citrio.exe

Citrio

Catalina Group Limited

The application citrio.exe by Catalina Group Limited has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address 5-226-127-224.static.ip.netia.com.pl on port 443.
Publisher:
CatalinaGroup Ltd.  (signed by Catalina Group Limited)

Product:
Citrio

Version:
50.0.2661.273

MD5:
8827e46f1513b7f57ddcdaf3775d180f

SHA-1:
d953801da131d0a5a8a038a1b72f173ecb4ea52d

SHA-256:
dd945d23ef5cfc987a56f6cbcec85ab90362f45fd77be98f5f3a4ce702c4f3ad

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/25/2024 3:14:04 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Catalina (M)
16.9.27.9

File size:
1 MB (1,083,792 bytes)

Product version:
50.0.2661.273

Copyright:
Copyright 2015 CatalinaGroup Ltd. All rights reserved.

Original file name:
citrio.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\catalinagroup\citrio\application\citrio.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
1/12/2015 6:36:38 PM

Valid to:
9/27/2016 8:56:54 AM

Subject:
CN=Catalina Group Limited, O=Catalina Group Limited, L=Kwun Tong, S=Hong Kong, C=HK

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
1855136D47C1A483

File PE Metadata
Compilation timestamp:
9/23/2016 6:05:09 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:t/QMbgsfKBOtLL8jmA22K7dbU1vTMI8lMxi18EnsB7gb3h4M8T1R6O4DqnLeUE3H:t/QsEq7zif1RWqKU5kJ1X

Entry address:
0x4D0F4

Entry point:
E8, 86, 97, 00, 00, E9, 7F, FE, FF, FF, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1, D9, D1, EA, D1, D8, 0B, DB, 75, F4, F7...
 
[+]

Entropy:
6.0508

Code size:
415 KB (424,960 bytes)

Shell Open Command
Open type:
ftp

Command:
"C:\users\{user}\appdata\local\catalinagroup\citrio\application\citrio.exe" -- "%1"


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to server-54-192-229-205.waw50.r.cloudfront.net  (54.192.229.205:80)

TCP (HTTP SSL):
Connects to lr-in-f157.1e100.net  (209.85.233.157:443)

TCP (HTTP SSL):
Connects to cache.google.com  (77.252.2.88:443)

TCP (HTTP SSL):
Connects to a104-81-215-123.deploy.static.akamaitechnologies.com  (104.81.215.123:443)

TCP (HTTP SSL):
Connects to a104-81-123-199.deploy.static.akamaitechnologies.com  (104.81.123.199:443)

TCP (HTTP SSL):
Connects to 5-226-127-224.static.ip.netia.com.pl  (5.226.127.224:443)

TCP (HTTP):
Connects to 5-226-127-159.static.ip.netia.com.pl  (5.226.127.159:80)

TCP (HTTP SSL):
Connects to spdc.pbp.vip.ir2.yahoo.com  (188.125.66.33:443)

TCP (HTTP SSL):
Connects to 213-241-89-59.static.ip.netia.com.pl  (213.241.89.59:443)

TCP (HTTP):
Connects to 213-241-89-53.static.ip.netia.com.pl  (213.241.89.53:80)

TCP (HTTP SSL):
Connects to rev-194-9-24-80.atman.pl  (194.9.24.80:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-waw1.facebook.com  (31.13.81.36:443)

TCP (HTTP SSL):
Connects to 213-241-87-24.static.ip.netia.com.pl  (213.241.87.24:443)

TCP (HTTP):
Connects to 61-91-17-109.static.asianet.co.th  (61.91.17.109:80)

TCP (HTTP SSL):
Connects to a104-87-166-229.deploy.static.akamaitechnologies.com  (104.87.166.229:443)

TCP (HTTP SSL):
Connects to root.omnitagjs.com  (5.196.119.249:443)

TCP (HTTP SSL):
Connects to ec2-107-21-112-119.compute-1.amazonaws.com  (107.21.112.119:443)

TCP (HTTP):
Connects to a104-81-219-173.deploy.static.akamaitechnologies.com  (104.81.219.173:80)

TCP (HTTP):
Connects to 85.242.178.107.bc.googleusercontent.com  (107.178.242.85:80)

TCP (HTTP SSL):
Connects to 213-241-89-32.static.ip.netia.com.pl  (213.241.89.32:443)

Remove citrio.exe - Powered by Reason Core Security