» colhost.exe
Overview
Analysis
File Details
Downloads (169)
Network (8)

colhost.exe

The executable colhost.exe has been detected as malware by 22 anti-virus scanners. This is a setup program which is used to install the application. This is a malicious Bitcoin miner. Bitcoin-mining malware is designed to force computers to generate Bitcoins for cybercriminals' use and consumes computing power. The file has been seen being downloaded from m.xxxl84675900374.com and multiple other hosts. While running, it connects to the Internet address hosted-by.leaseweb.com on port 1001.

File name:

colhost.exe

MD5:

eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA-1:

ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA-256:

d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

Scanner detections:

22 / 68

Status:

Malware

Explanation:

The program will mine for BitCoins using the computer's GPU in the background and may be installed and run without the user's knowledge.

Analysis date:

11/15/2024 7:11:51 PM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

Trojan.CoinMiner

7.1.1

AhnLab V3 Security

Trojan/Win64.BitCoinMiner

2014.09.11

Avira AntiVirus

TR/CoinMiner.J

7.11.171.150

AVG

Skodna.BitCoinMiner

2015.0.3352

Baidu Antivirus

Hacktool.Win32.Bitcoinminer

4.0.3.14913

Bkav FE

HW64.Paked

1.3.0.4959

Clam AntiVirus

Win.Trojan.Coinminer-9

0.98/23041

Comodo Security

UnclassifiedMalware

19471

Dr.Web

hacktool program Tool.BtcMine.431

9.0.1.05190

Emsisoft Anti-Malware

Application.Bitcoinminer.HH

11.5.0.6191

ESET NOD32

Win64/CoinMiner.J trojan

6.3.12010.0

F-Prot

W64/BitCoinMiner.E

4.6.5.141

F-Secure

Trojan:W32/BitCoinMiner.G

5.15.154

IKARUS anti.virus

Trojan.Win64.CoinMiner

t3scan.1.7.8.0

Kaspersky

not-a-virus:RiskTool.Win64.BitCoinMiner

15.0.2.529

McAfee

Artemis!EEDB9D86AE8A

5600.7008

Norman

Application.Bitcoinminer.HH

28.05.2016 13:03:37

Rising Antivirus

PE:Trojan.Win32.Generic.1724D5DA!388290010

23.00.65.14911

Trend Micro House Call

TROJ_GEN.R0CBH05I314

7.2.256

VIPRE Antivirus

Threat.4150696

47432

ViRobot

Trojan.Win64.S.BitCoinMiner.1563136

2011.4.7.4223

File size:

1.5 MB (1,563,136 bytes)

File type:

Executable application (Win64 EXE)

File PE Metadata

Compilation timestamp:

7/23/2014 2:54:38 PM

OS version:

5.2

OS bitness:

Win64

Subsystem:

Windows Console

Linker version:

11.0

CTPH (ssdeep):

24576:Mf79KQimeoyEgM8dSGDeCAQ4GYwEkYEDI3BiiVzKJo23bvH5xh8wtDzgClYAdC51:b3EciPG9E/LBVeJo2Vsw57lYAA51

Entry address:

0x32228A

Entry point:

E9, D5, 7D, 07, 00, E9, 98, 47, 00, 00, 8C, 1D, BB, 8C, F9, 50, B3, 58, E5, EB, 69, 62, 61, 0B, 5E, 1C, CF, 7D, F8, D2, 3E, 56, BF, 0F, A6, 18, 60, 70, 7B, 19, 28, 9E, ED, E3, 82, 10, F8, F8, 63, 01, 79, 61, F4, A6, 05, A7, FE, A0, 07, ED, DF, 71, 36, 2C, BD, 00, 34, 18, 87, 31, 05, AD, AD, 39, D0, 14, ED, 4C, B6, 9D, 14, BD, FF, FF, FF, 9A, 1D, DF, 52, 85, 49, C1, 35, 03, F4, AC, EC, 61, 3C, AF, D9, 32, 5E, BC, FF, FF, FF, 8E, AB, 71, D8, 8B, E7, FF, FF, FF, 48, F5, E2, 4F, 87, 2C, 50, DB, 67, 96, 69, 10... 
[+]

Packer / compiler:

Xtreme-Protector v1.05

Code size:

669 KB (685,056 bytes)

The file colhost.exe has been seen being distributed by the following 50 URLs.

http://m.xxxl84675900374.com/foo/YK9irRWbEepJ2wm_KP_5MQ/1458139751/.../svchost.exe

http://m.sony4gamesman.com/foo/N_qrCScE7d0xAntftx8ymg/1484852007/.../svchost.exe

http://m.sony4gamesman.com/foo/DVBeBgn371VKvQUQB6_L_Q/1481445299/.../svchost.exe

http://m.sony4gamesman.com/foo/Hx3Rl2d9AmKIk8zSDKPplQ/1480770250/.../svchost.exe

http://m.girl8349237543.com/foo/TJaxrkc4nENDe2E3bmoeLQ/1437336404/.../svchost.exe

http://m.sony4gamesman.com/foo/DBwsS_p95nos425IbYnvgg/1483467519/.../svchost.exe

http://m.sony4gamesman.com/foo/V0n1dFwJyHYp1fLKkYB0bQ/1485264840/.../svchost.exe

http://m.sony4gamesman.com/foo/64D8O9pq-4oxsG3PT1QZzA/1485877762/.../svchost.exe

http://m.sony4gamesman.com/foo/nikceH-T8QllD2_EYDw9XQ/1478842242/.../svchost.exe

http://m.sony4gamesman.com/foo/K5UxytnGl5VSW1ltoPjdaQ/1481557275/.../svchost.exe

http://m.sony4gamesman.com/foo/EK9IKgepmZahGF0zgIvrHA/1482181737/.../svchost.exe

http://m.sony4gamesman.com/foo/XhXdwGBDkBCuRQdyAM5N3g/1483132840/.../svchost.exe

http://m.xxxl84675900374.com/foo/5B_EnISnniY8Y6-wb7dy9Q/1477956679/.../svchost.exe

http://m.xxxl84675900374.com/foo/N9QbCesBvLfHdV2Zf3OK9g/1482048000/.../svchost.exe

http://m.sony4gamesman.com/foo/XCu_VjTyhhTonafYAKWOxA/1483710016/.../svchost.exe

http://m.sony4gamesman.com/foo/UBqgZKm5MUsDUfdlP67hOg/1484315245/.../svchost.exe

http://m.icolor19495344.com/foo/QCdDLnDhVHENPyEs_gYCxQ/1485721988/.../svchost.exe

http://m.sony4gamesman.com/foo/9yDHyDaSMTVv349hX2KdWQ/1483910299/.../svchost.exe

http://m.sony4gamesman.com/foo/lMbARbB4WmB2MML8XrOIxQ/1480441065/.../svchost.exe

http://m.sony4gamesman.com/foo/G0qFPCSRfq131QxR_6h_2Q/1487309769/.../svchost.exe

http://m.sony4gamesman.com/foo/4URPgUFglBfjs0bX5147dA/1483004748/.../svchost.exe

http://m.cn94857395.com/foo/-_xBrzV1wBMoGcPLcb-Dyw/1455365378/.../svchost.exe

http://m.sony4gamesman.com/foo/Hc5daCT8XU4v6ne7F8SCyQ/1480587256/.../svchost.exe

http://m.sony4gamesman.com/foo/H6sHYf1QHTFMkH6HOKzKAQ/1482661286/.../svchost.exe

http://m.xxxl84675900374.com/foo/aeBUvyE8R7dj68-471Bmhg/1478182695/.../svchost.exe

http://m.sony4gamesman.com/foo/OvrX4opKzvO46aa15JEHOQ/1482005501/.../svchost.exe

http://m.sony4gamesman.com/foo/fozbYFPGr7axsZF7dzxczQ/1470940460/.../svchost.exe

http://m.sony4gamesman.com/foo/MHLD2elNpU1V9-cmBEinPg/1479123696/.../svchost.exe

http://m.sony4gamesman.com/foo/SjYdxemCqI7fH_nQWQs4QQ/1480444788/.../svchost.exe

http://m.xxxl84675900374.com/foo/O_UERnxvdGhNvXcLvPyIiQ/1481216575/.../svchost.exe

Latest 30 of 169 download URLs

The executing file has been seen to make the following network communications in live environments.

TCP:

Connects to static.13.31.201.138.clients.your-server.de (138.201.31.13:3333)

TCP:

Connects to static.14.31.201.138.clients.your-server.de (138.201.31.14:3333)

TCP:

Connects to static.12.31.201.138.clients.your-server.de (138.201.31.12:3336)

TCP:

Connects to hosted-by.leaseweb.com (46.165.232.77:1001)

TCP:

Connects to 163-172-38-13.rev.poneytelecom.eu (163.172.38.13:1111)

Remove colhost.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.