citrio.exe

Citrio

Catalina Group Limited

The application citrio.exe by Catalina Group Limited has been detected as a potentially unwanted program by 6 anti-malware scanners. While running, it connects to the Internet address c-k330-u1106-49.webazilla.com on port 80 using the HTTP protocol.
Publisher:
Epom Ltd.  (signed by Catalina Group Limited)

Product:
Citrio

Version:
42.0.2311.258

MD5:
f8fd41abf88ad243720d53e9f45ff095

SHA-1:
01227a88ad3e336741cb79f2eee964f05cf89236

SHA-256:
383c6afb12fe60d8b00ace7dd0d6dd0beaefe5bb2c7d3c6d18c9d04a1e4fb001

Scanner detections:
6 / 68

Status:
Potentially unwanted

Analysis date:
11/24/2024 12:43:16 PM UTC  (today)

Scan engine
Detection
Engine version

Avira AntiVirus
W32/Ramnit.C
7.11.30.172

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Downware.10572
9.0.1.05190

Panda Antivirus
PUP/Citrio
15.06.15.11

Reason Heuristics
PUP.Catalina.CatalinaGroup
15.6.15.7

Trend Micro House Call
Suspicious_GEN.F47V0328
7.2.166

File size:
1 MB (1,084,304 bytes)

Product version:
42.0.2311.258

Copyright:
Copyright 2014 Epom Ltd. All rights reserved.

Original file name:
citrio.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\catalinagroup\citrio\application\citrio.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
1/12/2015 2:36:38 PM

Valid to:
9/27/2016 4:56:54 AM

Subject:
CN=Catalina Group Limited, O=Catalina Group Limited, L=Kwun Tong, S=Hong Kong, C=HK

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
1855136D47C1A483

File PE Metadata
Compilation timestamp:
6/11/2015 3:46:28 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:Ddx7RfARThkIhcFN39wBh7BRJ3KzLipeh/YIxnQIgj8G3Aj119dCE3bWOxloMR8P:D/7RC0iR3M1a6aEdUtkTh/

Entry address:
0x4C204

Entry point:
E8, F0, 9E, 00, 00, E9, 7F, FE, FF, FF, CC, CC, 8B, 44, 24, 08, 8B, 4C, 24, 10, 0B, C8, 8B, 4C, 24, 0C, 75, 09, 8B, 44, 24, 04, F7, E1, C2, 10, 00, 53, F7, E1, 8B, D8, 8B, 44, 24, 08, F7, 64, 24, 14, 03, D8, 8B, 44, 24, 08, F7, E1, 03, D3, 5B, C2, 10, 00, 55, 8B, EC, 83, EC, 14, 53, 56, 33, DB, 57, 8B, 7D, 08, 89, 5D, F8, 89, 5D, F4, 89, 5D, FC, 85, FF, 75, 18, E8, F0, 13, 00, 00, 6A, 16, 5E, 89, 30, E8, A0, D1, FF, FF, 8B, C6, 5F, 5E, 5B, 8B, E5, 5D, C3, 6A, 24, 68, FF, 00, 00, 00, 57, E8, CC, FA, FF, FF...
 
[+]

Entropy:
6.0201

Code size:
411 KB (420,864 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to c-k330-u1106-49.webazilla.com  (199.101.133.49:80)

TCP (HTTP SSL):
Connects to a104-96-156-109.deploy.static.akamaitechnologies.com  (104.96.156.109:443)

TCP (HTTP):
Connects to a5-22-191-241.deploy.akamaitechnologies.com  (5.22.191.241:80)

TCP (HTTP SSL):
Connects to a104-103-83-193.deploy.static.akamaitechnologies.com  (104.103.83.193:443)

TCP (HTTP):
Connects to 74.113.237.38.lv.iaccap.com  (74.113.237.38:80)

TCP (HTTP):
Connects to supplies.epson-europe.com  (193.172.19.154:80)

TCP (HTTP):
Connects to cdce.fra004.internap.com  (95.172.71.43:80)

TCP (HTTP):
Connects to 74.113.233.38.df.iaccap.com  (74.113.233.38:80)

Remove citrio.exe - Powered by Reason Core Security