» partial_update_39.0.2171.248_39.0.2171.249_2.exe
Overview
Analysis
File Details

partial_update_39.0.2171.248_39.0.2171.249_2.exe

Citrio Installer

Catalina Group Limited

The application partial_update_39.0.2171.248_39.0.2171.249_2.exe by Catalina Group Limited has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat.

File name:

Publisher:

Epom Ltd. (signed by Catalina Group Limited)

Product:

Citrio Installer

Version:

39.0.2171.249

MD5:

65f8a4bde29152326699881b585af248

SHA-1:

2baf845719fa1589ab794ed6ba3a86df3d271b88

SHA-256:

8507247141907999f3362361f389b73fc1b9cfee936860936a67d5d00f175553

Scanner detections:

1 / 68

Status:

Potentially unwanted

Note:

Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:

4/26/2024 3:20:22 PM UTC (today)

Scan engine

Detection

Engine version

Reason Heuristics

PUP.Installer.CatalinaGroup

15.1.31.8

File size:

141.9 KB (145,296 bytes)

Product version:

39.0.2171.249

File type:

Executable application (Win32 EXE)

Common path:

C:\users\{user}\appdata\local\catalinagroup\update\install\{73528436-6360-432f-a67f-ac8a515be68c}\partial_update_39.0.2171.248_39.0.2171.249_2.exe

Digital Signature

Signed by:

Catalina Group Limited

Authority:

Starfield Technologies, Inc.

Valid from:

1/12/2015 7:36:38 PM

Valid to:

9/27/2016 9:56:54 AM

Subject:

CN=Catalina Group Limited, O=Catalina Group Limited, L=Kwun Tong, S=Hong Kong, C=HK

Issuer:

CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:

1855136D47C1A483

File PE Metadata

Compilation timestamp:

1/23/2015 1:44:33 AM

OS version:

5.1

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

12.0

CTPH (ssdeep):

3072:/+TTRAKKIo3g/hbzI1iHAIscSte/p6/PyXSrr11Zj0wv5giePUQt2pvd:/wRA6JXr0Xd

Entry address:

0x21BD

Entry point:

6A, 00, FF, 15, A8, 50, 40, 00, 50, E8, 63, 0A, 00, 00, 59, 50, FF, 15, 94, 50, 40, 00, CC, 55, 8B, EC, 81, EC, 14, 02, 00, 00, 53, 56, 8B, 75, 14, 85, F6, 0F, 84, BE, 00, 00, 00, FF, 75, 08, 8D, 4D, F8, FF, 75, 0C, FF, 75, 10, E8, AF, 0E, 00, 00, 8D, 4D, F8, E8, CC, 0E, 00, 00, 84, C0, 0F, 84, 9D, 00, 00, 00, 8D, 4D, F8, E8, C4, 0E, 00, 00, 83, F8, 01, 0F, 82, 8C, 00, 00, 00, 8D, 4D, F8, E8, B3, 0E, 00, 00, 3B, 05, 54, 15, 40, 00, 77, 7C, FF, 36, 33, C0, BB, 04, 01, 00, 00, 66, 89, 45, F4, 66, 89, 85, EC... 
[+]

Entropy:

5.2995

Packer / compiler:

FASM v1.3x

Code size:

8.5 KB (8,704 bytes)

Remove partial_update_39.0.2171.248_39.0.2171.249_2.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.