File name:

swift-bootstrapper.exe

Full analysis: https://app.any.run/tasks/412d4d94-28bf-468d-a3c4-148ff70fd463
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 26, 2024, 08:17:14
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
auto
generic
rust
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 5 sections
MD5:

26E350B6F17A777A79B8BE46E1B06AC0

SHA1:

ACDBBEF171B2361604BB7678645ACF62FC2CC7AF

SHA256:

29C535C85CA221059C46B364B9B6A81E68A0E0A6AEF5DA460DCB0DADDF90D2F1

SSDEEP:

98304:9HSxyqAQYZCPUOdLT5W0rQlKW0AKP7k3ApjBYEQ3jd60roAKCuEJQMUpEPd9B/NX:JI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • swift-bootstrapper.exe (PID: 6428)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • swift-bootstrapper.exe (PID: 6428)

  • INFO

    • Reads the computer name

      • swift-bootstrapper.exe (PID: 6428)

    • Checks supported languages

      • swift-bootstrapper.exe (PID: 6428)

    • Reads the software policy settings

      • swift-bootstrapper.exe (PID: 6428)

    • Reads the machine GUID from the registry

      • swift-bootstrapper.exe (PID: 6428)

    • Checks proxy server information

      • swift-bootstrapper.exe (PID: 6428)

    • Application based on Rust

      • swift-bootstrapper.exe (PID: 6428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:06 18:09:31+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 4163072
InitializedDataSize: 1816064
UninitializedDataSize: -
EntryPoint: 0x3f65a0
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start swift-bootstrapper.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
6428"C:\Users\admin\Desktop\swift-bootstrapper.exe" C:\Users\admin\Desktop\swift-bootstrapper.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\swift-bootstrapper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6436\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeswift-bootstrapper.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 277
Read events
3 277
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6428swift-bootstrapper.exeC:\Users\admin\Desktop\Swift.exeexecutable
MD5:64B0517790437B071FEF6CD6782D4B9F
SHA256:E12D17C65A31989079774E3E465178CDD9FB5D07E101D4654BDF8EA618F6B1F5
6428swift-bootstrapper.exeC:\Users\admin\Desktop\bin\injector.exeexecutable
MD5:A5CCAEC11B613A44116B6EFF8230664A
SHA256:07409D4ADC7D4F9DB6AD642C1D7F989C69516F0B356214A8C1C1E6BB58F43EF4
6428swift-bootstrapper.exeC:\Users\admin\Desktop\bin\Dll3.dllexecutable
MD5:B8A1BB877C01B587F360410A1D162746
SHA256:48BF588F05A29A37203CADF6757434886ECDE204D2E41676FEEBEA05493EB062
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
22
DNS requests
10
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5208
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5980
RUXIMICS.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5208
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5980
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
188.114.96.3:443
https://bunni.lol/api/status
unknown
binary
69 b
GET
200
172.64.149.246:443
https://fkajsebjpvqftdgzyitk.supabase.co/storage/v1/object/public/swift-storage/ui/Swift.exe
unknown
executable
12.9 Mb
malicious
GET
200
104.18.38.10:443
https://fkajsebjpvqftdgzyitk.supabase.co/storage/v1/object/public/swift-storage/injector/injector.exe
unknown
executable
3.69 Mb
malicious
GET
200
172.64.149.246:443
https://fkajsebjpvqftdgzyitk.supabase.co/storage/v1/object/public/swift-storage/dlls/Dll3.dll
unknown
executable
4.21 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
2.23.209.189:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5208
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5980
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6428
swift-bootstrapper.exe
128.116.123.3:443
clientsettings.roblox.com
ROBLOX-PRODUCTION
US
whitelisted
5208
svchost.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5980
RUXIMICS.exe
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.189
  • 2.23.209.182
  • 2.23.209.193
  • 2.23.209.130
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.177
  • 2.23.209.179
  • 2.23.209.133
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
clientsettings.roblox.com
  • 128.116.123.3
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
bunni.lol
  • 188.114.96.3
  • 188.114.97.3
unknown
fkajsebjpvqftdgzyitk.supabase.co
  • 172.64.149.246
  • 104.18.38.10
unknown
self.events.data.microsoft.com
  • 52.182.143.210
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET INFO Supabase Development Platform Related Domain in DNS Lookup
6428
swift-bootstrapper.exe
Misc activity
ET INFO Observed Online Application Hosting Domain (supabase .co in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
swift-bootstrapper.exe