{
	"id": "f2c94f96-7c10-4804-84fd-6237d49195f9",
	"created_at": "2026-04-06T00:18:33.543158Z",
	"updated_at": "2026-04-10T03:20:54.676144Z",
	"deleted_at": null,
	"sha1_hash": "506601de0b00aa053df0932ed901415a1bfdbbd4",
	"title": "SnatchLoader Reloaded | NETSCOUT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67559,
	"plain_text": "SnatchLoader Reloaded | NETSCOUT\r\nArchived: 2026-04-05 20:04:46 UTC\r\nExecutive Summary\r\nSnatchLoader is a “downloader” malware—a type of malware that specializes in distributing (or loading) other\r\nmalware onto infected computers. We first started seeing it in the wild around January 2017, but after a few\r\nmonths it went dormant. Recently, development of the malware has picked up again and we’ve seen updates as\r\nrecently as last week. It is currently being used to load a banking trojan known as Ramnit. Additionally, it’s using\r\nan interesting feature known as “geo-IP blocking” so that only computers in certain geographical areas become\r\ninfected. We have been able to determine that at a minimum the UK and Italy are being targeted, but the US,\r\nFrance, and Hong Kong are not.\r\nIntroduction\r\nThere was an interesting Twitter thread a couple of months ago about a spam campaign delivering, at the time, an\r\nunknown “downloader” malware—a type of malware that specializes in distributing other malware families.\r\nBased on our analysis we believe that it is an update to the downloader known as “SnatchLoader” which was\r\nbriefly discussed on the KernelMode.info forum in January 2017 . As noted in that post, there seems to be some\r\nsimilarities between SnatchLoader and a third family known as H1N1 Loader—though a detailed code\r\ncomparison was not performed. Its lineage aside, we haven’t seen any further discussions of SnatchLoader, so this\r\npost takes a look at the latest version that we’ve seen.\r\nSamples\r\nThe sample referenced in the original Twitter thread is available on VirusTotal. However, most of our static\r\nanalysis was performed on an updated version of the “core DLL” with a compilation date of 2017-10-04. This\r\nDLL is also on VirusTotal and was first seen there on 2017-10-11.\r\nWindows API Calls\r\nAll calls to the Windows API are done at run time via function name hashing. 
The hashing algorithm is a\r\ncombination of rotate left (ROL) and XOR operations. An example implementation in Python can be found on\r\nGitHub. Here is a list of some API function names and their corresponding hashes:\r\nRtlZeroMemory -\u003e 0x6b6c652b\r\nCreateMutexW -\u003e 0x43725043\r\nInternetConnectA -\u003e 0x1d0c0b3e\r\nStatic Config\r\nA static config is stored encrypted in a PE section of the DLL. So far, we’ve seen two names for this section: .idata\r\nand .xdata.\r\nhttps://www.arbornetworks.com/blog/asert/snatchloader-reloaded/\r\nPage 1 of 5\n\nThe first DWORD of this section (0x99a8 in the screenshot) is used as a seed to a key generation function.\r\nA Python implementation of this function is available on GitHub. The generated key is used with RC4 to decrypt\r\nthe remaining data. The decrypted config can be separated into two chunks. The first chunk is XML-like and looks\r\nlike this (whitespace has been added for readability; the config listing itself is a screenshot in the original post\r\nand is not reproduced in this text):\r\nSRV is the command and control (C2) URL, TIME is the phone home poll interval in minutes, NAME is a\r\ncampaign identifier (02.10 likely means October 2nd), and KEY is used to encrypt phone home communications.\r\nThe second config chunk is an RSA certificate used for signature checking of downloaded data.\r\nCommand and Control\r\nSo far, all the C2 URLs we’ve observed are HTTPS. However, using a debugger, we can modify the\r\ncommunications to use HTTP and see what a phone home looks like in plaintext:\r\nThe POST data is encrypted using four layers:\r\n1. RC4 using KEY from the config\r\n2. Base64\r\n3. Character substitutions\r\n4. Split up into 64-byte chunks with “\\r\\n” delimiters\r\nThere are three character substitutions, listed here in the encoding direction; each one is reversed to decode\r\n(standard Base64 never emits “.”, so it is the padding “=” that gets rewritten on the way out):\r\n+ to -\r\n/ to _\r\n= to .\r\nThe response data is encrypted similarly but without layer 4. 
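The import hashing described in the Windows API Calls section above can be reproduced and turned into an analyst's lookup table with the following added example. It is not code from the post or from the ASERT GitHub implementation the post links to. The rotate count of 8 is inferred here from the three published name/hash pairs (RtlZeroMemory 0x6b6c652b, CreateMutexW 0x43725043, InternetConnectA 0x1d0c0b3e) rather than stated on the page, and the export-name list is an assumed stand-in for walking the real export tables of ntdll, kernel32 and wininet.

```python
# Added example (not from the post or from the ASERT GitHub scripts): reproduce the
# ROL/XOR import hash, resolve hash immediates back to names, and sanity-check them.
# The rotation count of 8 is inferred from the three published pairs, not stated on
# the page; CANDIDATE_EXPORTS is an assumed stand-in for real DLL export tables.

MASK32 = 0xffffffff

# Ground truth from the post: hash -> exported function name.
KNOWN_HASHES = {
    0x6b6c652b: 'RtlZeroMemory',
    0x43725043: 'CreateMutexW',
    0x1d0c0b3e: 'InternetConnectA',
}

# Assumed names to hash; a real resolver walks the export tables of ntdll,
# kernel32 and wininet on the analysis box instead of using a hand-written list.
CANDIDATE_EXPORTS = [
    'RtlZeroMemory', 'CreateMutexW', 'CreateMutexA', 'InternetConnectA',
    'InternetOpenA', 'HttpOpenRequestA', 'HttpSendRequestA', 'InternetReadFile',
    'VirtualAlloc', 'LoadLibraryA', 'GetProcAddress', 'WriteProcessMemory',
]


def rol32(value, count):
    # 32-bit rotate left, as x86 ROL does on a DWORD register.
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32


def api_hash(name, rotation=8):
    # h = ROL(h, rotation) XOR next byte, starting from zero, over the ASCII name.
    # No NUL terminator is folded in; that is the variant matching the published pairs.
    h = 0
    for byte in name.encode('ascii'):
        h = rol32(h, rotation) ^ byte
    return h


def infer_rotation(known):
    # Brute-force the rotation count against ground-truth pairs; returns every
    # count that reproduces all of them, which confirms a loop recovered from disassembly.
    return [r for r in range(1, 32)
            if all(api_hash(name, r) == h for h, name in known.items())]


def build_hash_table(names, rotation=8):
    # hash -> list of names, so collisions stay visible instead of overwriting.
    table = {}
    for name in names:
        table.setdefault(api_hash(name, rotation), []).append(name)
    return table


def resolve(h, table):
    # Names whose hash equals h; an empty list means the immediate is unknown.
    return table.get(h, [])


def is_plausible_hash(h):
    # With ROL by 8, every output byte is a XOR of ASCII bytes, so the top bit of
    # each byte is always clear. Any 32-bit immediate failing this test cannot be
    # the hash of an ASCII export name under this scheme.
    return h == (h & MASK32) and all(((h >> shift) & 0x80) == 0 for shift in (0, 8, 16, 24))


if __name__ == '__main__':
    table = build_hash_table(CANDIDATE_EXPORTS)
    print('rotation counts consistent with the published pairs:', infer_rotation(KNOWN_HASHES))
    for h in KNOWN_HASHES:
        print(hex(h), '->', resolve(h, table), 'plausible:', is_plausible_hash(h))
```

The is_plausible_hash check is worth keeping in a disassembler script: because the loop starts from zero and only ever XORs ASCII bytes into whole byte lanes, any immediate with a high bit set in one of its four bytes can be discarded before it is looked up.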
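The four phone-home layers listed above can be exercised end to end with the following added example; it is not code from the original post or from the ASERT GitHub scripts it mentions. The key is a constructed stand-in for KEY from the static config, the plaintext is the req=0 request shown in the post, and because the post does not say whether the final 64-byte chunk is followed by a trailing delimiter, the decoder simply discards every CR and LF before reversing the other three layers.

```python
import base64

# Added example: the four phone-home layers (RC4, Base64, character substitution,
# 64-byte chunking with CRLF) and their inverse. SAMPLE_KEY is a constructed value;
# the real one lives in the sample's static config. SAMPLE_REQUEST is the plaintext
# request shown in the post. Whether the last chunk carries a trailing CRLF is not
# stated, so the decoder strips every CR and LF before undoing the other layers.

SAMPLE_KEY = b'constructed-config-key'
SAMPLE_REQUEST = (b'req=0&guid=FCD08AEE3C0E9409&name=02.10'
                  b'&trash=ulbncmamlxwjakbnbmaklvvhamathrgsfrpbsfrfqeqpatisgsfrqbtf')

CRLF = bytes([13, 10])
CHUNK_SIZE = 64

# Layer 3 substitutions in the encoding direction; decoding applies the reverse.
SUBST_ENCODE = bytes.maketrans(b'+/=', b'-_.')
SUBST_DECODE = bytes.maketrans(b'-_.', b'+/=')
# Everything an encoded body may contain (used by the structural check below).
ALLOWED = set(b'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.')


def rc4(key, data):
    # Textbook RC4 (KSA + PRGA). The keystream is XORed in, so one function both
    # encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def encode_body(plaintext, key, chunk=True):
    # Layers 1-3 for responses (chunk=False); layers 1-4 for requests.
    layer3 = base64.b64encode(rc4(key, plaintext)).translate(SUBST_ENCODE)
    if not chunk:
        return layer3
    pieces = [layer3[i:i + CHUNK_SIZE] for i in range(0, len(layer3), CHUNK_SIZE)]
    return CRLF.join(pieces)


def decode_body(blob, key):
    # Inverse of encode_body; accepts chunked request bodies and responses alike.
    joined = bytes(b for b in blob if b not in (13, 10))
    return rc4(key, base64.b64decode(joined.translate(SUBST_DECODE)))


def looks_like_layered_body(blob):
    # Cheap structural check for proxy logs: only the substituted Base64 alphabet,
    # split into lines of at most 64 bytes. Not a signature on its own, but it
    # narrows which POST bodies are worth running through decode_body.
    lines = [line for line in blob.split(CRLF) if line]
    return bool(lines) and all(len(line) <= CHUNK_SIZE and set(line) <= ALLOWED for line in lines)


if __name__ == '__main__':
    wire = encode_body(SAMPLE_REQUEST, SAMPLE_KEY)
    print(wire.decode('ascii'))
    print(decode_body(wire, SAMPLE_KEY) == SAMPLE_REQUEST)
```

Because RC4 is symmetric and the remaining layers are plain encodings, recovering KEY from the static config is all that separates a captured POST body from its plaintext; the structural check is what lets a proxy log be triaged before that key is available.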
Communications are broken up into four request\r\ntypes:\r\n1. Get dynamic config\r\n2. Send system information\r\n3. Command poll\r\n4. Send command results\r\nGet Dynamic Config Request\r\nThe plain text version of the “get dynamic config” request looks like this:\r\nreq=0\u0026guid=FCD08AEE3C0E9409\u0026name=02.10\u0026trash=ulbncmamlxwjakbnbmaklvvhamathrgsfrpbsfrfqeqpatisgsfrqbtf\r\nIts pieces are:\r\nreq – request type\r\nguid – bot ID\r\nname – NAME from static config\r\ntrash – random characters of random length\r\nAn example response looks like this:\r\nSUCCESS|\u003cCFG\u003e\u003cSRV\u003ehttps://lookmans[.]eu/css/order.php|https://vertasikupper[.]eu/css/order.php\u003c/SRV\u003e\u003c\r\nThis response can be separated into two fields: the status field and the data portion. Here the status field is\r\n“SUCCESS” and the data portion is encapsulated in the \u003cCFG\u003e block (its SRV element carries two C2 URLs\r\nseparated by “|”)—this config is called the DYNAMIC config in the code.\r\nSend System Information Request\r\nThe second phone home request sends a bunch of system information and it looks like this:\r\nreq=1\u0026guid=FCD08AEE3C0E9409\u0026name=02.10\u0026win=9\u0026x64=1\u0026adm=1\u0026det=0\u0026def=0\u0026nat=1\u0026usrn=SYSTEM\u0026cmpn=JOHN-PC\u0026u\r\nIts pieces are:\r\nreq – request type\r\nguid – bot ID\r\nname – NAME from the config\r\nwin – Windows version\r\nx64 – is 64-bit architecture\r\nadm – is admin\r\ndet – anti-analysis related\r\ndef – anti-analysis process name detected\r\nnat – has an RFC1918 IP address\r\nusrn – username\r\ncmpn – computer name\r\nuagn – user agent\r\nsftl – software listing from the Uninstall key in the registry\r\nprcl – process listing\r\ntrash – random characters of random length\r\nA response looks like this:\r\nSUCCESS|\r\nCommand Poll Request\r\nA command poll request looks like the “get dynamic config” request except the req number is 2. 
An example\r\nresponse looks like this:\r\nSUCCESS|\u003cTASK\u003e20|1|2||MZ...\\x00\\x00\u003c/TASK\u003e|\r\nThis response has two fields: a status field and the data portion. The data\r\nhere can be zero or more TASK blocks, each holding the following “|”-separated fields:\r\ntask ID\r\ncommand type\r\ncommand arg1 (e.g. file type)\r\ncommand arg2 (e.g. hash value)\r\ncommand data (e.g. an executable file or URL)\r\nThe main functionality of SnatchLoader is to download and load additional malware families so most of the\r\ncommand types and arguments are in support of doing that in various ways (executed normally, executed via\r\nrundll32, or injected into explorer.exe). In this example, the command is to extract the embedded executable file\r\nand execute it normally. Some of the other supported commands are:\r\nPlugin functionality (so far, we’ve only seen a Monero cryptocurrency mining plugin)\r\nUpdate config\r\nUpdate self\r\nSend Command Results Request\r\nThe last phone home type is used to send the results of a command:\r\nreq=3\u0026guid=FCD08AEE3C0E9409\u0026name=02.10\u0026results=\u0026trash=pffebxmawlawigdawkifcymbxmawlgebxlawkifcymbxmhe\r\nIt is similar to the “command poll” request except the req number is 3 and an additional parameter (results) has\r\nbeen added. There is no response content from the C2 for this request.\r\nGeo-Blocking and Current Payload\r\nAn interesting characteristic of the C2 servers we’ve looked at so far is that they seem to be performing some sort\r\nof geo-blocking based on source IP addresses. While trying to interact with them via Tor or VPN exit nodes in\r\nthe US, France, or Hong Kong the servers responded with “404 Not found” errors. But, using VPN exit nodes in\r\nthe UK and Italy, the C2 responded affirmatively. In general, geo-blocking isn’t a novel feature, but it isn’t\r\nparticularly common. A practical consequence is that a sandbox detonating the loader from a non-targeted region\r\nnever receives a TASK and so never sees the payload. 
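Putting the request and response formats above together, the following added example (not the post's code and not derived from the sample) builds the plaintext of each request type before the encryption layers are applied and parses a response into its status field, its TASK blocks and the SRV list of a dynamic config. The GUID and NAME values are the ones shown in the post's examples; the trash alphabet and length range are assumptions; both sample responses are constructed to match the formats shown and are not captured server replies.

```python
import random

# Added example (not the post's code, not derived from the sample): plaintext of the
# four request types before the RC4/Base64/substitution/chunking layers, and a parser
# for the response formats. GUID and NAME are the values shown in the post; the trash
# alphabet and length range are assumptions; both sample responses are constructed.

REQ_GET_DYNAMIC_CONFIG = 0
REQ_SEND_SYSINFO = 1
REQ_COMMAND_POLL = 2
REQ_SEND_RESULTS = 3
LETTERS = 'abcdefghijklmnopqrstuvwxyz'

# Constructed in the post's format; the real task response embeds a whole PE file.
SAMPLE_TASK_RESPONSE = b'SUCCESS|<TASK>20|1|2||MZ...' + bytes(2) + b'</TASK>|'
SAMPLE_CFG_RESPONSE = (b'SUCCESS|<CFG><SRV>https://lookmans[.]eu/css/order.php'
                       b'|https://vertasikupper[.]eu/css/order.php</SRV></CFG>')


def random_trash(rng, low=32, high=64):
    # The post only says random characters of random length; lowercase letters and
    # a 32-64 length range are assumptions that match the look of the examples.
    return ''.join(rng.choice(LETTERS) for _ in range(rng.randint(low, high)))


def build_request(req, guid, name, extra=(), seed=None):
    # req, guid and name lead, request-specific fields follow, trash comes last,
    # as in the req=1 and req=3 examples. seed is only for reproducible output.
    fields = [('req', str(req)), ('guid', guid), ('name', name)]
    fields.extend(extra)
    fields.append(('trash', random_trash(random.Random(seed))))
    return '&'.join(k + '=' + v for k, v in fields)


def parse_response(blob):
    # Status is everything before the first '|'; the rest is the data portion.
    status, _, data = blob.partition(b'|')
    return status, data


def tag_bodies(data, tag):
    # Yield the contents of each <tag>...</tag> block in order. An unterminated
    # block raises instead of silently yielding a truncated payload.
    open_tag, close_tag = b'<' + tag + b'>', b'</' + tag + b'>'
    pos = 0
    while True:
        start = data.find(open_tag, pos)
        if start < 0:
            return
        end = data.find(close_tag, start + len(open_tag))
        if end < 0:
            raise ValueError('unterminated ' + tag.decode('ascii') + ' block')
        yield data[start + len(open_tag):end]
        pos = end + len(close_tag)


def classify_payload(payload):
    # Tell an embedded PE apart from a URL the loader must fetch itself.
    if payload.startswith(b'MZ'):
        return 'pe'
    if payload.startswith(b'http://') or payload.startswith(b'https://'):
        return 'url'
    return 'other'


def parse_tasks(data):
    # Fields: task ID | command type | arg1 | arg2 | command data. maxsplit=4 keeps
    # the data field intact even when an embedded executable contains '|' bytes.
    tasks = []
    for body in tag_bodies(data, b'TASK'):
        parts = body.split(b'|', 4)
        if len(parts) != 5:
            raise ValueError('malformed TASK block: ' + repr(body[:32]))
        task_id, cmd_type, arg1, arg2, payload = parts
        tasks.append({'task_id': task_id.decode('ascii'),
                      'command_type': cmd_type.decode('ascii'),
                      'arg1': arg1.decode('ascii'), 'arg2': arg2.decode('ascii'),
                      'data': payload, 'kind': classify_payload(payload)})
    return tasks


def parse_dynamic_config_servers(data):
    # <CFG><SRV>url|url</SRV>...: SRV carries one or more C2 URLs separated by '|'.
    servers = []
    for cfg in tag_bodies(data, b'CFG'):
        for srv in tag_bodies(cfg, b'SRV'):
            servers.extend(u.decode('ascii') for u in srv.split(b'|') if u)
    return servers


if __name__ == '__main__':
    print(build_request(REQ_COMMAND_POLL, 'FCD08AEE3C0E9409', '02.10', seed=7))
    status, data = parse_response(SAMPLE_TASK_RESPONSE)
    print(status, parse_tasks(data))
    print(parse_dynamic_config_servers(parse_response(SAMPLE_CFG_RESPONSE)[1]))
```

The parser works on bytes rather than text on purpose: the fifth TASK field is an arbitrary executable, so decoding the whole response as a string, or splitting it on every “|”, would corrupt exactly the part an analyst wants to carve out and hash.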
At the time of writing, the analyzed SnatchLoader botnet was distributing Ramnit—an info-stealing\r\nand banking malware. It has a compilation date of 2017-10-13 and is available on VirusTotal.\r\nConclusion\r\nThis post has been an overview of a downloader malware known as SnatchLoader. We can trace its origins as far\r\nback as January 2017 and it has been updated as recently as last week. It is being delivered via spam campaigns\r\nand based on geo-blocking functionality it looks to be targeting specific geographical areas. At the time of writing\r\nSnatchLoader is distributing the Ramnit malware family to at least the UK and Italy. Thanks much to Antelox,\r\nreOnFleek, XOR_Hex, mesa_matt, and kafeine for help with the geo-IP blocking, distributed payload, name\r\norigin, and general discussions on the family.\r\nSource: https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/"
	],
	"report_names": [
		"snatchloader-reloaded"
	],
	"threat_actors": [],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775791254,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/506601de0b00aa053df0932ed901415a1bfdbbd4.pdf",
		"text": "https://archive.orkl.eu/506601de0b00aa053df0932ed901415a1bfdbbd4.txt",
		"img": "https://archive.orkl.eu/506601de0b00aa053df0932ed901415a1bfdbbd4.jpg"
	}
}