produpd.exe

Vested Development, Inc

The executable produpd.exe has been detected as malware by 1 anti-virus scanner. It is set to automatically start when a user logs into Windows via the current user run registry key under the display name ‘produpd’. While running, it connects to the Internet address g1.formy.net on port 80 using the HTTP protocol.
Publisher:
Vested Development, Inc

Product:
produpd.exe

Version:
2.2.1.23

MD5:
0411b13109935fa34c7bb1479c640e0a

SHA-1:
f9091e7fc847d48c3ca35c5b518b73278d3939cd

SHA-256:
e06920778da45db0d62e4e7c5596e34b0df972937ef5768f991da3d7733a074c

Scanner detections:
1 / 68

Status:
Malware

Analysis date:
11/15/2024 2:51:02 AM UTC

Scan engine:
Reason Heuristics

Detection:
Trojan.Glupteba

Engine version:
16.12.6.13

File size:
542 KB (555,008 bytes)

Product version:
2.2.0.2

Copyright:
Copyright © 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
11/29/2016 11:47:37 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:1YkcDFhrTiq45i/rFdh05DW5D+syA623kpLNu1Ts:18iT5UdhNDRyA620pLNu1

Entry address:
0x2575C

Entry point:
E8, AA, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, B0, F2, 45, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 73, F8, FF, FF, F2, E9, DA, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 78, 90, 47, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B...
 

Entropy:
6.5445

Code size:
374.5 KB (383,488 bytes)

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
"C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe"

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to p087.purple.myloc.de  (85.114.133.87:444)

TCP:
Connects to l094.lemon.myloc.de  (93.186.192.94:444)

TCP:
Connects to icebergcone.com  (91.142.85.224:444)

TCP:
Connects to nodomen.ru  (89.184.67.224:8000)

TCP (HTTP):
Connects to ec2-54-167-21-11.compute-1.amazonaws.com  (54.167.21.11:80)

TCP:
Connects to awm.com  (185.31.161.100:444)

TCP:
Connects to 473.FR.mserv.xyz  (195.154.230.100:444)

TCP (HTTP):
Connects to ftp.receita.fazenda.gov.br  (161.148.231.100:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-fra3.facebook.com  (31.13.93.36:443)

TCP (HTTP):
Connects to static.37.58.243.136.clients.your-server.de  (136.243.58.37:80)

TCP (HTTP SSL):
Connects to srv81-165-240-87.vk.com  (87.240.165.81:443)

TCP (HTTP):
Connects to server-54-192-11-86.lhr3.r.cloudfront.net  (54.192.11.86:80)

TCP (HTTP SSL):
Connects to o2.mail.ru  (217.69.139.61:443)

TCP (HTTP SSL):
Connects to nyorbgdinet55-ns-mobile-vzw.verizonwireless.com  (162.115.210.210:443)

TCP (HTTP SSL):
Connects to mobileproxy.passport.yandex.net  (213.180.193.115:443)

TCP:
Connects to ip-static-94-242-254-135.server.lu  (94.242.254.135:8000)

TCP (HTTP SSL):
Connects to ip234.152.odnoklassniki.ru  (217.20.152.234:443)

TCP:
Connects to interviewder.net  (91.203.5.26:8000)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-ams3.facebook.com  (31.13.91.36:443)

TCP (HTTP SSL):
Connects to ec2-54-77-38-116.eu-west-1.compute.amazonaws.com  (54.77.38.116:443)

Powered by Reason Core Security