Windows Analysis Report
swift.exe

Overview

General Information

Sample Name: swift.exe
Analysis ID: 1338838
MD5: eea7fccc3de8ebbadd3544e662eb8772
SHA1: 8552e772701d0cbced43a35740cb8b42e8e694cb
SHA256: b84816d9d514fbc53fba7cbabfc3d6e7f313e6726df10c30e5c426ccf1d1922e
Infos:

Detection

CobaltStrike
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Contains functionality to execute programs as a different user
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
Cobalt Strike, CobaltStrike Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
 https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

AV Detection
barindex
Found malware configuration
Source: 00000000.00000003.2093946625.000001E357C82000.00000040.00000001.00020000.00000000.sdmp Malware Configuration Extractor: CobaltStrike {"BeaconType": ["Hybrid HTTP DNS"], "Port": 1, "SleepTime": 5000, "MaxGetSize": 2798028, "Jitter": 45, "MaxDNS": 247, "C2Server": "dns.investmentrealtyhp.net,/dev/coke/CQHL5IYQF", "DNS_Idle": "140.82.26.90", "DNS_Sleep": 0, "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\w32tm.exe", "Spawnto_x64": "%windir%\\sysnative\\systray.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 587247372, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 6477, "ProcInject_PrependAppend_x86": ["Zg8fRAAAZg8fRAAAUFgPHwBmDx9EAABmDx+EAAAAAAAPH0QAAA8fAJAPH4QAAAAAAA8fRAAADx+AAAAAAJAPH0QAAA8fRAAAZpAPH0QAAFBYDx+EAAAAAAA=", "Dx9EAABQWA8fRAAAZg8fhAAAAAAADx+EAAAAAAAPH4AAAAAADx9AAJCQDx9AAGYPH4QAAAAAAA8fgAAAAAAPH0QAAGaQkGYPH4QAAAAAAGaQZg8fhAAAAAAADx9EAAA="], "ProcInject_PrependAppend_x64": ["Dx+EAAAAAABQWGYPH4QAAAAAAA8fRAAADx9EAABQWGYPH0QAAGYPH0QAAJBmDx+EAAAAAABmDx+EAAAAAABQWA==", "Zg8fhAAAAAAADx9AAA8fAA8fAA8fhAAAAAAAkGaQDx8AZpAPH0QAAA8fhAAAAAAAZg8fRAAADx9EAAAPHwAPH4QAAAAAAA8fAA8fgAAAAABQWA=="], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Multi AV Scanner detection for submitted file
Source: swift.exe Virustotal: Detection: 27% Perma Link
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357C91184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_000001E357C91184
Source: swift.exe Static PE information: certificate valid
Source: swift.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA1980 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_000001E357CA1980
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA7770 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_000001E357CA7770

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: dns.investmentrealtyhp.net
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: swift.exe String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: swift.exe String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
Source: swift.exe String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: swift.exe String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: swift.exe String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: swift.exe String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: swift.exe String found in binary or memory: http://ocsps.ssl.com0
Source: swift.exe String found in binary or memory: http://ocsps.ssl.com0?
Source: swift.exe String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: swift.exe String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: swift.exe String found in binary or memory: https://www.ssl.com/repository0
Source: unknown DNS traffic detected: queries for: ridoj4.645b0efa.dns.investmentrealtyhp.net
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA4D60 recv, 0_2_000001E357CA4D60

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.swift.exe.1e357c90000.0.raw.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.swift.exe.1e357c90000.0.unpack, type: UNPACKEDPE Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.3335359753.000001E357C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000003.2093946625.000001E357C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Yara signature match
Source: 0.2.swift.exe.1e357c90000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.swift.exe.1e357c90000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.3335359753.000001E357C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000003.2093946625.000001E357C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Detected potential crypto function
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C5D44C 0_3_000001E357C5D44C
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C601A4 0_3_000001E357C601A4
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C5F078 0_3_000001E357C5F078
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C5F73C 0_3_000001E357C5F73C
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C4C5A0 0_3_000001E357C4C5A0
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CB0D74 0_2_000001E357CB0D74
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CB94A0 0_2_000001E357CB94A0
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA0C98 0_2_000001E357CA0C98
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CAFC48 0_2_000001E357CAFC48
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357C99C20 0_2_000001E357C99C20
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA6C14 0_2_000001E357CA6C14
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CB030C 0_2_000001E357CB030C
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CB4304 0_2_000001E357CB4304
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CBB9F0 0_2_000001E357CBB9F0
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CBA1B0 0_2_000001E357CBA1B0
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357C9D170 0_2_000001E357C9D170
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357C9A134 0_2_000001E357C9A134
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CBB080 0_2_000001E357CBB080
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CAE01C 0_2_000001E357CAE01C
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CBD000 0_2_000001E357CBD000
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CAEDE4 0_2_000001E357CAEDE4
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CBAD97 0_2_000001E357CBAD97
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63B3E20 0_2_00007FF6D63B3E20
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63D1874 0_2_00007FF6D63D1874
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63AB570 0_2_00007FF6D63AB570
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63D0E24 0_2_00007FF6D63D0E24
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63CE66C 0_2_00007FF6D63CE66C
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63AC720 0_2_00007FF6D63AC720
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63C5350 0_2_00007FF6D63C5350
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63CDC84 0_2_00007FF6D63CDC84
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63CB454 0_2_00007FF6D63CB454
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63C6154 0_2_00007FF6D63C6154
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63CEA1C 0_2_00007FF6D63CEA1C
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63CAA90 0_2_00007FF6D63CAA90
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63AD2E0 0_2_00007FF6D63AD2E0
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA0C98 CreateProcessAsUserA,GetLastError,GetLastError,CreateProcessA,GetLastError,GetCurrentDirectoryW,GetCurrentDirectoryW,CreateProcessWithTokenW,GetLastError,GetLastError,GetLastError,GetLastError, 0_2_000001E357CA0C98
Contains functionality to call native functions
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63A1000 NtAllocateVirtualMemory, 0_2_00007FF6D63A1000
Source: swift.exe Virustotal: Detection: 27%
Source: swift.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\swift.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA0B54 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_000001E357CA0B54
Source: classification engine Classification label: mal80.troj.evad.winEXE@1/0@26/0
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63AFEA0 CoCreateInstance, 0_2_00007FF6D63AFEA0
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA6C14 TerminateProcess,GetLastError,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,htonl,htonl,GetLastError,OpenProcessToken,GetLastError,ImpersonateLoggedOnUser,GetLastError,DuplicateTokenEx,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_000001E357CA6C14
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63C2740 FindResourceW,LoadResource,LockResource,ImageList_GetImageCount,Concurrency::details::_Scheduler::_Scheduler,LoadImageW,UnDecorator::getVbTableType,Concurrency::details::_Scheduler::_Scheduler,ImageList_AddMasked,ImageList_GetImageCount, 0_2_00007FF6D63C2740
Source: swift.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: swift.exe Static PE information: certificate valid
Source: swift.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: swift.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: swift.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: swift.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: swift.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: swift.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C58C7C push 8B4C0003h; ret 0_3_000001E357C58C81
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C68A8F push ebp; iretd 0_3_000001E357C68A90
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C68AB8 push ebp; iretd 0_3_000001E357C68AB9
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C68A6F push ebp; iretd 0_3_000001E357C68A70
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C49A02 push cs; retf 0_3_000001E357C49A03
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C4B03C push ebp; iretd 0_3_000001E357C4B03D
Source: C:\Users\user\Desktop\swift.exe Code function: 0_3_000001E357C49641 push edi; iretd 0_3_000001E357C49642
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CB7534 RtlEncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_000001E357CB7534
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CAE01C RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_000001E357CAE01C

Malware Analysis System Evasion
barindex
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA4A00 0_2_000001E357CA4A00
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357C9FE84 0_2_000001E357C9FE84
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -33621s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -34958s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -32557s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -31792s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -33936s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -33348s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -38232s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -32508s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -36675s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -32512s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -33112s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -31899s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -30597s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -31962s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\swift.exe TID: 2532 Thread sleep time: -32452s >= -30000s Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\swift.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\swift.exe Evasive API call chain: GetLocalTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\swift.exe API coverage: 8.4 %
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357C9FE84 0_2_000001E357C9FE84
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA1980 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, 0_2_000001E357CA1980
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA7770 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose, 0_2_000001E357CA7770
Source: C:\Users\user\Desktop\swift.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\swift.exe API call chain: ExitProcess graph end node
Source: swift.exe, 00000000.00000002.3335059797.000001E354697000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CB7534 RtlEncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_000001E357CB7534
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CB7534 RtlEncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_000001E357CB7534
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CB7534 RtlEncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_000001E357CB7534
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CAFB6C GetProcessHeap, 0_2_000001E357CAFB6C
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CB22B4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000001E357CB22B4
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63C5FC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6D63C5FC0
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_00007FF6D63C7434 SetUnhandledExceptionFilter, 0_2_00007FF6D63C7434
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CABE24 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, 0_2_000001E357CABE24
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CABD9C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_000001E357CABD9C
Source: C:\Users\user\Desktop\swift.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA0904 CreateNamedPipeA, 0_2_000001E357CA0904
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CBCADC GetSystemTimeAsFileTime, 0_2_000001E357CBCADC
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA4FD0 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf, 0_2_000001E357CA4FD0
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA4FD0 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf, 0_2_000001E357CA4FD0

Remote Access Functionality
barindex
Yara detected CobaltStrike
Source: Yara match File source: 0.2.swift.exe.1e357c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3335359753.000001E357CC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2093946625.000001E357C40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: swift.exe PID: 2656, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CACD44 socket,closesocket,htons,bind,listen, 0_2_000001E357CACD44
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA5B54 socket,htons,ioctlsocket,closesocket,bind,listen, 0_2_000001E357CA5B54
Source: C:\Users\user\Desktop\swift.exe Code function: 0_2_000001E357CA574C htonl,htons,socket,closesocket,bind,ioctlsocket, 0_2_000001E357CA574C
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1338838 Sample: swift.exe Startdate: 08/11/2023 Architecture: WINDOWS Score: 80 9 ridoj4.645b0efa.dns.investmentrealtyhp.net 2->9 11 Found malware configuration 2->11 13 Malicious sample detected (through community Yara rule) 2->13 15 Multi AV Scanner detection for submitted file 2->15 17 2 other signatures 2->17 6 swift.exe 2->6         started        signatures3 process4 signatures5 19 Contains functionality to detect sleep reduction / modifications 6->19
No contacted IP infos

Contacted Domains

Name IP Active
ridoj4.645b0efa.dns.investmentrealtyhp.net 140.82.26.90 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
dns.investmentrealtyhp.net true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown