home

citrio.exe

Citrio

Catalina Group Limited

The application citrio.exe by Catalina Group Limited has been detected as a potentially unwanted program by 5 anti-malware scanners. While running, it connects to the Internet address edge-atlas-shv-01-amt2.facebook.com on port 443.
Publisher:
Epom Ltd.  (signed by Catalina Group Limited)

Product:
Citrio

Version:
42.0.2311.259

MD5:
e253836f00f6f067517730d3592af5b4

SHA-1:
304886ab74af6122922996dcf03bdca7975fb13e

SHA-256:
1a83c12729d6d27c885d3a784fdb0713105d918a9eb1926791125e9ce0901d99

Scanner detections:
5 / 68

Status:
Potentially unwanted

Analysis date:
5/29/2024 7:30:52 PM UTC  (today)

Scan engine
Detection
Engine version

Bkav FE
W32.HfsAdware
1.3.0.6379

Dr.Web
Adware.Downware.10572
9.0.1.0195

Panda Antivirus
PUP/Citrio
15.07.14.09

Reason Heuristics
PUP.Catalina.CatalinaGroup (M)
15.7.14.21

Trend Micro House Call
Suspicious_GEN.F47V0328
7.2.195

File size:
1 MB (1,083,280 bytes)

Product version:
42.0.2311.259

Copyright:
Copyright 2014 Epom Ltd. All rights reserved.

Original file name:
citrio.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\users\{user}\appdata\local\catalinagroup\citrio\application\citrio.exe

Digital Signature
Signed by:
Catalina Group Limited

Authority:
Starfield Technologies, Inc.

Valid from:
1/12/2015 2:36:38 PM

Valid to:
9/27/2016 4:56:54 AM

Subject:
CN=Catalina Group Limited, O=Catalina Group Limited, L=Kwun Tong, S=Hong Kong, C=HK

Issuer:
CN=Starfield Secure Certificate Authority - G2, OU=http://certs.starfieldtech.com/repository/, O="Starfield Technologies, Inc.", L=Scottsdale, S=Arizona, C=US

Serial number:
1855136D47C1A483

File PE Metadata
Compilation timestamp:
7/10/2015 9:13:33 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
12288:8hPBTy1NkKm2gwNsRTpD2/7zVNVDuj32dGtAsEZokccfMcxHB/uz9X+pPChNn32f:8h5T6k0Vr//s2F13UvHJ8PJ

Entry address:
0x4C204

Entry point:
E8, 64, 9F, 00, 00, E9, 7F, FE, FF, FF, CC, CC, 8B, 44, 24, 08, 8B, 4C, 24, 10, 0B, C8, 8B, 4C, 24, 0C, 75, 09, 8B, 44, 24, 04, F7, E1, C2, 10, 00, 53, F7, E1, 8B, D8, 8B, 44, 24, 08, F7, 64, 24, 14, 03, D8, 8B, 44, 24, 08, F7, E1, 03, D3, 5B, C2, 10, 00, 55, 8B, EC, 83, EC, 14, 53, 56, 33, DB, 57, 8B, 7D, 08, 89, 5D, F8, 89, 5D, F4, 89, 5D, FC, 85, FF, 75, 18, E8, F0, 13, 00, 00, 6A, 16, 5E, 89, 30, E8, 9C, D1, FF, FF, 8B, C6, 5F, 5E, 5B, 8B, E5, 5D, C3, 6A, 24, 68, FF, 00, 00, 00, 57, E8, CC, FA, FF, FF...
 
[+]

Entropy:
5.8425

Code size:
411 KB (420,864 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-amt2.fbcdn.net  (31.13.64.21:443)

TCP (HTTP):
Connects to c-k330-u1106-49.webazilla.com  (199.101.133.49:80)

TCP (HTTP SSL):
Connects to 212-39-82-173.ip.btc-net.bg  (212.39.82.173:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-amt2.facebook.com  (31.13.64.35:443)

TCP (HTTP SSL):
Connects to edge-atlas-shv-01-amt2.facebook.com  (31.13.64.2:443)

TCP (HTTP SSL):
Connects to 212-39-82-167.ip.btc-net.bg  (212.39.82.167:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-fra3.fbcdn.net  (31.13.93.7:443)

TCP (HTTP SSL):
Connects to fra07s31-in-f3.1e100.net  (173.194.112.131:443)

TCP (HTTP SSL):
Connects to fra07s27-in-f6.1e100.net  (173.194.112.6:443)

TCP (HTTP SSL):
Connects to edge-star-shv-12-frc3.facebook.com  (173.252.120.6:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-fra3.facebook.com  (31.13.93.3:443)

TCP (HTTP SSL):
Connects to a88-221-133-73.deploy.akamaitechnologies.com  (88.221.133.73:443)

TCP (HTTP SSL):
Connects to a88-221-133-144.deploy.akamaitechnologies.com  (88.221.133.144:443)

Remove citrio.exe - Powered by Reason Core Security
herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.