP (HTTP):
Connects to autosug.g.ebay.com  (66.135.212.230:80)

TCP (WHOIS):
Connects to whois.1and1.org  (212.227.15.229:43)

TCP:
Connects to ip-static-94-242-254-135.server.lu  (94.242.254.135:444)

TCP (HTTP):
Connects to grey.voxoft.pl  (79.133.220.71:80)

TCP (WHOIS):
Connects to whois.ripe.net  (193.0.6.135:43)

TCP (WHOIS):
Connects to whois.chi2.verisign.com  (199.7.48.74:43)

TCP (WHOIS):
Connects to whois.arin.net  (199.71.0.46:43)

TCP (HTTP SSL):
Connects to signin.g.ebay.com  (66.211.185.47:443)

TCP (HTTP SSL):
Connects to reg.g.ebay.com  (66.135.213.240:443)

Remove produpd.exe - Powered by Reason Core Security