{
	"id": "160ed03f-261a-4c06-b392-085295d25e07",
	"created_at": "2026-04-06T00:21:11.418882Z",
	"updated_at": "2026-04-10T13:12:36.444144Z",
	"deleted_at": null,
	"sha1_hash": "cc0c4c1ced492f255bc28c8ce240311b0ca658d4",
	"title": "Analyzing a New .NET variant of LaplasClipper: retrieving the config",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73419,
	"plain_text": "Analyzing a New .NET variant of LaplasClipper: retrieving the\r\nconfig\r\nBy ANY.RUN\r\nPublished: 2023-07-20 · Archived: 2026-04-05 20:55:15 UTC\r\nRecently, we’ve discovered an interesting LaplasClipper sample here at ANY.RUN, and we’re going to analyze it\r\nin this article. Our LaplasClipper sample is written in .NET and obfuscated with Bable. \r\nWe will dig into the sample’s configuration, study, and ultimately break through the primary obfuscation\r\ntechniques the attackers employed to make the analysis process more difficult. \r\nWhat is LaplasClipper malware?\r\nLaplasClipper, as its name implies, is a clipper variant. Its primary malicious function is to monitor the user’s\r\nclipboard (T1115). Attackers typically use it to swap out cryptocurrency addresses with ones they control. When\r\nusers paste the address into a wallet to transfer funds, it’s the attacker’s address that receives them.   \r\nTaking the First Step of our LaplasClipper Analysis: Reconnaissance \r\nFor today’s analysis, we’re going to dissect this Laplas sample. To understand what we’re dealing with, we’re\r\nimmediately going to feed it into two tools: DIE and ExeinfoPE. \r\nOur LaplasClipper sample in Detect It Easy\r\nOur LaplasClipper sample in Detect It Easy\r\nLaplasClipper in ExeinfoPE\r\nAnd in ExeinfoPE \r\nRight away, we see that it’s .NET obfuscated by Babel (T1027.002). And we also get a link to an unpacker in the\r\nform of de4dot. We’ll use this clue later. \r\nThe Babel Obfuscator is one of the most popular proprietary obfuscators for .NET. It has the following set of\r\nfeatures: \r\nRenaming symbols \r\nEncryption of strings and constants \r\nPacking and encrypting resources \r\nVirtualization and obfuscation of the code \r\nLet’s upload our sample into dnSpy to study it further. 
Here’s what we see: \r\nhttps://any.run/cybersecurity-blog/analyzing-laplasclipper-malware/\r\nPage 1 of 7\n\nWe see that the code is obfuscated\r\nImmediately noticeable are the mangled object names, and in the code we can see control-flow obfuscation implemented with switch statements (switch-based control-flow flattening). To improve readability and simplify further analysis, let’s pass the sample through de4dot and BabelDeobfuscator. \r\nThe result of passing our sample through de4dot and BabelDeobfuscator\r\nThe situation has improved a bit, but the cleaned version is only suitable for static analysis. If we try to debug the original sample, it fails and throws an error of the following type (debug only in an isolated environment): \r\nTrying to debug the original sample throws this error\r\nIf we look at the top of the call stack, we see that the program crashes in what looks like an environment-variable check: \r\nThe program crashes in an environment-variable check\r\nLet’s find this method in our cleaned sample by cross-referencing uses of GetEnvironmentVariable (T1082).\r\nWe’ll look for this method by references to the use of GetEnvironmentVariable\r\nThe strings are decrypted dynamically using a trivial XOR; the key is passed as the method’s second parameter. \r\nThe strings are decrypted using XOR\r\nLet’s use a Python interpreter (you could also use CyberChef or simply set a breakpoint) to see which environment variables are being checked. 
\r\nWe’ll use a Python interpreter to see which environment variables are checked\r\nAfter a brief search using keywords in combination with environment variables, we found the code for this anti-debug method (T1622), and it turns out it was written by the obfuscator developers themselves. \r\nThe code of the anti-debug method\r\nThe method turned out to be rather ordinary. To bypass this anti-debug trick, we can simply halt the second thread while debugging, without modifying the sample: we just need to set a breakpoint at the beginning of the routine. \r\nSo far, we’ve conducted basic reconnaissance and found ways to partially disarm the target. However, if we try to decrypt the remaining strings in the same way as before, we won’t find any hint of a C2 or other evidence of malicious activity, apart from the Babel debug strings and the names of functions intended for dynamic invocation. \r\nDigging deeper into our LaplasClipper sample \r\nIf we take a closer look at the sample, we’ll notice a resource named “JbeO” — note its rather substantial size. \r\nNote the size of the JbeO resource \r\nA working assumption: if this resource is present, it is probably used for something. \r\nThe GetManifestResourceStream method is used to access embedded resources at runtime, so to test our hypothesis, let’s set a breakpoint on it and run the sample under the debugger. \r\nWe’ll set a breakpoint and run the sample under debugging\r\nAs expected, the breakpoint triggers. Following the call chain a little further, we can see the resource that was read being passed into a method with token 0x0600018C for decryption. Let’s examine this method more closely in the cleaned version. 
\r\nThe read resource is passed into a method with token 0x0600018C\r\nFirst, two arrays are read, each stored as a size followed by its data. The first array is then decrypted by XORing it with the second array as the key. After that, the first array serves as a header from which the parameters for the subsequent steps are read. \r\nNow, let’s examine this structure in a hex editor. \r\nExamining the same resource in a hex editor\r\nWe can use CyberChef to extract the header for further analysis. \r\nWe’ll analyze the header in CyberChef\r\nNow that we have the header, we can examine the variable values in the decryption method’s logic in more detail. \r\nVariable b, at first glance, appears to be a bit field that can include the following values: \r\n1 – Indicates whether the resource is compressed (spoiler) \r\n2 – Indicates whether the resource is encrypted \r\nVariable b2 selects the algorithm used to decrypt the resource. \r\nVariable b3 is a dummy. \r\nVariable array3 is the key for decryption with the chosen algorithm. \r\nAs we can see, in our case the resource is only encrypted, and the decryption algorithm is AES. \r\nIt’s also important to note that array2 is used not only as the XOR key for the header, but also as the initialization vector for the decryption algorithm. \r\nNow we have enough information to decrypt the resource ourselves. \r\nAt this point in the analysis, we have enough data to try and decrypt the resource ourselves\r\nAfter decryption, we’re met with “This program cannot be run in DOS mode”. 
Let’s feed the resulting executable into DIE to confirm it’s a .NET assembly, then load it into dnSpy. \r\nWe find three more resources but no new code\r\nInside, we find three additional resources, but no further code: the file we’ve obtained is merely a container for other resources. Undeterred, we press on. We’ll focus on unpacking the largest resource, named “wCfO” (the other two differ only slightly, so we omit them from this analysis). \r\nApproaching the Finish Line of LaplasClipper analysis\r\nWhen we repeat the previous steps with the “wCfO” resource, we find that variable b equals one, i.e. this resource is compressed but not encrypted. From the resource decryption method’s code, we deduce that if b equals one, control passes to the Class67.smethod_0 method. When our manual examination of this routine failed to produce results, we decided to enlist the help of a cyber-assistant in the form of GPT-4. We fed it a snippet of roughly 500 lines, and the output was unexpected. \r\nChatGPT was quite helpful\r\nTo our relief, GPT managed to identify the compression algorithm in the clutter. What remains is a relatively minor task: using CyberChef once more (remembering to strip the header from the resource before decompression). \r\nHowever, we encountered a hurdle here too. The decompression error could be due to metadata at the start of the resource or to a modified compression algorithm. Nevertheless, we determined the offset empirically, which lets us unlock the resource’s contents. \r\nCongratulations! We’ve successfully reached the heart of our test subject. The C2 server address and the key are now clearly in view. 
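The unpacking procedure above, reconstructed as an added Python example (this is not code from the ANY.RUN article or from the sample): it parses the size-prefixed header and key arrays, XOR-decrypts the header into b, b2, b3 and array3, applies AES when bit 2 of b is set and decompresses when bit 1 is set, and automates the empirical offset search the article needed for the wCfO resource. The xor_bytes helper is the same primitive as the string decryption described earlier. Field widths, the repeating-key XOR, AES-CBC with PKCS7 padding, the b2 value that selects AES and raw DEFLATE as the compression algorithm are assumptions, as is the constructed fixture the block decodes.

```python
# Added example, not code from the ANY.RUN article: a reconstruction of the
# resource container described above, written from the article's description.
# Assumed and not stated on the page: 4-byte little-endian array sizes, a
# repeating-key XOR, AES-CBC with PKCS7 padding (the .NET defaults), the b2
# value that selects AES, raw DEFLATE as the compression algorithm, and
# decryption before decompression when both flags are set.
import struct
import zlib

FLAG_COMPRESSED = 1   # bit in b: resource is compressed (the wCfO case, b == 1)
FLAG_ENCRYPTED = 2    # bit in b: resource is encrypted (the JbeO case)
ALG_AES = 0           # assumed b2 value for AES; the page only says AES is used


def xor_bytes(data, key):
    # Repeating-key XOR: the same primitive that decrypts the sample's strings,
    # where the key arrives as the method's second parameter.
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def read_array(buf, pos):
    # Assumed array layout: u32 little-endian size followed by the data.
    (size,) = struct.unpack_from('<I', buf, pos)
    pos += 4
    return buf[pos:pos + size], pos + size


def parse_header(blob):
    # Two arrays come first: the XOR-encrypted header and the key for it.
    array1, pos = read_array(blob, 0)
    array2, pos = read_array(blob, pos)
    header = xor_bytes(array1, array2)
    b, b2, b3 = header[0], header[1], header[2]   # flags, algorithm id, dummy
    array3, _ = read_array(header, 3)             # key for the chosen algorithm
    return {'flags': b, 'alg': b2, 'dummy': b3, 'key': array3,
            'iv': array2, 'body': blob[pos:]}     # array2 doubles as the AES IV


def aes_cbc_decrypt(data, key, iv):
    # Assumed .NET defaults (AES-CBC, PKCS7). Imported lazily so that the
    # compressed-only path runs without the cryptography package installed.
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(data) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def inflate_with_offset_scan(data, max_skip=64):
    # The article found the start of the compressed stream empirically. This
    # automates it: skip leading metadata bytes until raw DEFLATE (assumed)
    # yields a stream whose output starts with an MZ header.
    for skip in range(max_skip + 1):
        try:
            out = zlib.decompress(data[skip:], wbits=-15)
        except zlib.error:
            continue
        if out[:2] == b'MZ':
            return skip, out
    raise ValueError('no DEFLATE stream with an MZ payload in the first %d bytes' % max_skip)


def unpack_resource(blob):
    # Full pipeline: header, AES if bit 2 is set, decompression if bit 1 is set.
    hdr = parse_header(blob)
    data = hdr['body']
    if hdr['flags'] & FLAG_ENCRYPTED:
        if hdr['alg'] != ALG_AES:
            raise ValueError('unknown algorithm id %d' % hdr['alg'])
        data = aes_cbc_decrypt(data, hdr['key'], hdr['iv'])
    if hdr['flags'] & FLAG_COMPRESSED:
        _, data = inflate_with_offset_scan(data)
    return data


def build_resource(payload, flags, key, iv, junk=b''):
    # Encoder used only to construct an offline fixture (the malware ships just
    # the decoder); junk models the metadata bytes in front of the stream.
    if flags & FLAG_ENCRYPTED:
        raise ValueError('fixture builder covers the plain and compressed paths only')
    body = payload
    if flags & FLAG_COMPRESSED:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        body = junk + comp.compress(body) + comp.flush()
    header = bytes([flags, ALG_AES, 0]) + struct.pack('<I', len(key)) + key
    array1 = xor_bytes(header, iv)
    return struct.pack('<I', len(array1)) + array1 + struct.pack('<I', len(iv)) + iv + body


# Constructed fixture, not the real resource: a fake PE body packed as a
# compressed-only resource with three metadata bytes before the stream.
SAMPLE_KEY = bytes(range(32))
SAMPLE_IV = bytes(range(100, 116))
SAMPLE_PAYLOAD = b'MZ' + bytes(62) + b'This program cannot be run in DOS mode' + bytes(32)
SAMPLE_BLOB = build_resource(SAMPLE_PAYLOAD, FLAG_COMPRESSED, SAMPLE_KEY, SAMPLE_IV, junk=b'BBL')

if __name__ == '__main__':
    offset, _ = inflate_with_offset_scan(parse_header(SAMPLE_BLOB)['body'])
    print('stream offset:', offset, unpack_resource(SAMPLE_BLOB)[:48])
```

To use it on the real sample, read the JbeO bytes into blob and call unpack_resource(blob); the first header’s flags should read as 2 (encrypted only) and the result should start with MZ. If the inner wCfO resource then fails under raw DEFLATE, the algorithm GPT identified in Class67.smethod_0 differs from the assumption made here, and inflate_with_offset_scan is the one step to swap out; the returned offset is the value the article had to determine by hand.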
\r\nBy the way, if you want to analyze the process dump yourself, you can easily download it from this task in ANY.RUN. \r\nFrom here on, the sample uses the C2 address and the key to communicate with the following API endpoints over HTTP/S (T1071.001); the key travels as a query parameter in every request, as the URIs in the IOC list show: \r\n/bot/get – Query the C2 for a visually similar wallet address to substitute for the one in the clipboard \r\n/bot/regex – Obtain a regular expression from the C2 so that only matching wallet addresses are replaced \r\n/bot/online – Inform the C2 that the victim is active\r\nWrapping up\r\nIn this article, we’ve dissected a fresh malware sample from the LaplasClipper family, developed on the .NET platform and obfuscated using Babel. \r\nIn the course of the research, we’ve uncovered the sample’s internal settings, examined some of the techniques the obfuscator uses to complicate analysis, and outlined ways to counter them. \r\nOur findings give a solid understanding of the fundamental principles of protective mechanisms on the .NET platform. It’s important to recognize that even the most complex protections rest on basic concepts, which are essential to understand and identify. \r\nWant more malware analysis content? Learn more about common obfuscation methods and how to defeat them in our recent GuLoader analysis. Or read about the encryption and decryption algorithms of PrivateLoader. \r\nLastly, a few words about us before we wrap up. ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis. \r\nRequest a demo today and enjoy 14 days of free access to our enterprise plan. 
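A detection-side complement to the three C2 endpoints described above, as an added Python example that is not part of the original article: it classifies proxy-log URLs by the /bot/get, /bot/regex and /bot/online paths together with the 64-hex key parameter seen in the IOCs, extracts the address and guid parameters, and pivots infected clients by key. The log format, the client and server addresses and the key value are constructed for the example; only the paths and parameter names come from the article.

```python
# Added example, not from the ANY.RUN article: detection logic for the
# LaplasClipper C2 API over constructed proxy log lines. The log format
# (timestamp, client IP, method, URL), the addresses and the key value are
# made up; the endpoint paths and the address/guid/key parameters are the ones
# the article documents.
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> the parameter the article documents for it besides the key.
LAPLAS_ENDPOINTS = {'/bot/get': 'address', '/bot/regex': None, '/bot/online': 'guid'}
KEY_RE = re.compile('[0-9a-f]{64}')     # the key in the IOCs is 64 hex characters


def classify_url(url):
    # Return a description of the beacon if the URL matches the LaplasClipper
    # C2 API (known path plus a 64-hex key parameter), otherwise None.
    parts = urlsplit(url)
    if parts.path not in LAPLAS_ENDPOINTS:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    key = query.get('key', [''])[0]
    if not KEY_RE.fullmatch(key):
        return None      # same path on an unrelated site, or no key: not this family
    hit = {'host': parts.hostname, 'endpoint': parts.path, 'key': key}
    extra = LAPLAS_ENDPOINTS[parts.path]
    if extra:
        hit[extra] = query.get(extra, [''])[0]   # victim address or bot guid
    return hit


def scan_proxy_log(lines):
    # Each constructed line: <timestamp> <client ip> <method> <url>
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = classify_url(fields[3])
        if hit:
            hit.update({'ts': fields[0], 'client': fields[1]})
            hits.append(hit)
    return hits


def pivot_by_key(hits):
    # Group infected clients by C2 key: the key is baked into the build, so
    # every client beaconing with the same key shares the same operator config.
    by_key = {}
    for hit in hits:
        by_key.setdefault(hit['key'], set()).add(hit['client'])
    return by_key


# Constructed log, not real traffic. 203.0.113.10 stands in for the C2 and the
# key is a dummy; the real indicators are in the Collected IOCs section.
DUMMY_KEY = 'a1' * 32
SAMPLE_LOG = [
    '2023-07-20T10:01:02Z 10.0.0.5 GET http://203.0.113.10/bot/online?guid=3f9c1e7a&key=' + DUMMY_KEY,
    '2023-07-20T10:01:03Z 10.0.0.5 GET http://203.0.113.10/bot/regex?key=' + DUMMY_KEY,
    '2023-07-20T10:01:09Z 10.0.0.5 GET http://203.0.113.10/bot/get?address=bc1qexampleaddress&key=' + DUMMY_KEY,
    '2023-07-20T10:02:00Z 10.0.0.7 GET http://203.0.113.10/bot/online?guid=77d0bcf2&key=' + DUMMY_KEY,
    '2023-07-20T10:03:00Z 10.0.0.9 GET http://intranet.example/bot/online?guid=1',   # no key: benign
    '2023-07-20T10:03:05Z 10.0.0.9 GET http://intranet.example/index.html',
]

if __name__ == '__main__':
    hits = scan_proxy_log(SAMPLE_LOG)
    for hit in hits:
        print(hit['ts'], hit['client'], hit['endpoint'], hit.get('address') or hit.get('guid') or '')
    print(pivot_by_key(hits))
```

The path-plus-key combination is deliberately stricter than the IP alone: the C2 address in the IOCs can change between builds, while the three endpoints and the key parameter are part of the protocol, and the key value itself is a convenient pivot for finding every host running the same build.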
\r\nCollected IOCs\r\nAnalyzed file: \r\nMD5 1955e7fe3c25216101d012eb0b33f527\r\nSHA1 f8a184b3b5a5cfa0f3c7d46e519fee24fd91d5c7\r\nSHA256 55194a6530652599dfc4af96f87f39575ddd9f7f30c912cd59240dd26373940b\r\nConnections (IP):\r\n45[.]159.189.105\r\nURIs:\r\nhttp://45[.]159.189.105/bot/get?address=\u0026key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34\r\nhttp://45[.]159.189.105/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34\r\nhttp://45[.]159.189.105/bot/online?guid=\u0026key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34\r\nMITRE ATT\u0026CK Matrix\r\nTactic | Technique | Description\r\nTA0005: Defense Evasion | T1027.002 – Obfuscated Files or Information: Software Packing | Attempts were made to make the executable difficult to analyze by encrypting the main logic and embedding it in the resources section\r\nTA0005: Defense Evasion | T1622 – Debugger Evasion | Anti-debugging techniques are used\r\nTA0011: Command and Control | T1071.001 – Application Layer Protocol: Web Protocols | The target uses the HTTP/S protocol to communicate with the C2\r\nTA0009: Collection | T1115 – Clipboard Data | The target accesses and modifies the clipboard buffer\r\nTA0007: Discovery | T1082 – System Information Discovery | The target accesses system-specific information\r\nSource: https://any.run/cybersecurity-blog/analyzing-laplasclipper-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://any.run/cybersecurity-blog/analyzing-laplasclipper-malware/"
	],
	"report_names": [
		"analyzing-laplasclipper-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc0c4c1ced492f255bc28c8ce240311b0ca658d4.pdf",
		"text": "https://archive.orkl.eu/cc0c4c1ced492f255bc28c8ce240311b0ca658d4.txt",
		"img": "https://archive.orkl.eu/cc0c4c1ced492f255bc28c8ce240311b0ca658d4.jpg"
	}
}