produpd.exe

VDI Shared Product Update Tools

VDI

The executable produpd.exe, “Product updater system service” has been detected as malware by 3 anti-virus scanners. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’.
Publisher:
VDI

Product:
VDI Shared Product Update Tools

Description:
Product updater system service

Version:
2, 0, 0, 163

MD5:
470e73c92a151066b12b3a49fd8c516c

SHA-1:
ce9fdd8e841aeb94266a663746be925473b1fd63

SHA-256:
aa599382b38fb4e2e0ec390d4ba2449f63709f93342a90de9c5ff82fe1dd8b9d

Scanner detections:
3 / 68

Status:
Malware

Analysis date:
11/23/2024 9:35:58 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:Dropper-gen [Drp]
160917-0

F-Secure
Variant.Strictor.113697
5.15.154

Reason Heuristics
Trojan.Glupteba
16.10.24.14

File size:
563.5 KB (577,024 bytes)

Product version:
2.0.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
9/27/2016 5:05:18 PM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:x7L0TKsVwOlGAqnoMZL55WuFl01iyirZginTwLpbuto:JIK2lGA/OLdlEiyirZ7wFb

Entry address:
0x256DC

Entry point:
E8, 8A, 09, 00, 00, E9, 8E, FE, FF, FF, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 79, F8, FF, FF, F2, E9, DA, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, F0, 47, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, F0, 47, 00...
 
[+]

Entropy:
6.5489

Code size:
397.5 KB (407,040 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
"C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe" \2140


The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to ih371556.dedic.myihor.ru  (193.124.179.165:444)

TCP:
Connects to ns342617.ip-176-31-106.eu  (176.31.106.23:444)

TCP:
Connects to pls.com  (213.159.212.188:444)

TCP (HTTP):
Connects to node001.adplexity.com  (107.6.167.194:80)

TCP (HTTP SSL):
Connects to sso.suntrust.com  (167.181.46.184:443)

TCP (SMTP):
Connects to mta-v6.mail.vip.bf1.yahoo.com  (66.196.118.240:25)

TCP (HTTP):
Connects to yandex.ru  (77.88.55.66:80)

TCP (HTTP):
Connects to static.77.202.76.144.clients.your-server.de  (144.76.202.77:80)

TCP (HTTP):
Connects to static.170.23.251.148.clients.your-server.de  (148.251.23.170:80)

TCP (HTTP SSL):
Connects to signin.ea.com  (159.153.228.140:443)

TCP (HTTP):
Connects to server.akafi.net  (51.254.196.198:80)

TCP (HTTP):
Connects to rpc.weblogs.com  (70.39.246.54:80)

TCP (HTTP):
Connects to psk-asp-win-sh-03.silicontower.net  (93.189.91.12:80)

TCP (HTTP):
Connects to pat.gemnet.cz  (77.48.53.13:80)

TCP (HTTP):
Connects to mhennig.de  (87.106.209.26:80)

TCP (HTTP):
Connects to is-dccache02.i.smailru.net  (188.93.56.113:80)

TCP:
Connects to ip-static-94-242-254-135.server.lu  (94.242.254.135:444)

TCP (HTTP):
Connects to ec2-54-209-103-4.compute-1.amazonaws.com  (54.209.103.4:80)

TCP (HTTP):
Connects to ec2-52-72-151-107.compute-1.amazonaws.com  (52.72.151.107:80)

TCP (HTTP SSL):
Connects to ec2-52-50-51-37.eu-west-1.compute.amazonaws.com  (52.50.51.37:443)

Remove produpd.exe - Powered by Reason Core Security