1. Home
  2. Software
  3. Snip3

Snip3

Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[1][2]

ID: S1086
Type: MALWARE
Platforms: Windows
Contributors: Aaron Jornet
Version: 1.0
Created: 13 September 2023
Last Modified: 10 October 2023
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Snip3 can create a VBS file in startup to persist after system restarts.[2]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Snip3 can use a PowerShell script for second-stage execution.[1][2]
.005 Command and Scripting Interpreter: Visual Basic

Snip3 can use visual basic scripts for first-stage execution.[1][2]
Enterprise T1140 Deobfuscate/Decode Files or Information

Snip3 can decode its second-stage PowerShell script prior to execution.[1]
Enterprise T1189 Drive-by Compromise

Snip3 has been delivered to targets via downloads from malicious domains.[2]
Enterprise T1564 .003 Hide Artifacts: Hidden Window

Snip3 can execute PowerShell scripts in a hidden window.[1]
Enterprise T1105 Ingress Tool Transfer

Snip3 can download additional payloads to compromised systems.[1][2]
Enterprise T1104 Multi-Stage Channels

Snip3 can download and execute additional payloads and modules over separate communication channels.[1][2]
Enterprise T1027 Obfuscated Files or Information

Snip3 has the ability to obfuscate strings using XOR encryption.[1]
.001 Binary Padding

Snip3 can obfuscate strings using junk Chinese characters.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Snip3 has been delivered to victims through malicious e-mail attachments.[2]
.002 Phishing: Spearphishing Link

Snip3 has been delivered to victims through e-mail links to malicious files.[2]
Enterprise T1055 .012 Process Injection: Process Hollowing

Snip3 can use RunPE to execute malicious payloads within a hollowed Windows process.[1][2]
Enterprise T1082 System Information Discovery

Snip3 has the ability to query Win32_ComputerSystem for system information. [1]

Enterprise T1204 .001 User Execution: Malicious Link

Snip3 has been executed through luring victims into clicking malicious links.[2]
.002 User Execution: Malicious File

Snip3 can gain execution through the download of visual basic files.[1][2]
Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Snip3 has the ability to detect Windows Sandbox, VMWare, or VirtualBox by querying Win32_ComputerSystem to extract the Manufacturer string.[1]
.003 Virtualization/Sandbox Evasion: Time Based Evasion

Snip3 can execute WScript.Sleep to delay execution of its second stage.[1]
Enterprise T1102 Web Service

Snip3 can download additional payloads from web services including Pastebin and top4top.[1]
Enterprise T1047 Windows Management Instrumentation

Snip3 can query the WMI class Win32_ComputerSystem to gather information.[1]

Groups That Use This Software

ID Name References
G1018 TA2541

[3][1]

References

  1. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  2. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  1. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.