colhost.exe

The executable colhost.exe has been detected as malware by 22 anti-virus scanners. This is a setup program which is used to install the application. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. The file has been seen being downloaded from m.xxxl84675900374.com and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 1001.
MD5:
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA-1:
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA-256:
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

Scanner detections:
22 / 68

Status:
Malware

Explanation:
The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:
12/29/2024 6:50:49 AM UTC  (today)

Scan engine
Detection
Engine version

Agnitum Outpost
Trojan.CoinMiner
7.1.1

AhnLab V3 Security
Trojan/Win64.BitCoinMiner
2014.09.11

Avira AntiVirus
TR/CoinMiner.J
7.11.171.150

AVG
Skodna.BitCoinMiner
2015.0.3352

Baidu Antivirus
Hacktool.Win32.Bitcoinminer
4.0.3.14913

Bkav FE
HW64.Paked
1.3.0.4959

Clam AntiVirus
Win.Trojan.Coinminer-9
0.98/23041

Comodo Security
UnclassifiedMalware
19471

Dr.Web
hacktool program Tool.BtcMine.431
9.0.1.05190

Emsisoft Anti-Malware
Application.Bitcoinminer.HH
11.5.0.6191

ESET NOD32
Win64/CoinMiner.J trojan
6.3.12010.0

F-Prot
W64/BitCoinMiner.E
4.6.5.141

F-Secure
Trojan:W32/BitCoinMiner.G
5.15.154

IKARUS anti.virus
Trojan.Win64.CoinMiner
t3scan.1.7.8.0

Kaspersky
not-a-virus:RiskTool.Win64.BitCoinMiner
15.0.2.529

McAfee
Artemis!EEDB9D86AE8A
5600.7008

Norman
Application.Bitcoinminer.HH
28.05.2016 13:03:37

Rising Antivirus
PE:Trojan.Win32.Generic.1724D5DA!388290010
23.00.65.14911

Trend Micro House Call
TROJ_GEN.R0CBH05I314
7.2.256

VIPRE Antivirus
Threat.4150696
47432

ViRobot
Trojan.Win64.S.BitCoinMiner.1563136
2011.4.7.4223

File size:
1.5 MB (1,563,136 bytes)

File type:
Executable application (Win64 EXE)

File PE Metadata
Compilation timestamp:
7/23/2014 2:54:38 PM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows Console

Linker version:
11.0

CTPH (ssdeep):
24576:Mf79KQimeoyEgM8dSGDeCAQ4GYwEkYEDI3BiiVzKJo23bvH5xh8wtDzgClYAdC51:b3EciPG9E/LBVeJo2Vsw57lYAA51

Entry address:
0x32228A

Entry point:
E9, D5, 7D, 07, 00, E9, 98, 47, 00, 00, 8C, 1D, BB, 8C, F9, 50, B3, 58, E5, EB, 69, 62, 61, 0B, 5E, 1C, CF, 7D, F8, D2, 3E, 56, BF, 0F, A6, 18, 60, 70, 7B, 19, 28, 9E, ED, E3, 82, 10, F8, F8, 63, 01, 79, 61, F4, A6, 05, A7, FE, A0, 07, ED, DF, 71, 36, 2C, BD, 00, 34, 18, 87, 31, 05, AD, AD, 39, D0, 14, ED, 4C, B6, 9D, 14, BD, FF, FF, FF, 9A, 1D, DF, 52, 85, 49, C1, 35, 03, F4, AC, EC, 61, 3C, AF, D9, 32, 5E, BC, FF, FF, FF, 8E, AB, 71, D8, 8B, E7, FF, FF, FF, 48, F5, E2, 4F, 87, 2C, 50, DB, 67, 96, 69, 10...
 
[+]

Packer / compiler:
Xtreme-Protector v1.05

Code size:
669 KB (685,056 bytes)

The file colhost.exe has been seen being distributed by the following 50 URLs.

http://m.xxxl84675900374.com/foo/YK9irRWbEepJ2wm_KP_5MQ/1458139751/.../svchost.exe

http://m.sony4gamesman.com/foo/N_qrCScE7d0xAntftx8ymg/1484852007/.../svchost.exe

http://m.sony4gamesman.com/foo/DVBeBgn371VKvQUQB6_L_Q/1481445299/.../svchost.exe

http://m.sony4gamesman.com/foo/Hx3Rl2d9AmKIk8zSDKPplQ/1480770250/.../svchost.exe

http://m.girl8349237543.com/foo/TJaxrkc4nENDe2E3bmoeLQ/1437336404/.../svchost.exe

http://m.sony4gamesman.com/foo/DBwsS_p95nos425IbYnvgg/1483467519/.../svchost.exe

http://m.sony4gamesman.com/foo/V0n1dFwJyHYp1fLKkYB0bQ/1485264840/.../svchost.exe

http://m.sony4gamesman.com/foo/64D8O9pq-4oxsG3PT1QZzA/1485877762/.../svchost.exe

http://m.sony4gamesman.com/foo/nikceH-T8QllD2_EYDw9XQ/1478842242/.../svchost.exe

http://m.sony4gamesman.com/foo/K5UxytnGl5VSW1ltoPjdaQ/1481557275/.../svchost.exe

http://m.sony4gamesman.com/foo/EK9IKgepmZahGF0zgIvrHA/1482181737/.../svchost.exe

http://m.sony4gamesman.com/foo/XhXdwGBDkBCuRQdyAM5N3g/1483132840/.../svchost.exe

http://m.xxxl84675900374.com/foo/5B_EnISnniY8Y6-wb7dy9Q/1477956679/.../svchost.exe

http://m.xxxl84675900374.com/foo/N9QbCesBvLfHdV2Zf3OK9g/1482048000/.../svchost.exe

http://m.sony4gamesman.com/foo/XCu_VjTyhhTonafYAKWOxA/1483710016/.../svchost.exe

http://m.sony4gamesman.com/foo/UBqgZKm5MUsDUfdlP67hOg/1484315245/.../svchost.exe

http://m.icolor19495344.com/foo/QCdDLnDhVHENPyEs_gYCxQ/1485721988/.../svchost.exe

http://m.sony4gamesman.com/foo/9yDHyDaSMTVv349hX2KdWQ/1483910299/.../svchost.exe

http://m.sony4gamesman.com/foo/lMbARbB4WmB2MML8XrOIxQ/1480441065/.../svchost.exe

http://m.sony4gamesman.com/foo/G0qFPCSRfq131QxR_6h_2Q/1487309769/.../svchost.exe

http://m.sony4gamesman.com/foo/4URPgUFglBfjs0bX5147dA/1483004748/.../svchost.exe

http://m.cn94857395.com/foo/-_xBrzV1wBMoGcPLcb-Dyw/1455365378/.../svchost.exe

http://m.sony4gamesman.com/foo/Hc5daCT8XU4v6ne7F8SCyQ/1480587256/.../svchost.exe

http://m.sony4gamesman.com/foo/H6sHYf1QHTFMkH6HOKzKAQ/1482661286/.../svchost.exe

http://m.xxxl84675900374.com/foo/aeBUvyE8R7dj68-471Bmhg/1478182695/.../svchost.exe

http://m.sony4gamesman.com/foo/OvrX4opKzvO46aa15JEHOQ/1482005501/.../svchost.exe

http://m.sony4gamesman.com/foo/fozbYFPGr7axsZF7dzxczQ/1470940460/.../svchost.exe

http://m.sony4gamesman.com/foo/MHLD2elNpU1V9-cmBEinPg/1479123696/.../svchost.exe

http://m.sony4gamesman.com/foo/SjYdxemCqI7fH_nQWQs4QQ/1480444788/.../svchost.exe

http://m.xxxl84675900374.com/foo/O_UERnxvdGhNvXcLvPyIiQ/1481216575/.../svchost.exe

Latest 30 of 169 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP:
Connects to static.13.31.201.138.clients.your-server.de  (138.201.31.13:3333)

TCP:
Connects to static.14.31.201.138.clients.your-server.de  (138.201.31.14:3333)

TCP:
Connects to static.12.31.201.138.clients.your-server.de  (138.201.31.12:3336)

TCP:
Connects to hosted-by.leaseweb.com  (46.165.232.77:1001)

TCP:
Connects to 163-172-38-13.rev.poneytelecom.eu  (163.172.38.13:1111)

Remove colhost.exe - Powered by Reason Core Security