youtube-dl.exe

Catalina Group Limited

The application youtube-dl.exe by Catalina Group Limited has been detected as a potentially unwanted program by 1 anti-malware scanner, with very strong indications that the file is a potential threat. While running, it connects to the Internet address 213-241-89-53.static.ip.netia.com.pl on port 443.
Publisher:
Catalina Group Limited (signed and verified)

MD5:
c7ccf05fd7fa091df13dea500fde0690

SHA-1:
09fd1ad49c1cbeda0e2798e2a4cc40ce843e5ac1

SHA-256:
c7d5c37ee203f1725ddf609c458b8fd6e9ac36a7412af8d9ad70168b6ecf99a5

Scanner detections:
1 / 68

Status:
Potentially unwanted

Note:
Our current pool of anti-malware engines has not detected this file; however, based on our own detection heuristics, we consider this file unwanted.

Analysis date:
4/24/2024 1:10:02 PM UTC

Scan engine:
Reason Heuristics

Detection:
PUP.Catalina (M)

Engine version:
16.3.25.20

File size:
3 MB (3,172,752 bytes)

File type:
Executable application (Win32 EXE)

Common path:
C:\users\{user}\appdata\local\catalinagroup\citrio\user data\default\extensions\dcagnhpbnggmbihndfkkhfjojgbaaedo\1.2.38_0\binaries\win\youtube-dl.exe

Digital Signature
Authority:
Starfield Technologies, Inc.

Valid from:
1/12/2015 9:36:38 AM

Valid to:
9/26/2016 10:56:54 PM

Subject:
CN=Catalina Group Limited, O=Catalina Group Limited, L=Kwun Tong, S=Hong Kong, C=HK

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
1855136D47C1A483

File PE Metadata
Compilation timestamp:
1/3/2015 9:24:03 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
2.23

CTPH (ssdeep):
49152:xeTXsBW0M0B5Rqp7cJ9WAGod0fptpcyZtAgeHyS+HD1iCsZcKXLRExfINrt7esf:xwsBO0J6gXWAvKfbpNMSRpiDZcKXexw/

Entry address:
0x1500

Entry point:
83, EC, 0C, C7, 05, F8, 20, 41, 00, 00, 00, 00, 00, E8, DE, 77, 00, 00, 83, C4, 0C, E9, 66, FC, FF, FF, 90, 90, 90, 90, 90, 90, 57, 83, EA, 58, 56, 53, 89, C3, 83, EC, 10, C7, 44, 24, 08, 00, 00, 00, 00, 89, 54, 24, 04, 8B, 00, 89, 04, 24, E8, 3F, 7F, 00, 00, 85, C0, 75, 40, 8B, 03, 8D, 73, 10, C7, 44, 24, 08, 01, 00, 00, 00, C7, 44, 24, 04, 58, 00, 00, 00, 89, 34, 24, 89, 44, 24, 0C, E8, 22, 7F, 00, 00, 85, C0, 74, 1B, BF, 5C, B0, 40, 00, B9, 08, 00, 00, 00, F3, A6, 0F, 95, C0, 83, C4, 10, 0F, B6, C0, 5B...

Code size:
34.5 KB (35,328 bytes)

The executing file has been seen to make the following network communications in live environments.


Remove youtube-dl.exe - Powered by Reason Core Security