{"id":5435,"date":"2023-07-20T09:28:50","date_gmt":"2023-07-20T09:28:50","guid":{"rendered":"\/cybersecurity-blog\/?p=5435"},"modified":"2024-07-24T07:50:44","modified_gmt":"2024-07-24T07:50:44","slug":"analyzing-laplasclipper-malware","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/analyzing-laplasclipper-malware\/","title":{"rendered":"Analyzing a New .NET variant of LaplasClipper: retrieving the config\u00a0"},"content":{"rendered":"\n<p>Recently, we&#8217;ve discovered an interesting LaplasClipper sample here at <a href=\"https:\/\/any.run\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>, and we&#8217;re going to analyze it in this article. Our LaplasClipper sample is written in .NET and obfuscated with Babel.&nbsp;<\/p>\n\n\n\n<p>We will dig into the sample&#8217;s configuration, study the primary obfuscation techniques the attackers employed to make analysis more difficult, and ultimately break through them.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is LaplasClipper malware?<\/h2>\n\n\n\n<p>LaplasClipper, as its name implies, is a clipper variant. Its primary malicious function is to monitor the user&#8217;s clipboard (T1115). Attackers typically use it to swap out cryptocurrency addresses with ones they control. When users paste the address into a wallet to transfer funds, it&#8217;s the attacker&#8217;s address that receives them.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Taking the First Step of our LaplasClipper Analysis: Reconnaissance&nbsp;<\/h2>\n\n\n\n<p>For today\u2019s analysis, we\u2019re going to dissect <a href=\"https:\/\/app.any.run\/tasks\/033b87b8-0717-4dbe-8524-2be4b9a57a71\/\" target=\"_blank\" rel=\"noreferrer noopener\">this Laplas sample<\/a>. 
To understand what we&#8217;re dealing with, we\u2019re immediately going to feed it into two tools: <strong>DIE<\/strong> and <strong>ExeinfoPE<\/strong>.&nbsp;<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"469\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.48.45-min-1024x469.png\" alt=\"Our LaplasClipper sample in Detect It Easy\" class=\"wp-image-5437\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.48.45-min-1024x469.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.48.45-min-300x137.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.48.45-min-768x352.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.48.45-min-370x169.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.48.45-min-270x124.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.48.45-min-740x339.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.48.45-min.png 1376w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\">Our LaplasClipper sample in Detect It Easy<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"474\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.50.56-min-1024x474.png\" alt=\"LaplasClipper in ExeinfoPE\" class=\"wp-image-5438\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.50.56-min-1024x474.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.50.56-min-300x139.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.50.56-min-768x355.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.50.56-min-370x171.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.50.56-min-270x125.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.50.56-min-740x342.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-09.50.56-min.png 1388w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">And in ExeinfoPE&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>Right away, we see that 
it&#8217;s .NET obfuscated by Babel (T1027.002). And we also get a link to an unpacker in the form of de4dot. We&#8217;ll use this clue later.&nbsp;<\/p>\n\n\n\n<p>The <strong>Babel Obfuscator <\/strong>is one of the most popular proprietary obfuscators for .NET. It has the following set of features:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Renaming symbols&nbsp;<\/li>\n\n\n\n<li>Encryption of strings and constants&nbsp;<\/li>\n\n\n\n<li>Packing and encrypting resources&nbsp;<\/li>\n\n\n\n<li>Virtualization and obfuscation of the code&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let\u2019s upload our sample into <strong>dnSpy<\/strong> to study it further. Here\u2019s what we see:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"550\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.21.59-min-1-1024x550.png\" alt=\"LaplasClipper code block\" class=\"wp-image-5440\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.21.59-min-1-1024x550.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.21.59-min-1-300x161.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.21.59-min-1-768x413.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.21.59-min-1-1536x825.png 1536w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.21.59-min-1-370x199.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.21.59-min-1-270x145.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.21.59-min-1-740x398.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.21.59-min-1.png 1820w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">We see that the code is obfuscated<\/figcaption><\/figure>\n\n\n\n<p>Immediately noticeable are the distorted objects\u2019 names, and in the code, we can see the obfuscation of control flow using the switch conditional statement. 
To improve code readability and simplify our further analysis, let&#8217;s pass our sample through <strong>de4dot <\/strong>and <a href=\"https:\/\/github.com\/ElectroHeavenVN\/BabelDeobfuscator\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>BabelDeobfuscator<\/strong><\/a><strong>.<\/strong>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"286\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.23.39-min-1024x286.png\" alt=\"LaplasClipper code block\" class=\"wp-image-5441\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.23.39-min-1024x286.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.23.39-min-300x84.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.23.39-min-768x215.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.23.39-min-1536x429.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.23.39-min-2048x572.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.23.39-min-370x103.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.23.39-min-270x75.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.23.39-min-740x207.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The result of passing our sample through de4dot<strong> <\/strong>and BabelDeobfuscator<\/figcaption><\/figure>\n\n\n\n<p>Now the situation has improved a bit, but the cleaned version is only suitable for static analysis. However, if we try to debug the original sample, it will fail and throw an error of the following type (debugging is recommended to be performed only in an isolated environment):&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"414\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.26.04-min-1024x414.png\" alt=\"LaplasClipper error message\" class=\"wp-image-5442\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.26.04-min-1024x414.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.26.04-min-300x121.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.26.04-min-768x311.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.26.04-min-1536x621.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.26.04-min-370x150.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.26.04-min-270x109.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.26.04-min-740x299.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.26.04-min.png 1578w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Trying to debug the original sample throws this error<\/figcaption><\/figure>\n\n\n\n<p>If we look at the top of the call stack, we&#8217;ll see that the program crashes in some kind of environment variables check statement:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"462\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.02-min-1024x462.png\" alt=\"LaplasClipper malware code block\" class=\"wp-image-5443\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.02-min-1024x462.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.02-min-300x135.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.02-min-768x346.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.02-min-1536x693.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.02-min-2048x924.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.02-min-370x167.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.02-min-270x122.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.02-min-740x334.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The program crashes in some kind of environment variables check<\/figcaption><\/figure>\n\n\n\n<p>Let&#8217;s find this method by references to the use of GetEnvironmentVariable (T1082)&nbsp;in our cleaned sample.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"406\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.58-min-1024x406.png\" alt=\"LaplasClipper malware code 
block\" class=\"wp-image-5444\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.58-min-1024x406.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.58-min-300x119.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.58-min-768x304.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.58-min-1536x609.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.58-min-2048x812.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.58-min-370x147.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.58-min-270x107.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.27.58-min-740x293.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">We&#8217;ll look for this method by references to the use of GetEnvironmentVariable<\/figcaption><\/figure>\n\n\n\n<p>The strings are decrypted dynamically, using a trivial XOR. 
The key is specified as the second parameter on the method.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"745\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.29.35-min-1024x745.png\" alt=\"LaplasClipper malware code block\" class=\"wp-image-5445\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.29.35-min-1024x745.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.29.35-min-300x218.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.29.35-min-768x559.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.29.35-min-370x269.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.29.35-min-270x196.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.29.35-min-740x538.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.29.35-min.png 1454w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The strings are decrypted using XOR<\/figcaption><\/figure>\n\n\n\n<p>Let&#8217;s use a Python interpreter (you could 
also use CyberChef or simply set a breakpoint) to see which environment variables are being checked.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"256\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.30.51-1024x256.png\" alt=\"LaplasClipper Python interpreter\" class=\"wp-image-5446\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.30.51-1024x256.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.30.51-300x75.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.30.51-768x192.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.30.51-1536x384.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.30.51-370x92.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.30.51-270x67.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.30.51-740x185.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.30.51.png 1634w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">We&#8217;ll use a Python interpreter to see which environment variables are checked<\/figcaption><\/figure>\n\n\n\n<p>After a brief search using keywords in combination with environment variables, we found the <a href=\"http:\/\/\/\/github.com\/babelfornet\/BabelPlugins\/blob\/master\/AntiDebug\/Code\/AntiDebug.cs\" target=\"_blank\" rel=\"noreferrer noopener\">code for this anti-debug method<\/a> (T1622), and it turns out it was written by the obfuscator developers themselves.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"828\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.32.30-828x1024.png\" alt=\"LaplasClipper malware code block\" class=\"wp-image-5447\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.32.30-828x1024.png 828w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.32.30-243x300.png 243w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.32.30-768x950.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.32.30-1242x1536.png 1242w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.32.30-370x458.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.32.30-270x334.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.32.30-740x915.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.32.30.png 1334w\" sizes=\"(max-width: 828px) 100vw, 828px\" \/><figcaption class=\"wp-element-caption\">The code of the anti-debug method<\/figcaption><\/figure>\n\n\n\n<p>The method turned out to be rather ordinary. To bypass this anti-debug trick, we can simply halt the second thread during the debugging process, without the need to modify the sample. We just need to set a breakpoint at the beginning of the routine.&nbsp;<\/p>\n\n\n\n<p>So far, we&#8217;ve conducted basic reconnaissance and determined methods for partially disarming the target. 
However, if we try to decrypt the remaining strings in the same way as before, we won&#8217;t find any hint of C2 or other evidence of illicit activity, apart from the Babel debug strings and function names intended for dynamic invocation.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Digging deeper into our LaplasClipper sample&nbsp;<\/h2>\n\n\n\n<p>If we take a closer look at the sample, we&#8217;ll notice a resource named &#8220;JbeO\u200e&#8221; \u2014 note its rather substantial size.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"190\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.33.41-1024x190.png\" alt=\"LaplasClipper resources\" class=\"wp-image-5448\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.33.41-1024x190.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.33.41-300x56.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.33.41-768x142.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.33.41-1536x285.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.33.41-2048x379.png 2048w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.33.41-370x69.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.33.41-270x50.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.33.41-740x137.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Note the size of the JbeO\u200e resource&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>Let\u2019s make an assumption. If this resource is present, it&#8217;s likely that it&#8217;s used for something.&nbsp;<\/p>\n\n\n\n<p>The GetManifestResourceStream method is used to access embedded resources at runtime, so to test our hypothesis, let&#8217;s set a breakpoint on it and run the sample under debugging.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"461\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.34.37-1024x461.png\" alt=\"LaplasClipper malware code block\" class=\"wp-image-5449\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.34.37-1024x461.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.34.37-300x135.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.34.37-768x346.png 
768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.34.37-1536x692.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.34.37-2048x923.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.34.37-370x167.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.34.37-270x122.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.34.37-740x333.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">We&#8217;ll set a breakpoint and run the sample under debugging<\/figcaption><\/figure>\n\n\n\n<p>As we expected, the breakpoint triggered. Now, following the call chain a little further, we can see how the read resource is passed into a method with token 0x0600018C for decryption. 
Let&#8217;s examine this method more closely in the cleaned version.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46-1024x1024.png\" alt=\"LaplasClipper malware code block\" class=\"wp-image-5450\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46-768x767.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46-740x739.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.36.46.png 1492w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The read resource is passed into a method with token 0x0600018C<\/figcaption><\/figure>\n\n\n\n<p>Initially, two arrays are read in the following format: size and data. Subsequently, the first array is decrypted using an XOR operation, with the second array functioning as a key. After this, the first array acts as a header from which parameters for ensuing actions are read.&nbsp;<\/p>\n\n\n\n<p>Now, let&#8217;s examine this structure with a HEX editor.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1022\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min-1022x1024.png\" alt=\"LaplasClipper HEX\" class=\"wp-image-5451\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min-1022x1024.png 1022w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min-768x769.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min-370x371.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min-740x741.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.38.06-min.png 1220w\" sizes=\"(max-width: 1022px) 100vw, 1022px\" \/><figcaption class=\"wp-element-caption\">Examining the same resource with a HEX editor<\/figcaption><\/figure>\n\n\n\n<p>We can use <strong>CyberChef <\/strong>to extract the header for further analysis.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"395\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.39.48-min-1024x395.png\" alt=\"LaplasClipper in CyberChef\" class=\"wp-image-5452\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.39.48-min-1024x395.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.39.48-min-300x116.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.39.48-min-768x296.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.39.48-min-1536x593.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.39.48-min-2048x790.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.39.48-min-370x143.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.39.48-min-270x104.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.39.48-min-740x285.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">We&#8217;ll analyze the headers in CyberChef<\/figcaption><\/figure>\n\n\n\n<p>Now that we have access to the header, we can examine the variable values in the decryption method logic in more detail.&nbsp;<\/p>\n\n\n\n<p>Variable <strong>b<\/strong><em>,<\/em> at first glance, appears to be a bit field that can include the following values:&nbsp;<\/p>\n\n\n\n<p>1 &#8211; Indicates whether the resource is compressed (spoiler)&nbsp;<\/p>\n\n\n\n<p>2 &#8211; Indicates whether the resource is encrypted&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Variable <strong>b2 <\/strong>defines the algorithm for decrypting the resource.&nbsp;<\/li>\n\n\n\n<li>Variable <strong>b3<\/strong> is a dummy.&nbsp;<\/li>\n\n\n\n<li>Variable 
<strong>array3<\/strong>&nbsp;is the key for decryption with the chosen algorithm.&nbsp;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"505\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.40.55-1024x505.png\" alt=\"LaplasClipper malware code block\" class=\"wp-image-5453\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.40.55-1024x505.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.40.55-300x148.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.40.55-768x379.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.40.55-1536x758.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.40.55-2048x1010.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.40.55-370x183.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.40.55-270x133.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.40.55-740x365.png 740w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">The resource is only encrypted, and the decryption algorithm is AES.&nbsp;<\/figcaption><\/figure>\n\n\n\n<p>As we can see, in our case the resource is only encrypted, and the decryption algorithm is AES.&nbsp;<\/p>\n\n\n\n<p>It&#8217;s also important to note here that variable <strong>array2 <\/strong>is used, not only as an XOR key for the header, but also as an initialization vector for the decryption algorithm.&nbsp;<\/p>\n\n\n\n<p>Now we have enough information to decrypt the resource ourselves.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.42.08-1024x567.png\" alt=\"LaplasClipper malware in CyberChef\" class=\"wp-image-5454\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.42.08-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.42.08-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.42.08-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.42.08-1536x850.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.42.08-2048x1133.png 2048w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.42.08-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.42.08-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.42.08-740x409.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">At this point in the analysis, we have enough data to try and decrypt the resource ourselves<\/figcaption><\/figure>\n\n\n\n<p>After decryption, we&#8217;re met with &#8220;This program cannot be run in DOS mode&#8221;. Let&#8217;s feed the resulting executable file into DIE to confirm it&#8217;s a .NET assembly. So, we load it into <strong>dnSpy<\/strong>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"185\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.43.21-1024x185.png\" alt=\"LaplasClipper malware resources\" class=\"wp-image-5455\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.43.21-1024x185.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.43.21-300x54.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.43.21-768x139.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.43.21-1536x278.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.43.21-2048x370.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.43.21-370x67.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.43.21-270x49.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.43.21-740x134.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">We find three more resources but no new code<\/figcaption><\/figure>\n\n\n\n<p>Inside, we find three additional resources, but no further code. The file we&#8217;ve obtained is merely a vessel for other resources. However, we remain undeterred and press on with our analysis. We\u2019ll focus on unpacking the most sizable resource named &#8220;wCfO&#8221; (since the other two resources only vary slightly, we&#8217;ll omit them from this analysis).&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Approaching the Finish Line of LaplasClipper analysis<\/h2>\n\n\n\n<p>When we replicate the previous steps with the &#8220;wCfO&#8221; resource, we find that the variable b equals one. From the resource decryption method code, we deduce that if b equals one, control shifts to the Class67.smethod_0 method. When our manual examination of this routine failed to provide results, we decided to enlist the help of a cyber-assistant in the form of GPT-4. 
We fed it an approximately 500-line snippet, and the output was unexpected.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"616\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.04-min-1024x616.png\" alt=\"LaplasClipper malware analysed by ChatGPT\" class=\"wp-image-5457\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.04-min-1024x616.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.04-min-300x181.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.04-min-768x462.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.04-min-1536x924.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.04-min-2048x1232.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.04-min-370x223.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.04-min-270x162.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.04-min-740x445.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">ChatGPT was quite helpful<\/figcaption><\/figure>\n\n\n\n<p>To our relief, GPT managed to extract the compression algorithm from the clutter. What remains is a relatively minor task: employing <strong>CyberChef <\/strong>one more time (remembering to remove the header from the resource before decompression).&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"434\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.48-min-1024x434.png\" alt=\"LaplasClipper malware in CyberChef\" class=\"wp-image-5458\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.48-min-1024x434.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.48-min-300x127.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.48-min-768x325.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.48-min-1536x651.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.48-min-2048x868.png 2048w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.48-min-370x157.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.48-min-270x114.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.45.48-min-740x313.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>However, we hit a hurdle here too: the decompression attempt failed. The error could be due to meta-information at the start of the resource or to a modified compression algorithm. Nevertheless, we determined the correct starting offset empirically, which allows us to unlock the internal information of our resource.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"608\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.46.35-min-1024x608.png\" alt=\"LaplasClipper malware decrypted\" class=\"wp-image-5459\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.46.35-min-1024x608.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.46.35-min-300x178.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.46.35-min-768x456.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.46.35-min-1536x911.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.46.35-min-2048x1215.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.46.35-min-370x220.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.46.35-min-270x160.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.46.35-min-740x439.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Congratulations! We&#8217;ve successfully reached the heart of our test subject. The C2 server address and the key are now clearly in view. 
&nbsp;<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>By the way, if you want to analyze the process dump yourself, you can easily download it from this <a href=\"https:\/\/app.any.run\/tasks\/033b87b8-0717-4dbe-8524-2be4b9a57a71\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=laplas&amp;utm_content=service\" target=\"_blank\" rel=\"noreferrer noopener\">task in ANY.RUN<\/a>.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.47.40-min-1024x567.png\" alt=\"LaplasClipper malware configuration in ANY.RUN cloud malware sandbox\" class=\"wp-image-5460\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.47.40-min-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.47.40-min-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.47.40-min-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.47.40-min-1536x851.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.47.40-min-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.47.40-min-270x150.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.47.40-min-740x410.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/07\/\u0421\u043d\u0438\u043c\u043e\u043a-\u044d\u043a\u0440\u0430\u043d\u0430-2023-07-20-\u0432-10.47.40-min.png 1704w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>From this point on, the sample uses the C2 address and the key to communicate with the following API endpoints over HTTP\/S (T1071.001):&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/bot\/get &#8211; Query the C2 for a visually similar wallet address for subsequent substitution<\/li>\n\n\n\n<li>\/bot\/regex &#8211; Obtain a regular expression from the C2 so that only matching wallet addresses are replaced<\/li>\n\n\n\n<li>\/bot\/online &#8211; Inform the C2 that the victim is active<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up<\/h2>\n\n\n\n<p>In this article, we&#8217;ve dissected a fresh malware sample from the LaplasClipper family, developed on the .NET platform and obfuscated using Babel.&nbsp;<\/p>\n\n\n\n<p>In the process of our research, we&#8217;ve uncovered the sample&#8217;s internal settings, examined some techniques leveraged by the obfuscator to complicate the sample analysis, and outlined strategies to counter them.&nbsp;<\/p>\n\n\n\n<p>Our findings provide a solid understanding of the fundamental principles of protective mechanisms on the .NET platform. It&#8217;s critical to recognize that even the most complex protective methods rest on basic concepts, which are essential to understand and identify.&nbsp;<\/p>\n\n\n\n<p>Want more malware analysis content? Learn more about common obfuscation methods and how to defeat them in our recent <a href=\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/\" target=\"_blank\" rel=\"noreferrer noopener\">GuLoader analysis<\/a>. 
Or read about the <a href=\"https:\/\/any.run\/cybersecurity-blog\/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader\/\" target=\"_blank\" rel=\"noreferrer noopener\">encryption and decryption algorithms of PrivateLoader<\/a>.&nbsp;<\/p>\n\n\n\n<p>Lastly, a few words about us before we wrap up. ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis. &nbsp;<\/p>\n\n\n\n<p>Request a demo today and enjoy 14 days of free access to our enterprise plan.&nbsp; &nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=laplas&amp;utm_content=trial\" target=\"_blank\" rel=\"noreferrer noopener\">Request demo \u2192<\/a>&nbsp;<\/p>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Collected IOCs <\/h2>\n\n\n\n<p>Analyzed file:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-8\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"3\"\n           data-wpID=\"8\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:14.903129657228%;                    padding:10px;\n                    \"\n                    >\n                                        MD5                    <\/th>\n                                                <th 
class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:85.096870342772%;                    padding:10px;\n                    \"\n                    >\n                                        1955e7fe3c25216101d012eb0b33f527                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA1                    <\/td>\n                                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        f8a184b3b5a5cfa0f3c7d46e519fee24fd91d5c7                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        SHA256                    <\/td>\n                               
                 <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        55194a6530652599dfc4af96f87f39575ddd9f7f30c912cd59240dd26373940b                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-8'>\ntable#wpdtSimpleTable-8{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-8 td, table.wpdtSimpleTable8 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>Connections:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-9\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"2\"\n           data-wpID=\"9\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        Connections (IP)                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\"\n                                            data-cell-id=\"A2\"\n                  
data-col-index=\"0\" data-row-index=\"1\" style=\"padding:10px;\">45[.]159.189.105<\/td>\n<\/tr>\n<\/table>\n<\/div>\n\n\n\n<p>URIs:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\">\n<table id=\"wpdtSimpleTable-10\" class=\"wpdtSimpleTable wpDataTable\" style=\"border-collapse:collapse; border-spacing:0px;\" data-column=\"1\" data-rows=\"4\" data-wpID=\"10\" data-responsive=\"0\" data-has-header=\"1\">\n<thead>\n<tr class=\"wpdt-cell-row\"><th class=\"wpdt-cell wpdt-align-left\" style=\"padding:10px;\">URIs<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">http:\/\/45[.]159.189.105\/bot\/get?address=&lt;Victim crypto wallet address&gt; &amp;key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">http:\/\/45[.]159.189.105\/bot\/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">http:\/\/45[.]159.189.105\/bot\/online?guid=&lt;DESKTOP-NAME&gt; &amp;key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34<\/td><\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>MITRE ATT&amp;CK Matrix<\/strong><\/h2>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\">\n<table id=\"wpdtSimpleTable-11\" class=\"wpdtSimpleTable wpDataTable\" style=\"border-collapse:collapse; border-spacing:0px;\" data-column=\"3\" data-rows=\"6\" data-wpID=\"11\" data-responsive=\"0\" data-has-header=\"1\">\n<thead>\n<tr class=\"wpdt-cell-row\"><th class=\"wpdt-cell wpdt-wrap-text wpdt-align-center\" style=\"padding:10px;\">Tactics<\/th><th class=\"wpdt-cell wpdt-wrap-text wpdt-align-center\" style=\"padding:10px;\">Techniques<\/th><th class=\"wpdt-cell wpdt-wrap-text wpdt-align-center\" style=\"padding:10px;\">Description<\/th><\/tr>\n<\/thead>\n<tbody>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">TA0005: Defense Evasion<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">T1027.002 \u2013 Obfuscated Files or Information: Software Packing<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">The main logic is encrypted and embedded in the resources section to make the executable harder to analyze<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">TA0005: Defense Evasion<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">T1622 \u2013 Debugger Evasion<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">Anti-debugging techniques are used<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">TA0011: Command and Control<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">T1071.001 \u2013 Application Layer Protocol: Web Protocols<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">The sample uses HTTP\/S to communicate with its C2<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">TA0009: Collection<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">T1115 \u2013 Clipboard Data<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">The sample reads and modifies the clipboard buffer<\/td><\/tr>\n<tr class=\"wpdt-cell-row\"><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">TA0007: Discovery<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">T1082 \u2013 System Information Discovery<\/td><td class=\"wpdt-cell wpdt-wrap-text wpdt-align-left\" style=\"padding:10px;\">The sample collects system-specific information, such as the desktop name sent in the online check-in<\/td><\/tr>\n<\/tbody>\n<\/table>\n<\/div><style id='wpdt-custom-style-11'>\ntable#wpdtSimpleTable-11{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-11 td, 
table.wpdtSimpleTable11 th { white-space: normal !important; }\n<\/style>\n\n","protected":false}}