produpd.exe

VDI Shared Product Update Tools

VDI

The executable produpd.exe, whose version resource describes it as "Product updater system service" from publisher "VDI", has been flagged as malware by 2 of 68 anti-virus engines, with ESET NOD32 naming it Win32/Glupteba.AL. Despite the "system service" description it is a Windows GUI-subsystem executable, installed under the user's roaming AppData directory rather than Program Files, and it is started at every logon by a value named 'produpd' in the current-user Run registry key, not as a service. While running it has been observed connecting to some twenty Internet hosts, including signin.g.ebay.com on port 443 and several servers on the non-standard port 444 (see the network section below).
Publisher:
VDI

Product:
VDI Shared Product Update Tools

Description:
Product updater system service

File version:
2.0.0.163

MD5:
875df1249b09c2dc997706dbfab2f61e

SHA-1:
5bbd66643045f634645d302208f708ed2e572925

SHA-256:
50cb85f28824202910a6c25bec79765428b64757a2face4e1eb348566e6331dd

Scanner detections:
2 / 68

Status:
Malware

Analysis date:
4/24/2024 10:40:35 PM UTC

Detections (scan engine: detection, engine version):
avast!: Win32:Malware-gen (engine version 160906-2)
ESET NOD32: Win32/Glupteba.AL trojan (engine version 6.3.12010.0)

File size:
509 KB (521,216 bytes)

Product version:
2.0.0.1

Copyright:
Copyright (C) 2016

Original file name:
produpd.exe

File type:
Executable application (Win32 EXE)

Language:
Russian (Russia)

Common path:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe

File PE Metadata
Compilation timestamp:
9/7/2016 10:40:49 AM

OS version:
6.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
14.0

CTPH (ssdeep):
12288:XaIKRfxb//ssW8YtXWvNgfCZla5Q2wqTvATEVG4v2jLGjQgHkzDH:Xh5ldWviCZlVqjATEs4v2mjQgHkHH

Entry address:
0x1CC98

Entry point:
E8, 3E, 09, 00, 00, E9, 8E, FE, FF, FF, FF, 25, AC, B2, 45, 00, 8B, 4D, F4, 64, 89, 0D, 00, 00, 00, 00, 59, 5F, 5F, 5E, 5B, 8B, E5, 5D, 51, F2, C3, 8B, 4D, F0, 33, CD, F2, E8, 8C, F8, FF, FF, F2, E9, DA, FF, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 70, 20, 47, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, F2, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B...
 

Entropy:
6.5521

Code size:
358.5 KB (367,104 bytes)
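The entropy figure above (6.5521 bits per byte over the whole file) is the kind of value an unpacked native executable produces; packed or encrypted samples usually sit above roughly 7.2, and whole-file entropy hides a packed section behind plain headers and resources, so per-section values are the more telling check. The following is an added example, not a tool from the page or from Reason Core Security: it computes Shannon entropy and sorts constructed byte blocks (not bytes of produpd.exe) into rule-of-thumb bands. The band thresholds and the pseudo-random filler are assumptions of this example.

```python
import hashlib
import math
from collections import Counter
from typing import Dict


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_band(bits: float) -> str:
    """Rough triage bands; the thresholds are rules of thumb, not hard limits."""
    if bits >= 7.2:
        return "packed or encrypted"
    if bits >= 5.0:
        return "ordinary compiled code and data"
    return "sparse or repetitive"


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a packed section."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed inputs, not bytes of the sample: a block with a code-like byte
# distribution, a pseudo-random block, and a run of alignment padding.
SECTIONS: Dict[str, bytes] = {
    ".text-like": bytes(range(256)) * 16 + b"\x8b\x45\xfc\x33\xc5" * 400 + b"\x00" * 600,
    "packed-like": pseudo_random(65536),
    "padding": b"\x00" * 4000 + b"\xcc" * 96,
}


def triage(sections: Dict[str, bytes]) -> Dict[str, str]:
    """Band each section so a packed region stands out even if the file-wide value looks normal."""
    return {name: entropy_band(shannon_entropy(data)) for name, data in sections.items()}


if __name__ == "__main__":
    for name, data in SECTIONS.items():
        print(f"{name:12} {shannon_entropy(data):.4f}  {entropy_band(shannon_entropy(data))}")
```

With a real file, feed each PE section's raw bytes (for example from a PE parser such as pefile) to `shannon_entropy` rather than the whole file; a 6.5 file-wide value with one section near 8.0 is the signature of a packed payload that the whole-file figure averages away.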

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
produpd

Command:
C:\users\{user}\appdata\roaming\vdi\shared\product updater\produpd.exe


The file has been observed making the following network connections in live environments (protocol as labelled by the sandbox, resolved hostname, IP:port).

TCP (mail submission, port 587): sfwd01.sul.t-online.com (194.25.134.110:587)
TCP (HTTP): static.213.80.243.136.clients.your-server.de (136.243.80.213:80)
TCP (HTTP SSL): server-205-251-219-87.arn1.r.cloudfront.net (205.251.219.87:443)
TCP (HTTP SSL): o2.mail.ru (94.100.180.61:443)
TCP (HTTP SSL): a23-53-33-174.deploy.static.akamaitechnologies.com (23.53.33.174:443)
TCP (HTTP): yandex.ru (5.255.255.5:80)
TCP (HTTP): l2top.ru (91.121.37.31:80)
TCP (port 444, no standard service): icebergcone.com (91.142.85.224:444)
TCP (HTTP SSL): ec2-54-247-184-177.eu-west-1.compute.amazonaws.com (54.247.184.177:443)
TCP (HTTP SSL): signin.g.ebay.com (66.211.181.81:443)
TCP (HTTP SSL): sso.suntrust.com (167.181.46.184:443)
TCP (HTTP SSL): sigin.ebay.com (66.135.204.237:443)
TCP (HTTP): rightnow.cdn.promodj.com (91.213.196.100:80)
TCP (HTTP): p3slh155.shr.phx3.secureserver.net (72.167.131.16:80)
TCP (HTTP): is-dccache02.i.smailru.net (188.93.56.113:80)
TCP (port 444, no standard service): ip-static-94-242-254-135.server.lu (94.242.254.135:444)
TCP (HTTP SSL): ip159.156.odnoklassniki.ru (217.20.156.159:443)
TCP (port 444, no standard service): ih425675.dedic.myihor.ru (193.124.177.10:444)
TCP (HTTP SSL): ec2-52-89-83-8.us-west-2.compute.amazonaws.com (52.89.83.8:443)
TCP (HTTP): ec2-52-8-128-181.us-west-1.compute.amazonaws.com (52.8.128.181:80)

Three of these connections use TCP port 444, which is not a standard web or mail port, and one uses the mail submission port 587; the three port-444 hosts (icebergcone.com, a static IP at server.lu and a dedicated server at myihor.ru) are the most specific indicators in this list. The remaining destinations are CDN edges, cloud instances and widely used consumer sites (mail.ru, yandex.ru, odnoklassniki.ru, eBay, SunTrust) that browsers and ordinary software also contact, so on their own they do not identify this file; they are meaningful only together with the process name or the Run-key entry above.
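Turning the listing above into a detection means weighting the indicators, because a bare hit on an eBay or CDN address would page an analyst for normal traffic. The script below is an added example, not a rule shipped with the page or by Reason Core Security. It loads a subset of the destinations above as (host, IP, port) indicators, parses constructed key=value proxy log lines (the timestamps, internal addresses and the 203.0.113.7 entry are invented for the example), matches on hostname first and on IP:port when no hostname was logged, and ranks each hit: connections on ports other than 80/443 are "high", hits on shared or consumer infrastructure are "context" only. The log format and the confidence bands are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Destinations copied from the listing above as (host, ip, port); the other
# CDN and cloud entries were left out of this example for brevity.
PAGE_IOCS: List[Tuple[str, str, int]] = [
    ("sfwd01.sul.t-online.com", "194.25.134.110", 587),
    ("static.213.80.243.136.clients.your-server.de", "136.243.80.213", 80),
    ("o2.mail.ru", "94.100.180.61", 443),
    ("yandex.ru", "5.255.255.5", 80),
    ("l2top.ru", "91.121.37.31", 80),
    ("icebergcone.com", "91.142.85.224", 444),
    ("signin.g.ebay.com", "66.211.181.81", 443),
    ("sso.suntrust.com", "167.181.46.184", 443),
    ("sigin.ebay.com", "66.135.204.237", 443),
    ("ip-static-94-242-254-135.server.lu", "94.242.254.135", 444),
    ("ih425675.dedic.myihor.ru", "193.124.177.10", 444),
    ("ec2-54-247-184-177.eu-west-1.compute.amazonaws.com", "54.247.184.177", 443),
]

# Domains that plenty of legitimate software also talks to. A hit here means
# nothing by itself; only the combination with the process (produpd.exe) or a
# high-confidence hit from the same source host matters.
SHARED_OR_CONSUMER = ("ebay.com", "suntrust.com", "mail.ru", "yandex.ru",
                      "amazonaws.com", "cloudfront.net", "akamaitechnologies.com")

HOST_INDEX: Dict[str, Tuple[str, int]] = {h: (ip, p) for h, ip, p in PAGE_IOCS}
IPPORT_INDEX: Dict[Tuple[str, int], str] = {(ip, p): h for h, ip, p in PAGE_IOCS}


def _under(host: str, suffixes: Tuple[str, ...]) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def confidence(host: str, port: int) -> str:
    """Rank an indicator: the odd ports are the strongest signal on this page."""
    if port not in (80, 443):
        return "high"        # 444 has no standard service; 587 is mail submission
    if _under(host, SHARED_OR_CONSUMER):
        return "context"     # legitimate destination; needs process or other evidence
    return "medium"


@dataclass
class Match:
    ts: str
    src: str
    dst: str
    port: int
    host: str          # indicator hostname from the page
    matched_on: str    # "host" or "ip:port"
    confidence: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Parse one key=value log line; returns None for blank or malformed input."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(_KV.findall(parts[1]))
    if not all(k in fields for k in ("src", "dst", "dport")):
        return None
    return {"ts": parts[0], "src": fields["src"], "dst": fields["dst"],
            "port": int(fields["dport"]), "host": fields.get("host", "-")}


def match_iocs(log_text: str) -> List[Match]:
    """Hostname match first (survives IP changes), IP:port when no hostname was logged."""
    matches: List[Match] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = rec["host"].lower()
        if host in HOST_INDEX:
            matched_on, ioc_host = "host", host
        elif (rec["dst"], rec["port"]) in IPPORT_INDEX:
            matched_on, ioc_host = "ip:port", IPPORT_INDEX[(rec["dst"], rec["port"])]
        else:
            continue
        matches.append(Match(rec["ts"], rec["src"], rec["dst"], rec["port"], ioc_host,
                             matched_on, confidence(ioc_host, rec["port"])))
    return matches


def hosts_needing_attention(log_text: str) -> Dict[str, List[str]]:
    """Group hit confidences by internal source; any "high" entry is worth isolating."""
    by_src: Dict[str, List[str]] = {}
    for m in match_iocs(log_text):
        by_src.setdefault(m.src, []).append(m.confidence)
    return by_src


# Constructed proxy log, not captured traffic. 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
2024-04-24T22:41:02Z src=10.0.0.15 dst=66.211.181.81 dport=443 host=signin.g.ebay.com
2024-04-24T22:41:07Z src=10.0.0.15 dst=91.142.85.224 dport=444 host=icebergcone.com
2024-04-24T22:41:09Z src=10.0.0.15 dst=194.25.134.110 dport=587 host=sfwd01.sul.t-online.com
2024-04-24T22:41:11Z src=10.0.0.22 dst=203.0.113.7 dport=443 host=www.example.net
2024-04-24T22:41:15Z src=10.0.0.15 dst=94.242.254.135 dport=444 host=-
"""

if __name__ == "__main__":
    for m in match_iocs(SAMPLE_LOG):
        print(f"{m.ts} {m.src} -> {m.host} ({m.dst}:{m.port}) via {m.matched_on}: {m.confidence}")
```

The IP addresses in the listing are what the sandbox resolved on the analysis date; CDN, cloud and consumer hosts rotate addresses, so the hostname (or TLS SNI) match is the durable one and the IP:port index is a fallback for logs that record no name. Where endpoint telemetry is available, filter on the originating image path first; every destination here is far more specific when the client is produpd.exe running from AppData\Roaming.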

Remove produpd.exe - Powered by Reason Core Security