citrio.exe

Citrio

Catalina Group Limited

The application citrio.exe by Catalina Group Limited has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address santarem-ip-179-124-24-50.zumtelecom.net.br on port 45949.
Publisher:
CatalinaGroup Ltd.  (signed by Catalina Group Limited)

Product:
Citrio

Version:
50.0.2661.274

MD5:
c544f72253805397d3da60879f232bcd

SHA-1:
35bdcc9876846f797ceabeac92823cb685708e16

SHA-256:
5d50c9d595adaea2aaaa3d854231bcf35e68d7dede73d49f1210d808875c5a5a

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
2/20/2017 8:48:07 PM UTC  (seven months ago)

Scan engine:
Reason Heuristics

Detection:
PUP.Catalina (M)

Engine version:
17.2.20.15

File size:
1 MB (1,083,264 bytes)

Product version:
50.0.2661.274

Copyright:
Copyright 2015 CatalinaGroup Ltd. All rights reserved.

Original file name:
citrio.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\catalinagroup\citrio\application\citrio.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
2/17/2017 12:38:00 AM

Valid to:
2/17/2018 12:38:00 AM

Subject:
CN=Catalina Group Limited, O=Catalina Group Limited, S=Kowloon, C=HK

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
00D1F54DBD687BD33F

File PE Metadata
Compilation timestamp:
2/18/2017 10:45:42 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

Entry address:
0x4D0F4

Entry point:
E8, 86, 97, 00, 00, E9, 7F, FE, FF, FF, CC, CC, 57, 56, 53, 33, FF, 8B, 44, 24, 14, 0B, C0, 7D, 14, 47, 8B, 54, 24, 10, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 14, 89, 54, 24, 10, 8B, 44, 24, 1C, 0B, C0, 7D, 14, 47, 8B, 54, 24, 18, F7, D8, F7, DA, 83, D8, 00, 89, 44, 24, 1C, 89, 54, 24, 18, 0B, C0, 75, 18, 8B, 4C, 24, 18, 8B, 44, 24, 14, 33, D2, F7, F1, 8B, D8, 8B, 44, 24, 10, F7, F1, 8B, D3, EB, 41, 8B, D8, 8B, 4C, 24, 18, 8B, 54, 24, 14, 8B, 44, 24, 10, D1, EB, D1, D9, D1, EA, D1, D8, 0B, DB, 75, F4, F7...

Entropy:
5.8706

Code size:
415 KB (424,960 bytes)

Shell Open Command
Open type:
ftp

Command:
"C:\users\{user}\appdata\local\catalinagroup\citrio\application\citrio.exe" -- "%1"

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to hosted.by.seedbox.io  (185.45.195.192:20173)

TCP (HTTP SSL):
Connects to algartelecom-fac001.cache.google.com  (189.112.10.18:443)

TCP (HTTP):
Connects to tracker.janky.solutions  (5.196.95.20:80)

TCP:
Connects to 189-041-033-6.xd-dynamic.algarnetsuper.com.br  (189.41.33.6:6800)

TCP (HTTP SSL):
Connects to mx-ll-110.164.16-49.static.3bb.co.th  (110.164.16.49:443)

TCP (HTTP SSL):
Connects to mx-ll-110.164.10-88.static.3bb.co.th  (110.164.10.88:443)

TCP (HTTP SSL):
Connects to mx-ll-110.164.10-108.static.3bb.co.th  (110.164.10.108:443)

TCP:
Connects to santarem-ip-179-124-24-50.zumtelecom.net.br  (179.124.24.50:45949)

TCP (HTTP SSL):
Connects to mx-ll-110.164.19-13.static.3bb.co.th  (110.164.19.13:443)

TCP:
Connects to ip-5-189-188-23.rz3.sivagooo.fr  (5.189.188.23:6882)

TCP:
Connects to bb24fd41.virtua.com.br  (187.36.253.65:14339)

TCP:
Connects to b3d8974b.virtua.com.br  (179.216.151.75:34132)

TCP:
Connects to 131.221.226.7.isp.linkceara.com.br  (131.221.226.7:10085)

TCP:
Connects to 186-243-83-182.user3g.veloxzone.com.br  (186.243.83.182:45481)

TCP:
Connects to 177.72.168.26.lucasnet.com.br  (177.72.168.26:64526)

TCP:
Connects to 137-118-194-183.htcnet.org  (137.118.194.183:51622)

TCP:
Connects to 131-0-217-102.cgnat-dyn-pool.reg.hughesnet.com.br  (131.0.217.102:33696)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-kut2.fbcdn.net  (157.240.10.23:443)

TCP (HTTP SSL):
Connects to TIG-Net241-18.trueintergateway.com  (113.21.241.18:443)

TCP (HTTP SSL):
Connects to TIG-Net241-17.trueintergateway.com  (113.21.241.17:443)
