{
	"id": "b762b578-cc84-4cdd-b479-9d91c32a387f",
	"created_at": "2026-04-06T00:10:13.312376Z",
	"updated_at": "2026-04-10T03:22:04.111306Z",
	"deleted_at": null,
	"sha1_hash": "f5f5f18b4096f3666764f701d23e921271cbec38",
	"title": "Malware – Snatch Loader: Reloaded",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 333783,
	"plain_text": "Malware – Snatch Loader: Reloaded\r\nPublished: 2017-12-11 · Archived: 2026-04-05 14:26:15 UTC\r\nSummary:\r\nSo I know what you’re thinking – “where are my EK posts”. Well, truth is I’m still looking at EKs but a lot of my\r\nsources have dried up and I don’t have the tech and tools to be able to search wide and far for them. I took a break\r\nand now I’ve decided to just post things that interest me and hopefully they will interest you as well. I’m not a\r\nreverse engineer so the tech details here are light.\r\nNow onto the main event. I tweeted about a malware called Snatch Loader: Reloaded in mid November. This is not\r\na new malware but Arbor Networks recently revealed multiple changes within it. I actually received a phishing\r\nemail in my inbox which I deleted as you do but I kept the URL and decided to Tweet on it after some help from\r\n@James_inthe_box.\r\nI’ve been tracking it since and now I’ve decided to quickly blog on it. I found some interesting files on the C2\r\ndomain and saw some notable changes in the processes.\r\nBackground Information:\r\nArticle by Arbor about Snatch Loader: Reloaded\r\nhttps://www.arbornetworks.com/blog/asert/snatchloader-reloaded/\r\nDownloads\r\nSnatch Loader: Reloaded – Snatchloader-10-Dec-2017\r\nVirus Total – d38945a93a926169cbe878afa6b292a5b52c570b61dc096725a0ddb8fdd5209e\r\nNotable Details:\r\n185.211.246.50 – tryntruiyuk[.]eu:443/css/order.php – Snatch Loader C2\r\nAnalysis:\r\nSnatch Loader would have arrived via a phishing email. I do not have one to show you at hand but they all contain\r\n(so far) a fake “Trusted sender” message like below. The emails themselves are rather convincing and contain\r\naddresses, etc.\r\nhttps://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/\r\nPage 1 of 5\n\nThis email would contain a link that downloads a ZIP file that contains an LNK (shortcut) that actually runs a\r\nscript in CMD. When run, this leads to a series of events such as in the image below, but bear in mind that is from a\r\nsample in early November.\r\nI have found a sample on Virus Total which was last submitted on 09-Dec-2017. So I ran it. Below you can see\r\nthat it differs somewhat from the sample above. I did not have any iexplore or control.exe running.\r\nI noticed that iexplore.exe was making the C2 calls.\r\nThe calls were over HTTPS and I do not currently have a setup that can let me debug it to use HTTP or some way\r\nto man-in-the-middle it. You can see the domain though in the DNS requests.\r\nNow I waited some time but it did not seem to load any other malware, at least not to my knowledge. It has been\r\nknown to drop Ramnit though and contain a crypto mining (XMR) module.\r\nInstead I decided to peek around and found some interesting stuff on the C2 domain.\r\nFirst I found some encrypted data at the C2, whose URL I guessed based on past C2s for Snatch\r\nLoader.\r\nI did not seek to decrypt this but it looks like it has multiple layers to it.\r\nAfter some digging around I found an “admin” panel.\r\nFinally and most interestingly I found what appears to be data files. Note the date on some of them.\r\nClicking on one shows they can probably be streamed and turned into an executable.\r\nI don’t know what these are but they are likely files that can be loaded by Snatch Loader. I’m not sure what conditions\r\nare required for this. Though I presume if connected to the Snatch Loader botnet, the operators can then manually\r\nload files.\r\nThat’s all for now. It’s clear the malware is still being updated and configured. As it is sent via phishing emails\r\nthat contain a URL, it is likely to bypass systems that can’t sandbox URLs. Watch out for emails that contain a\r\nfake “Trusted Sender” message.\r\nSource: https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/"
	],
	"report_names": [
		"malware-snatch-loader-reloaded"
	],
	"threat_actors": [],
	"ts_created_at": 1775434213,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5f5f18b4096f3666764f701d23e921271cbec38.pdf",
		"text": "https://archive.orkl.eu/f5f5f18b4096f3666764f701d23e921271cbec38.txt",
		"img": "https://archive.orkl.eu/f5f5f18b4096f3666764f701d23e921271cbec38.jpg"
	}
}