produpd.exe

VDI Shared Product Update Tools

VDI

The executable produpd.exe, “Product updater system service” has been detected as malware by 2 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’.
Publisher:
VDI

Product:
VDI Shared Product Update Tools

Description:
Product updater system service

Version:
2, 0, 0, 163

MD5:
9fd43a49ced631b92cea22a54b58a60d

SHA-1:
b40c9b525ab38f56077d9da1be28023414d7624a

SHA-256:
12497eb3ac7729418c99b825884fdc1f9afe08aca574d67f46408d6ab375cfb9

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
12/26/2024 11:22:42 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Dropper-gen [Drp]
160917-0

Reason Heuristics
Trojan.Glupteba (M)
16.11.12.14

File size:
642 KB (657,408 bytes)

Product version:
2.0.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
9/13/2016 2:28:20 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:XW8loTOO3/DfUKbZE9oU1OwVkz5k2eaihN5m5DZWeZjozV6LuGgdUpk:mvOO3/DfUKbZE9oU1/VwMaigYeZjozVh

Entry address:
0x353E6

Entry point:
E8, 80, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, 38, 62, 47, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, A8, F8, FF, FF, F2, E9, DA, FF, FF, FF, 8B, 4D, EC, 33, CD, F2, E8, 97, F8, FF, FF, F2, E9, C9, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, 10, 49, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00...
 
[+]

Entropy:
6.5825

Code size:
467 KB (478,208 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to nodomen.ru  (89.184.67.224:444)

TCP:
Connects to ip-static-94-242-254-135.server.lu  (94.242.254.135:444)

TCP (HTTP SSL):
Connects to a104-94-55-27.deploy.static.akamaitechnologies.com  (104.94.55.27:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-frt3.facebook.com  (31.13.92.36:443)

TCP (HTTP SSL):
Connects to a23-61-211-183.deploy.static.akamaitechnologies.com  (23.61.211.183:443)

TCP (WHOIS):
Connects to whois.1and1.org  (212.227.15.229:43)

TCP (HTTP):
Connects to videos.sapo.pt  (213.13.145.69:80)

TCP:
Connects to Uicp.UTnet.ru  (195.12.68.42:4899)

TCP (HTTP SSL):
Connects to server-205-251-219-69.arn1.r.cloudfront.net  (205.251.219.69:443)

TCP (HTTP):
Connects to recover-assure.graykind.com  (5.45.79.161:80)

TCP (HTTP):
Connects to node002.adplexity.com  (107.6.186.178:80)

TCP:
Connects to media-router-rc1.prod.media.vip.ir2.yahoo.com  (217.12.15.37:993)

TCP:
Connects to kard.ssau.ru  (91.222.128.111:4899)

TCP (HTTP):
Connects to ip230.ip-5-135-168.eu  (5.135.168.230:80)

TCP:
Connects to ip-184-168-221-36.ip.secureserver.net  (184.168.221.36:8000)

TCP (HTTP SSL):
Connects to e9430.b.akamaiedge.net  (66.211.185.43:443)

TCP (HTTP SSL):
Connects to cascrmdinet55-ns-mobile-vzw.verizonwireless.com  (162.115.18.210:443)

TCP (HTTP):
Connects to acchosting.cloudapp.net  (104.45.152.109:80)

TCP (HTTP):
Connects to a104-122-243-191.deploy.static.akamaitechnologies.com  (104.122.243.191:80)

TCP:
Connects to 90.188.53.115.stbur.ru  (90.188.53.115:4899)

Remove produpd.exe - Powered by Reason Core Security