Windows Analysis Report
swift-bootstrapper.exe

Overview

General Information

Sample name: swift-bootstrapper.exe
Analysis ID: 1579391
MD5: 26e350b6f17a777a79b8be46e1b06ac0
SHA1: acdbbef171b2361604bb7678645acf62fc2cc7af
SHA256: 29c535c85ca221059c46b364b9b6a81e68a0e0a6aef5da460dcb0daddf90d2f1
Tags: exe, user-loco

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Machine Learning detection for dropped file
PE file contains section with special chars
Drops PE files
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)

Classification

AV Detection

Source: C:\Users\user\Desktop\bin\injector.exe ReversingLabs: Detection: 47%
Source: swift-bootstrapper.exe ReversingLabs: Detection: 36%
Source: swift-bootstrapper.exe Virustotal: Detection: 47%
Source: C:\Users\user\Desktop\bin\injector.exe Joe Sandbox ML: detected
Source: swift-bootstrapper.exe, 00000000.00000003.2488038515.000001B2BA686000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_34a2b555-8
Source: unknown HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.46.236:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.46.236:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.38.10:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.38.10:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.38.10:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: swift-bootstrapper.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Swift.pdb source: swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2249307786.000001B2BBD0C000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr
Source: Binary string: bunni_bootstrapper.pdb* source: swift-bootstrapper.exe
Source: Binary string: C:\Users\matic\source\repos\Dll3\Dll3\x64\Release\Dll3.pdb source: swift-bootstrapper.exe, 00000000.00000003.2502561829.000001B2BC2D8000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2506922351.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2499011093.000001B2BC2D8000.00000004.00000020.00020000.00000000.sdmp, Dll3.dll.0.dr
Source: Binary string: bunni_bootstrapper.pdb source: swift-bootstrapper.exe
Source: Binary string: C:\Users\matic\source\repos\Dll3\Dll3\x64\Release\Dll3.pdb- source: swift-bootstrapper.exe, 00000000.00000003.2502561829.000001B2BC2D8000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2506922351.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2499011093.000001B2BC2D8000.00000004.00000020.00020000.00000000.sdmp, Dll3.dll.0.dr
Source: global traffic HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/Live HTTP/1.1 | accept: */* | host: clientsettings.roblox.com
Source: global traffic HTTP traffic detected: POST /api/status HTTP/1.1 | accept: */* | host: bunni.lol
Source: global traffic HTTP traffic detected: POST /api/files/downloadfiles HTTP/1.1 | accept: */* | host: bunni.lol | content-length: 36
Source: global traffic HTTP traffic detected: GET /storage/v1/object/public/swift-storage/ui/Swift.exe HTTP/1.1 | accept: */* | host: fkajsebjpvqftdgzyitk.supabase.co
Source: global traffic HTTP traffic detected: GET /storage/v1/object/public/swift-storage/injector/injector.exe HTTP/1.1 | accept: */* | host: fkajsebjpvqftdgzyitk.supabase.co
Source: global traffic HTTP traffic detected: GET /storage/v1/object/public/swift-storage/dlls/Dll3.dll HTTP/1.1 | accept: */* | host: fkajsebjpvqftdgzyitk.supabase.co
Source: Joe Sandbox View IP Address: 128.116.119.3
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /v2/client-version/WindowsPlayer/channel/Live HTTP/1.1 | accept: */* | host: clientsettings.roblox.com
Source: global traffic HTTP traffic detected: GET /storage/v1/object/public/swift-storage/ui/Swift.exe HTTP/1.1 | accept: */* | host: fkajsebjpvqftdgzyitk.supabase.co
Source: global traffic HTTP traffic detected: GET /storage/v1/object/public/swift-storage/injector/injector.exe HTTP/1.1 | accept: */* | host: fkajsebjpvqftdgzyitk.supabase.co
Source: global traffic HTTP traffic detected: GET /storage/v1/object/public/swift-storage/dlls/Dll3.dll HTTP/1.1 | accept: */* | host: fkajsebjpvqftdgzyitk.supabase.co
Source: global traffic DNS traffic detected: DNS query: clientsettings.roblox.com
Source: global traffic DNS traffic detected: DNS query: bunni.lol
Source: global traffic DNS traffic detected: DNS query: fkajsebjpvqftdgzyitk.supabase.co
Source: unknown HTTP traffic detected: POST /api/status HTTP/1.1 | accept: */* | host: bunni.lol
Source: swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2243850276.000001B2BBBB4000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr String found in binary or memory: http://.css
Source: swift-bootstrapper.exe, 00000000.00000003.2243850276.000001B2BBB88000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr String found in binary or memory: http://.jpg
Source: swift-bootstrapper.exe, 00000000.00000003.2243850276.000001B2BBBA8000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr String found in binary or memory: http://html4/loose.dtd
Source: Swift.exe.0.dr String found in binary or memory: https://bunni.lol/api/bauth/login
Source: Swift.exe.0.dr String found in binary or memory: https://bunni.lol/api/bauth/register
Source: Swift.exe.0.dr String found in binary or memory: https://bunni.lol/api/bauth/sessionBearer
Source: Swift.exe.0.dr String found in binary or memory: https://bunni.lol/api/files/downloadfilesCouldn
Source: swift-bootstrapper.exe String found in binary or memory: https://bunni.lol/api/files/downloadfilesSWIFT
Source: Swift.exe.0.dr String found in binary or memory: https://bunni.lol/api/keys/link
Source: Swift.exe.0.dr String found in binary or memory: https://bunni.lol/api/status
Source: swift-bootstrapper.exe String found in binary or memory: https://bunni.lol/api/statusCouldn
Source: swift-bootstrapper.exe String found in binary or memory: https://clientsettings.roblox.com/v2/client-version/WindowsPlayer/channel/LiveCoulnd
Source: swift-bootstrapper.exe, 00000000.00000003.2488038515.000001B2BA692000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2506922351.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, Dll3.dll.0.dr String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: swift-bootstrapper.exe, 00000000.00000003.2488038515.000001B2BA692000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2506922351.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, Dll3.dll.0.dr String found in binary or memory: https://curl.se/docs/hsts.html
Source: swift-bootstrapper.exe, 00000000.00000003.2488038515.000001B2BA686000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2506922351.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, Dll3.dll.0.dr String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Swift.exe.0.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2242425465.000001B2BBB1C000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr String found in binary or memory: https://docs.rs/tauri/1/tauri/scope/struct.IpcScope.html#method.configure_remote_access
Source: swift-bootstrapper.exe, 00000000.00000002.2945495102.000001B2B9FFB000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2192147602.000001B2BA050000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000002.2945495102.000001B2BA052000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2469343510.000001B2BA051000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2350127326.000001B2BA051000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fkajsebjpvqftdgzyitk.supabase.co/storage/v1/object/public/swift-storage/dlls/Dll3.dll
Source: swift-bootstrapper.exe, 00000000.00000003.2469343510.000001B2BA051000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fkajsebjpvqftdgzyitk.supabase.co/storage/v1/object/public/swift-storage/dlls/Dll3.dllctor.ex
Source: swift-bootstrapper.exe, 00000000.00000003.2350127326.000001B2BA051000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fkajsebjpvqftdgzyitk.supabase.co/storage/v1/object/public/swift-storage/injector/injector.ex
Source: swift-bootstrapper.exe, 00000000.00000002.2945495102.000001B2B9FFB000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2192147602.000001B2BA050000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000002.2945495102.000001B2BA052000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2469343510.000001B2BA051000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2350127326.000001B2BA051000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fkajsebjpvqftdgzyitk.supabase.co/storage/v1/object/public/swift-storage/ui/Swift.exe
Source: swift-bootstrapper.exe, 00000000.00000003.2253397530.000001B2BA051000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2192147602.000001B2BA050000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fkajsebjpvqftdgzyitk.supabase.co/storage/v1/object/public/swift-storage/ui/Swift.exe#
Source: swift-bootstrapper.exe, 00000000.00000003.2506922351.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2497284770.000001B2BC276000.00000004.00000020.00020000.00000000.sdmp, Dll3.dll.0.dr String found in binary or memory: https://github.com/dharma
Source: Swift.exe.0.dr String found in binary or memory: https://github.com/rust-windowing/taoC:
Source: swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2236534316.000001B2BBA20000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr String found in binary or memory: https://github.com/tauri-apps/tauri/issues/2549#issuecomment-1250036908
Source: swift-bootstrapper.exe, 00000000.00000003.2236534316.000001B2BBA1C000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr String found in binary or memory: https://github.com/tauri-apps/tauri/issues/8306)
Source: swift-bootstrapper.exe, 00000000.00000003.1817877682.000001B2BA06E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ncs.roblox.com/upload
Source: Swift.exe.0.dr String found in binary or memory: https://scriptblox.com/api/script/search?q=&max=&mode=free
Source: swift-bootstrapper.exe, 00000000.00000003.2242425465.000001B2BBB00000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr String found in binary or memory: https://tauri.app/docs/api/config#tauri.allowlist)
Source: Swift.exe.0.dr String found in binary or memory: https://tauri.app/docs/api/config#tauri.allowlist)C:
Source: swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2236534316.000001B2BBA24000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr String found in binary or memory: https://tauri.app/docs/api/config#tauri.allowlist)GetAppVersionGetAppNameGetTauriVersionCouldn
Source: swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2242425465.000001B2BBB1C000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr String found in binary or memory: https://tauri.app/v1/api/config/#securityconfig.dangerousremotedomainipcaccess
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown HTTPS traffic detected: 128.116.119.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.46.236:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.46.236:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.38.10:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.38.10:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.38.10:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RegisterRawInputDevices memstr_31b93f88-4
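The network lines above show the stager talking to bunni.lol and pulling three PE payloads from a public Supabase storage bucket, all without a User-Agent header. The following is an added example of the detection logic behind those signatures; it is not part of the sandbox report or of Joe Sandbox. It replays constructed HTTP requests modelled on the report's GET/POST lines (they are not captured traffic), and the IOC host list, the PE-extension rule and the "stage" summary are the author's assumptions, not report fields. clientsettings.roblox.com is a legitimate service the sample also contacts and is deliberately left off the IOC list.

```python
"""Replay HTTP request heads and flag the patterns the report lists:
no User-Agent, IOC hosts, and PE payloads fetched from object storage.
Added example; sample requests are constructed, not captured."""
from dataclasses import dataclass, field

# Analyst-maintained IOC hosts (assumption: taken from the report's DNS queries,
# minus the legitimate Roblox endpoint).
IOC_HOSTS = {"bunni.lol", "fkajsebjpvqftdgzyitk.supabase.co"}
PE_EXTENSIONS = (".exe", ".dll")


@dataclass
class Request:
    method: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased


def parse_request(raw: bytes) -> Request:
    """Parse the head of an HTTP/1.x request (request line + CRLF-separated headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, version, headers)


def triage_request(req: Request) -> list[str]:
    """Return the findings for one request, in a fixed order so results compare cleanly."""
    findings = []
    host = req.headers.get("host", "").lower()
    if "user-agent" not in req.headers:
        findings.append("no User-Agent header")
    if host in IOC_HOSTS:
        findings.append(f"IOC host: {host}")
    if req.path.lower().endswith(PE_EXTENSIONS):
        findings.append(f"PE download: {req.path.rsplit('/', 1)[-1]}")
    return findings


def staged_payloads(requests: list[Request]) -> list[str]:
    """File names of PE payloads fetched over the session, in request order."""
    return [r.path.rsplit("/", 1)[-1] for r in requests
            if r.path.lower().endswith(PE_EXTENSIONS)]


# Constructed request heads modelled on the report's traffic lines.
SAMPLE_REQUESTS = [
    b"GET /v2/client-version/WindowsPlayer/channel/Live HTTP/1.1\r\naccept: */*\r\nhost: clientsettings.roblox.com\r\n\r\n",
    b"POST /api/status HTTP/1.1\r\naccept: */*\r\nhost: bunni.lol\r\n\r\n",
    b"POST /api/files/downloadfiles HTTP/1.1\r\naccept: */*\r\nhost: bunni.lol\r\ncontent-length: 36\r\n\r\n" + b"{" + b"x" * 34 + b"}",
    b"GET /storage/v1/object/public/swift-storage/ui/Swift.exe HTTP/1.1\r\naccept: */*\r\nhost: fkajsebjpvqftdgzyitk.supabase.co\r\n\r\n",
    b"GET /storage/v1/object/public/swift-storage/injector/injector.exe HTTP/1.1\r\naccept: */*\r\nhost: fkajsebjpvqftdgzyitk.supabase.co\r\n\r\n",
    b"GET /storage/v1/object/public/swift-storage/dlls/Dll3.dll HTTP/1.1\r\naccept: */*\r\nhost: fkajsebjpvqftdgzyitk.supabase.co\r\n\r\n",
    # Browser-style request with a User-Agent, for contrast (constructed).
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for req in parsed:
        print(f"{req.method} {req.headers.get('host')}{req.path}: {triage_request(req) or 'clean'}")
    print("staged PE payloads:", staged_payloads(parsed))
```

The request-line and header parsing is deliberately minimal (no folding, no body handling) because the signatures only need the head; in a real pipeline feed it the reassembled request from a proxy log or PCAP rather than raw sockets.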

System Summary

Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: injector.exe.0.dr Static PE information: Section: ZLIB complexity 1.000343780222437
Source: injector.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983979985955056
Source: injector.exe.0.dr Static PE information: Section: ZLIB complexity 1.0107421875
Source: injector.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: Swift.exe.0.dr Binary string: \Device\Afd\Mio
Source: Swift.exe.0.dr Binary string: Failed to open \Device\Afd\Mio:
Source: classification engine Classification label: mal64.winEXE@2/3@3/3
Source: C:\Users\user\Desktop\swift-bootstrapper.exe File created: C:\Users\user\Desktop\bin
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: swift-bootstrapper.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: swift-bootstrapper.exe ReversingLabs: Detection: 36%
Source: swift-bootstrapper.exe Virustotal: Detection: 47%
Source: swift-bootstrapper.exe String found in binary or memory: /load_hpack; header malformed -- pseudo not at head of block
Source: unknown Process created: C:\Users\user\Desktop\swift-bootstrapper.exe "C:\Users\user\Desktop\swift-bootstrapper.exe"
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Section loaded: cryptnet.dll
Source: swift-bootstrapper.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: swift-bootstrapper.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: swift-bootstrapper.exe Static file information: File size 5979648 > 1048576
Source: swift-bootstrapper.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3f8600
Source: swift-bootstrapper.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x169c00
Source: swift-bootstrapper.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: swift-bootstrapper.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Swift.pdb source: swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BCE12000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2249307786.000001B2BBD0C000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr
Source: Binary string: bunni_bootstrapper.pdb* source: swift-bootstrapper.exe
Source: Binary string: C:\Users\matic\source\repos\Dll3\Dll3\x64\Release\Dll3.pdb source: swift-bootstrapper.exe, 00000000.00000003.2502561829.000001B2BC2D8000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2506922351.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2499011093.000001B2BC2D8000.00000004.00000020.00020000.00000000.sdmp, Dll3.dll.0.dr
Source: Binary string: bunni_bootstrapper.pdb source: swift-bootstrapper.exe
Source: Binary string: C:\Users\matic\source\repos\Dll3\Dll3\x64\Release\Dll3.pdb- source: swift-bootstrapper.exe, 00000000.00000003.2502561829.000001B2BC2D8000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2506922351.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2499011093.000001B2BC2D8000.00000004.00000020.00020000.00000000.sdmp, Dll3.dll.0.dr
Source: initial sample Static PE information: section where entry point is pointing to: .boot
Source: Dll3.dll.0.dr Static PE information: section name: .fptable
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name:
Source: injector.exe.0.dr Static PE information: section name: .themida
Source: injector.exe.0.dr Static PE information: section name: .boot
Source: injector.exe.0.dr Static PE information: section name: entropy: 7.9778573291038075
Source: C:\Users\user\Desktop\swift-bootstrapper.exe File created: C:\Users\user\Desktop\bin\injector.exe
Source: C:\Users\user\Desktop\swift-bootstrapper.exe File created: C:\Users\user\Desktop\bin\Dll3.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe File created: C:\Users\user\Desktop\Swift.exe
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bin\injector.exe
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Dropped PE file which has not been started: C:\Users\user\Desktop\bin\Dll3.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Dropped PE file which has not been started: C:\Users\user\Desktop\Swift.exe
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: swift-bootstrapper.exe, 00000000.00000003.2219675030.000001B2BB5C2000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2262258118.000001B2BC412000.00000004.00000020.00020000.00000000.sdmp, swift-bootstrapper.exe, 00000000.00000003.2217336712.000001B2BB5C2000.00000004.00000020.00020000.00000000.sdmp, Swift.exe.0.dr Binary or memory string: iHGFs
Source: swift-bootstrapper.exe, 00000000.00000002.2945495102.000001B2B9FFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Code function: 0_2_00007FF78AE16820 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF78AE16820
Source: C:\Users\user\Desktop\swift-bootstrapper.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
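The static PE findings in this section (12 sections, section names made of special characters, .themida and .boot sections, an entry point outside the standard sections, a section with entropy 7.98) are the usual fingerprints of a commercial packer on the dropped injector.exe. The following is an added example, not part of the sandbox report or of Joe Sandbox, of how an analyst can reproduce those checks offline with the standard library only. The sample PE is built in code (it is a header skeleton that parses but will not load), the 7.2 entropy threshold, the packer-section list and the standard-section list are the author's assumptions, and the constructed section names only mimic the shape of the report's findings.

```python
"""Static PE triage: section count, special-character and packer-style
section names, entry-point section, per-section Shannon entropy.
Added example; the sample PE below is constructed, not the analysed file."""
import math
import struct

# Assumptions: section names a normal MSVC/Rust build emits, and a short list of
# names commonly added by packers (Themida/WinLicense: .themida, .boot; UPX; VMProtect).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".bss", ".tls", ".CRT"}
PACKER_SECTIONS = {".themida", ".boot", "UPX0", "UPX1", ".vmp0", ".vmp1", ".vmp2"}
ENTROPY_THRESHOLD = 7.2   # assumption; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header, AddressOfEntryPoint and section table (PE32 or PE32+)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]   # same offset in PE32 and PE32+
    sec_table = opt + opt_size
    sections = []
    for i in range(nsections):
        raw_name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, sec_table + 40 * i)
        sections.append({"name": raw_name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "data": blob[rawptr:rawptr + rawsize]})
    return {"magic": magic, "entry_rva": entry_rva, "sections": sections}


def section_label(raw_name: bytes):
    """(label, is_special): special = empty or not printable ASCII, shown as repr()."""
    try:
        text = raw_name.decode("ascii")
    except UnicodeDecodeError:
        return repr(raw_name), True
    if not text or not text.isprintable():
        return repr(raw_name), True
    return text, False


def section_for_rva(sections, rva):
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], len(s["data"])):
            return s
    return None


def triage(pe: dict) -> dict:
    secs = pe["sections"]
    result = {"section_count": len(secs), "too_many_sections": len(secs) > 10,
              "special_char_sections": [], "packer_sections": [],
              "high_entropy_sections": [], "entry_section": None, "entry_outside_standard": False}
    for s in secs:
        label, special = section_label(s["name"])
        if special:
            result["special_char_sections"].append(label)
        elif label in PACKER_SECTIONS:
            result["packer_sections"].append(label)
        if shannon_entropy(s["data"]) >= ENTROPY_THRESHOLD:
            result["high_entropy_sections"].append(label)
    ep = section_for_rva(secs, pe["entry_rva"])
    if ep is None:
        result["entry_outside_standard"] = True        # entry RVA mapped by no section
    else:
        label, special = section_label(ep["name"])
        result["entry_section"] = label
        result["entry_outside_standard"] = special or label not in STANDARD_SECTIONS
    return result


def build_sample_pe(section_specs, entry_rva: int) -> bytes:
    """Constructed PE32+ header skeleton: enough for parse_pe, not loadable."""
    n, opt_size, file_align = len(section_specs), 240, 0x200
    raw_ptr = (0x40 + 4 + 20 + opt_size + 40 * n + file_align - 1) // file_align * file_align
    sec_headers, raw_blobs = b"", b""
    for name, vaddr, data in section_specs:
        sec_headers += struct.pack("<8sIIII", name, len(data), vaddr, len(data), raw_ptr + len(raw_blobs)) + b"\0" * 16
        raw_blobs += data.ljust((len(data) + file_align - 1) // file_align * file_align, b"\0")
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size); struct.pack_into("<H", opt, 0, 0x20B); struct.pack_into("<I", opt, 16, entry_rva)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_headers).ljust(raw_ptr, b"\0") + raw_blobs


# Constructed 12-section sample shaped like the report's injector.exe findings.
SAMPLE_PE = build_sample_pe([
    (b".text", 0x1000, b"\x90" * 64 + b"\xc3"), (b".rdata", 0x2000, b"https://example.invalid/\0" * 8),
    (b".data", 0x3000, b"\0" * 256), (b".pdata", 0x4000, b"\x01\x00" * 64),
    (b".rsrc", 0x5000, b"RSRC" * 32), (b".reloc", 0x6000, b"\x00\x10\x00\x00" * 16),
    (b"\x01", 0x7000, bytes(range(256)) * 4), (b"\x02", 0x8000, bytes(range(256)) * 4),
    (b"\x03\xff", 0x9000, b"\xaa" * 512), (b"  \x7f", 0xA000, b"\x55" * 512),
    (b".themida", 0xB000, b"\xcc" * 512), (b".boot", 0xC000, bytes(range(256)) * 16),
], entry_rva=0xC010)

if __name__ == "__main__":
    for k, v in triage(parse_pe(SAMPLE_PE)).items():
        print(f"{k}: {v}")
```

None of these signals is conclusive on its own (legitimate protected software trips the same ones), which is why the report scores them alongside the AV hits and the dropped-but-never-started payloads rather than as a verdict by themselves.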