Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate and load numerous strains of malware including AsyncRAT, Revenge RAT, Agent Tesla, and NETWIRE.[1][2]

ID: S1086
Platforms: Windows
Contributors: Aaron Jornet
Version: 1.0
Created: 13 September 2023
Last Modified: 10 October 2023

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Snip3 can create a VBS file in startup to persist after system restarts.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Snip3 can use a PowerShell script for second-stage execution.[1][2]

.005 Command and Scripting Interpreter: Visual Basic

Snip3 can use visual basic scripts for first-stage execution.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Snip3 can decode its second-stage PowerShell script prior to execution.[1]

Enterprise T1189 Drive-by Compromise

Snip3 has been delivered to targets via downloads from malicious domains.[2]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Snip3 can execute PowerShell scripts in a hidden window.[1]

Enterprise T1105 Ingress Tool Transfer

Snip3 can download additional payloads to compromised systems.[1][2]

Enterprise T1104 Multi-Stage Channels

Snip3 can download and execute additional payloads and modules over separate communication channels.[1][2]

Enterprise T1027 Obfuscated Files or Information

Snip3 has the ability to obfuscate strings using XOR encryption.[1]

.001 Binary Padding

Snip3 can obfuscate strings using junk Chinese characters.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Snip3 has been delivered to victims through malicious e-mail attachments.[2]

.002 Phishing: Spearphishing Link

Snip3 has been delivered to victims through e-mail links to malicious files.[2]

Enterprise T1055 .012 Process Injection: Process Hollowing

Snip3 can use RunPE to execute malicious payloads within a hollowed Windows process.[1][2]

Enterprise T1082 System Information Discovery

Snip3 has the ability to query Win32_ComputerSystem for system information. [1]

Enterprise T1204 .001 User Execution: Malicious Link

Snip3 has been executed through luring victims into clicking malicious links.[2]

.002 User Execution: Malicious File

Snip3 can gain execution through the download of visual basic files.[1][2]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Snip3 has the ability to detect Windows Sandbox, VMWare, or VirtualBox by querying Win32_ComputerSystem to extract the Manufacturer string.[1]

.003 Virtualization/Sandbox Evasion: Time Based Evasion

Snip3 can execute WScript.Sleep to delay execution of its second stage.[1]

Enterprise T1102 Web Service

Snip3 can download additional payloads from web services including Pastebin and top4top.[1]

Enterprise T1047 Windows Management Instrumentation

Snip3 can query the WMI class Win32_ComputerSystem to gather information.[1]

Groups That Use This Software

ID Name References
G1018 TA2541