Swifti
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Metric | Value |
|---|---|
| Popularity Rank | 2,510 |
| Threat Level | 90 % (High) |
| Infected Computers | 62,264 |
| First Seen | February 12, 2015 |
| Last Seen | December 23, 2025 |
| OS(es) Affected | Windows |
Swifti is a Trojan that came to attention in early 2015 when it was linked to a then newly uncovered vulnerability in Adobe Flash Player. Its main purpose is to install adware and to enrol the infected computer in a botnet. Although Swifti itself is fairly generic, the Flash Player vulnerability used to deliver it drew considerable attention because of its potential for exploitation.
The Flash Vulnerability Linked to Swifti
The Angler Exploit Kit was observed using a zero-day flaw in Flash Player to distribute the Swifti Trojan. Angler is widely regarded as the successor to the infamous Blackhole Exploit Kit, whose operation collapsed after its author was arrested in late 2013. Malware analysts were alarmed when they uncovered an Angler variant that exploits three flaws in Flash Player, of which only two had been patched by Adobe at the time. Any computer running a vulnerable Flash version could therefore be compromised simply by loading a web page that redirected to the kit's landing page; no further user interaction was needed.
Why Flash has been Targeted in these Types of Attacks
Flash and other third-party platforms (such as Java) are common targets for exploit kits for several reasons. A crucial one is that Flash runs inside every popular Web browser and on several operating systems, so a threat delivered through a Flash vulnerability (such as Swifti) reaches a wider swath of victims than one that exploits a single browser or operating system. The fact that Swifti was being distributed through a zero-day exploit made these infections particularly alarming, even though Swifti itself is not especially threatening or harmful: it has been around in one variant or another since 2009, with its last update occurring in 2015. It is the distribution method, and the exploits used to deliver it via exploit kits, that caught the attention of PC security researchers and raised the Trojan's profile. Adobe ended support for Flash Player on December 31, 2020, and mainstream browsers have since removed it, so this delivery path matters today only on legacy systems that still have the plugin installed.
Characteristics of Swifti and Security Issues Associated with this Trojan’s Distribution
The exploit used to distribute Swifti affects only specific operating system and browser combinations. In the Angler variant that was analyzed, it could install the Trojan on Windows XP with Internet Explorer 6 or 8, Windows 7 with Internet Explorer 8, and Windows 8 with Internet Explorer 10, even with the Windows8-RT-KB3008925-x86 update (a Flash Player update for Internet Explorer) installed. Windows 8.1 and Google Chrome were not affected by that variant, but exploit kits are routinely upgraded, and later releases could have targeted a wider range of operating systems and browsers with the same vulnerability. When this entry was written, Adobe had not yet released a patch for the flaw, so every user with a vulnerable configuration who reached an Angler landing page was exposed; Adobe subsequently patched it, and the unpatched window described here should be read as historical.
Other Threats Associated with Swifti
Swifti is not the only threat being distributed through this exploit. Another payload seen in these attacks is Bedep, a distribution botnet that can then be used to deliver further threats to the victim's computer. Bedep has been used to install threats that manipulate advertising networks so that it appears the computer user has clicked on or viewed many advertisements, generating revenue for the attackers. This kind of advertisement fraud is a typical way of monetizing infected machines at the expense of their owners. Malware researchers considered the exploit behind Swifti and Bedep a severe threat, not because of the strength or destructive potential of the payloads, but because of Flash's widespread installed base and, at the time, the lack of a patch.
Analysis Report
General information
| Family Name: | Trojan.Coinminer.GC |
|---|---|
| Signature status: | No Signature |
Known Samples
This section lists other file samples believed to be associated with this family.

| MD5 | SHA1 | SHA256 | File Size |
|---|---|---|---|
| 8934c976622d58b548f472a9b68d8061 | 14e2803c72c33e97b7916022b3ee6873a9656006 | | 6.42 MB, 6423552 bytes |
| c94f7a70d34265d1ae66b99fb598f8c3 | 00f19158246bd1b139c6fab634c32f25a89138f9 | | 6.45 MB, 6447616 bytes |
| 288a418f9f84a93c147cf803be4c8aed | 89c932603846bdbea42a84a74fa2aa6007cd023f | | 726.53 KB, 726528 bytes |
| da6f69730b8a44bf5fb72c9b9095be5b | b688632bfa61da1cea0f199d81d4b41653d0136e | 0157EA580E1B02A3ECC9C1248C49C33DE627856B1CADDDD69CBEB96F84A6AFD3 | 8.00 MB, 7995904 bytes |
| 43cfb1f5b39bf96d2ac94c37e1a8c1a6 | 23047ec8c185fe0905cb7c3cb345a03a011f82b8 | 8918BE81B8122115258AA3E2162DE3455D0C038BAE93AA2C0333B62F6A6A1503 | 6.40 MB, 6397440 bytes |
| 5bc476954f90a49ac955a0df4ff49055 | 0ce6bbb4e871442a6e645cfd00e263e8e97b18f9 | 8338F27DB8F529134F14BE9A04325B2F3F8B240256184AC99509E5A777563959 | 2.45 MB, 2447848 bytes |
| facbb6c38a04f3fe66e912181817e0a5 | 965a259307ceab1af4e0b8f51b2a5d95600cb024 | 686A15DB21B6BB72666C420F1A8CDF76F6AB2F2CEE0D38655F383B43320FA288 | 2.15 MB, 2152960 bytes |
| a63eb45668a03017e572c15e7c13b7f6 | 0dbb035171ac5767fa88c88be09d1f81c4b5f4d6 | 3028A7E7EC34C8A1BBD5568CE16205602EDD350564E771667399B0BA793FEE8B | 6.34 MB, 6341632 bytes |
| 1e853fda8400d0ff5928545505f728a8 | 7a987116d89df3adcca26e8e34c3dab808fe8faa | A2A3931556642879FF41FE453E60CCFA7BF456DD8C07AD56A0EFEC3B9C07249B | 6.44 MB, 6435690 bytes |
Windows Portable Executable Attributes
These attributes are aggregated over the samples in this family, which is why mutually exclusive values (packed and not packed, console and GUI subsystem) both appear; they describe the family as a whole, not any single file.
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have exports table
- File doesn't have relocations information
- File doesn't have security information
- File has been packed
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
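Every attribute in that list is read straight out of the PE headers: the COFF characteristics word (executable image vs. DLL), the optional header (PE32+ magic for 64-bit, the subsystem field) and its data directories (exports, base relocations, debug, security/Authenticode, TLS, CLR), the Rich header stamp that MSVC's linker leaves between the DOS stub and the PE signature, plus an entropy heuristic over the executable sections for "packed". The Python below is an added example of that triage, not EnigmaSoft's tooling and not derived from the samples listed above. It builds its own constructed minimal PE32+ image so it runs offline; the 7.0 bits/byte packing threshold, the UPX-style section names and all header values in the constructed file are assumptions for the demo.

```python
import math
import random
import struct
from collections import Counter

# Constants from the PE/COFF specification
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SUBSYSTEMS = {2: "IMAGE_SUBSYSTEM_WINDOWS_GUI", 3: "IMAGE_SUBSYSTEM_WINDOWS_CUI"}
# Data-directory slots behind the scorecard's "has / doesn't have" attributes
DIR_EXPORT, DIR_SECURITY, DIR_BASERELOC, DIR_DEBUG, DIR_TLS, DIR_CLR = 0, 4, 5, 6, 9, 14
PACKED_ENTROPY = 7.0   # assumed threshold (bits/byte) for "looks compressed or encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, ordinary compiled code sits around 5-6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_attributes(data: bytes) -> dict:
    """Read the header facts the scorecard reports directly from the file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B            # PE32+ magic
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]             # same offset for PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + (108 if is64 else 92))[0]
    dirs_off = opt + (112 if is64 else 96)

    def has_dir(index: int) -> bool:
        if index >= ndirs:
            return False
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * index)
        return rva != 0 and size != 0

    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    exec_sections = [s for s in sections if s["executable"]]
    # Packer heuristic: compressed or encrypted code is near-random, so an executable
    # section above PACKED_ENTROPY bits/byte is almost never plain compiler output.
    high_entropy = any(s["entropy"] > PACKED_ENTROPY for s in exec_sections)
    return {
        "is_64bit": is64,
        "is_executable_image": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, "unknown(%d)" % subsystem),
        "has_rich_header": b"Rich" in data[0x40:e_lfanew],  # MSVC stamp between DOS stub and PE header
        "has_exports": has_dir(DIR_EXPORT),
        "has_security_info": has_dir(DIR_SECURITY),          # embedded Authenticode signature blob
        "has_relocations": has_dir(DIR_BASERELOC),
        "has_debug_info": has_dir(DIR_DEBUG),
        "has_tls": has_dir(DIR_TLS),                         # TLS callbacks run before the entry point
        "is_dotnet": has_dir(DIR_CLR),
        "executable_sections": len(exec_sections),
        "high_entropy": high_entropy,
        "likely_packed": high_entropy,
        "sections": sections,
    }


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32+ console image for this demo, not a real sample: 64-bit,
    no exports, relocations, debug data or certificate, one TLS directory, and either
    repetitive compiler-like code or pseudo-random bytes with UPX-style section names."""
    rng = random.Random(7)
    code = bytes(rng.getrandbits(8) for _ in range(4096)) if packed else b"\x48\x31\xc0\xc3" * 1024
    tail = b"\x00" * 512
    names = (b"UPX1", b"UPX0") if packed else (b".text", b".data")
    tail_flags = 0xE0000060 if packed else 0xC0000040       # packers mark their stub section executable too
    headers_size, code_rva, tail_rva = 0x200, 0x1000, 0x3000
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, len(code), len(tail), 0, code_rva, code_rva, 0x140000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x4000, headers_size, 0,
                      3, 0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)    # subsystem 3 = CUI
    dirs = [(0, 0)] * 16
    dirs[DIR_TLS] = (tail_rva, 40)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    secs = struct.pack("<8sIIIIIIHHI", names[0], len(code), code_rva, len(code), headers_size, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", names[1], len(tail), tail_rva, len(tail), headers_size + len(code), 0, 0, 0, 0, tail_flags)
    return (dos + b"PE\0\0" + coff + opt + secs).ljust(headers_size, b"\0") + code + tail


if __name__ == "__main__":
    for flavour in (False, True):
        report = pe_attributes(build_sample_pe(packed=flavour))
        print("packed" if flavour else "clean", {k: v for k, v in report.items() if k != "sections"})
```

To triage a real file, pass `open(path, "rb").read()` to `pe_attributes`. Note that `has_security_info` only says whether an Authenticode blob is present at all; whether that blob chains to a trusted root is a separate check, which is exactly where the self-signed signature listed further down fails.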
File Icons
This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

| Name | Value |
|---|---|
| Company Name | |
| File Description | |
| File Version | |
| Internal Name | svchost.exe |
| Legal Copyright | |
| Original Filename | |
| Product Name | |
| Product Version | |

Only Internal Name is populated, and it claims to be svchost.exe. The genuine Windows Service Host carries full Microsoft company, description, version and copyright strings, so a file that borrows the name while leaving every other field blank is imitating a system binary rather than being one.
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature's root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy "Self Signed" digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading "Signer" names.

| Signer | Root | Status |
|---|---|---|
| Microsoft Code Signing PCA | Microsoft Code Signing PCA | Self Signed |

Here both the signer and the root carry the name of Microsoft's code-signing CA, yet the status is Self Signed: the certificate was generated by the malware author with a copied name and does not chain to a trusted Microsoft root. Authenticode validation of such a file fails, and only a check that trusts the signer string without verifying the chain is fooled.
File Traits
- 2+ executable sections
- fptable
- GetConsoleWindow
- HighEntropy
- No Version Info
- packed
- x64
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

| Block Class | Count |
|---|---|
| Total Blocks | 17,177 |
| Potentially Malicious Blocks | 661 |
| Whitelisted Blocks | 13,894 |
| Unknown Blocks | 2,622 |

Visual Map: not reproduced here (legend: ? = Unknown Block, x = Potentially Malicious Block).
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft's analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.
- Agent.BR
- Agent.KFS
- Agent.LKFB
- ClipBanker.AY
- Downloader.Agent.NBF
- GameHack.GH
- Gamehack.GYF
- KillAV.X
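The block counts in Block Information and the family links above rest on the same mechanism: split each file into blocks, hash them, and compare the hash sets against a whitelist of known-good code and against other samples. The Python below is an added example of that technique, not EnigmaSoft's implementation and not tied to this family's real block data. It cuts blocks with a Gear rolling hash (the content-defined chunker from FastCDC), classifies them into the same whitelisted / potentially malicious / unknown buckets as the table, and scores family similarity over non-whitelisted blocks only. The inputs are constructed pseudo-random byte strings standing in for a shared runtime library, a family payload, a variant with a string inserted mid-payload, and an unrelated program; the block sizes, the mask and the sample data are all assumptions for the demo.

```python
import hashlib
import random

# Gear rolling hash (the FastCDC chunker): one table lookup and a shift per byte.
# The table is fixed by seed so block boundaries are reproducible across runs.
_table_rng = random.Random(0xC0FFEE)
GEAR = [_table_rng.getrandbits(32) for _ in range(256)]
CUT_MASK = 0xFC000000           # six high bits zero -> ~64-byte average block (demo size; real tools use KiB)
MIN_BLOCK, MAX_BLOCK = 16, 256


def split_blocks(data: bytes) -> list:
    """Content-defined chunking: cut where the rolling hash matches the mask, so an
    insertion moves only the cuts around it instead of shifting every block after it."""
    blocks, start, h = [], 0, 0
    for i, byte in enumerate(data):
        h = ((h << 1) + GEAR[byte]) & 0xFFFFFFFF
        length = i + 1 - start
        if (length >= MIN_BLOCK and (h & CUT_MASK) == 0) or length >= MAX_BLOCK:
            blocks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        blocks.append(data[start:])
    return blocks


def block_hashes(data: bytes) -> list:
    return [hashlib.sha256(block).hexdigest() for block in split_blocks(data)]


def classify_blocks(sample: bytes, whitelist: set, known_bad: set) -> dict:
    """The scorecard's breakdown: whitelisted (known-good library code), potentially
    malicious (seen in confirmed malware and never in clean files), unknown (neither)."""
    hashes = block_hashes(sample)
    white = sum(h in whitelist for h in hashes)
    bad = sum(h in known_bad and h not in whitelist for h in hashes)
    return {"total": len(hashes), "whitelisted": white,
            "potentially_malicious": bad, "unknown": len(hashes) - white - bad}


def family_similarity(a: bytes, b: bytes, whitelist: set) -> float:
    """Jaccard overlap of the non-whitelisted blocks only. Dropping library code is what
    stops two unrelated programs built against the same runtime from looking like one family."""
    sa, sb = set(block_hashes(a)) - whitelist, set(block_hashes(b)) - whitelist
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def _pseudo_random(seed: int, n: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed inputs, not real samples: a shared runtime library, a family payload,
# a variant with a string inserted mid-payload, and an unrelated program.
RUNTIME = _pseudo_random(1, 2048)
PAYLOAD_V1 = _pseudo_random(2, 2048)
PAYLOAD_V2 = PAYLOAD_V1[:1000] + b"http://c2.example.invalid/gate" + PAYLOAD_V1[1000:]
UNRELATED = _pseudo_random(3, 2048)
SAMPLE_A, SAMPLE_B, SAMPLE_C = RUNTIME + PAYLOAD_V1, RUNTIME + PAYLOAD_V2, RUNTIME + UNRELATED
WHITELIST = set(block_hashes(RUNTIME))      # blocks from known-clean code
KNOWN_BAD = set(block_hashes(PAYLOAD_V1))   # blocks from a confirmed family sample


if __name__ == "__main__":
    for label, sample in (("A (family)", SAMPLE_A), ("B (variant)", SAMPLE_B), ("C (unrelated)", SAMPLE_C)):
        print(label, classify_blocks(sample, WHITELIST, KNOWN_BAD))
    print("A~B", round(family_similarity(SAMPLE_A, SAMPLE_B, WHITELIST), 2))
    print("A~C", round(family_similarity(SAMPLE_A, SAMPLE_C, WHITELIST), 2))
```

Two things to notice when running it. Sample C shares every runtime block with A yet scores 0.0, because the whitelist removes that shared code before comparison; without that step any two programs statically linked against the same runtime would be grouped as a family. Sample B, whose only change is a 30-byte insertion, still shares most of its blocks with A because the cut points are decided by content rather than by fixed offsets, so only the blocks around the insertion change. The handful of "unknown" blocks in each sample are the ones straddling the runtime/payload boundary, which is the same reason a real scorecard always carries an unknown residue.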
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

| Category | API |
|---|---|
| Syscall Use | |
| User Data Access | |
| Anti Debug | |
| Service Control | |
| Network Winsock2 | |
| Network Winsock | |
| Network Info Queried | |