Basically, if you are decrypting some bytes that are going to be executed and you put a normal breakpoint on those bytes intending to be hit once the instruction pointer is there, it will end up decrypting incorrectly, since what a software breakpoint does is inject an int3 instruction behind the scenes. So you are actually temporarily changing the content of what's there. So when it goes to decrypt, it's going to try and decrypt the changed instruction and will decrypt to the wrong value.
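The effect described in that comment, as an added example that is not part of the original comments: a constructed three-byte region is XOR-encrypted, a simulated software breakpoint overwrites one stored byte with the int3 opcode (0xCC), and the decryptor then produces a wrong byte at that offset; a hardware breakpoint, which uses debug registers instead of patching memory, would not cause this.

```c
#include <stdint.h>
#include <stddef.h>

#define INT3 0xCC  /* opcode a software breakpoint writes over the original byte */
#define KEY  0x5A  /* constructed XOR key for this example */

/* Constructed plaintext: nop; nop; ret. Its stored form is plaintext ^ KEY. */
static const uint8_t plaintext[] = { 0x90, 0x90, 0xC3 };
#define LEN (sizeof plaintext)

/* Produce the stored (encrypted) form of the region. */
void encrypt_region(uint8_t *out) {
    for (size_t i = 0; i < LEN; i++) out[i] = plaintext[i] ^ KEY;
}

/* Simulate the debugger placing a software breakpoint at offset `at`:
 * the byte in memory is replaced by 0xCC until the breakpoint is removed. */
void set_sw_breakpoint(uint8_t *region, size_t at) { region[at] = INT3; }

/* The decryptor as the sample would run it: XOR in place, reading whatever
 * bytes are currently in memory, patched or not. */
void decrypt_region(uint8_t *region) {
    for (size_t i = 0; i < LEN; i++) region[i] ^= KEY;
}

/* Decrypt a copy of the region, optionally with a breakpoint set first
 * (breakpoint_at < 0 means none); returns how many bytes differ from the
 * intended plaintext. */
int mismatches_after_decrypt(int breakpoint_at) {
    uint8_t region[LEN];
    encrypt_region(region);
    if (breakpoint_at >= 0) set_sw_breakpoint(region, (size_t)breakpoint_at);
    decrypt_region(region);
    int bad = 0;
    for (size_t i = 0; i < LEN; i++) bad += region[i] != plaintext[i];
    return bad;
}

/* The value the patched byte decrypts to: INT3 ^ KEY instead of the real opcode. */
uint8_t corrupted_byte(size_t at) {
    uint8_t region[LEN];
    encrypt_region(region);
    set_sw_breakpoint(region, at);
    decrypt_region(region);
    return region[at];
}
```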
About two weeks ago I was looking for the After Effects activator and I was startled by the number of videos with the same malware, and in the end I didn't find one video with the real activator, only malware.
Hey Ryan, this analysis is awesome! You did a great job breaking down that malicious RU-vid video. It’s wild to see how many views it got. Your insights really emphasize why we need to stay vigilant about cybersecurity. Keep up the great work!
Chef, I had downloaded exactly the same file, which is called 'Adobe Activator', from a stolen RU-vid channel post while I was trying to download Adobe... I did run the .exe and now I'm infected. My Steam account has been stolen, and my accounts, including Outlook accounts, have been compromised. I did download and run exactly the same file that you show in the video. Now, the question is how can I get rid of that 'Lumma Stealer'. I'm still infected; my computer is still in a risky situation. Please help me before it's too late. Help. SOS.
Hello, I am uploading a video about the sample you likely downloaded. It should be up soon. In the meantime, format your drives and reinstall Windows. Next time use 2FA on all your accounts, never store browser passwords in the 'Saved Passwords', etc. And don't download shit off of RU-vid ever.
Very interesting video! Incredible to see people RE like it's nothing! May I ask how you learned these skills? Was it through university/school or self-taught?
Awesome video! You really broke down how the Redline Stealer works in a way that makes sense. It's wild to see how these hacks happen. Can't wait to see what you dive into next!
This was really well done! You made the whole analysis easy to understand, even for someone who’s not super deep into malware stuff. Crazy how these things work. Looking forward to more from this series!
Hey man, I was wondering if you could try to crack this game cheat. It's really popular within that community of course, I'm curious if it contains any malware. I can't post a link unfortunately, make an email address for submissions!
Found some dude using an AI deepfake to promote a cracked Photoshop gen AI. Saw the RAR file with a password, knew immediately and chucked it into Triage and got a 10/10 for Lumma Stealer.
@RyanWeil-r1n you need to have Windows Pro version to use it but you can just use massgrave activation scripts to do it for free. Sounds a little sketchy but it's legit lol but always DYOR :)
Alright, I believe I have the problem fixed now for next time I upload. For some reason my VM was set to only 4GB of RAM when it should've been higher, and the core count was low. Not sure why the settings seem to have been 'reset' to that.
@RyanWeil-r1n It's strange, when I use VirtualBox the same kind of issue happens after I create a new VM in it, where I have to close out and change the RAM. I don't know why it doesn't let you edit it upon creation, but it doesn't.
The samples I’ve showed so far have a good detection rate on there, but there are definitely cases where it will have a low detection rate on VT and in some cases will be FUD. I’ve noticed the people running the malware campaign will link to a folder in their videos so they regularly update the executable when it gets detected and get to keep the same link.
Really appreciate this deep dive into the Lumma Stealer, Ryan! It's crazy how these hacked RU-vid channels are spreading malware. You do a great job of making this stuff understandable even for those of us who aren’t experts. Keep the awesome content coming!
@wittingsun7856 Kasseika looks cool because it uses BYOVD. May be worth looking at when I have more time. Otherwise, I am not interested in ransomware at all in terms of its encryption scheme, etc. so I'd probably just analyze the attack chain itself! Also, from what I've heard the ransomware payload is virtualized with Themida, so even if I wanted to do some static analysis on it I'd stand no chance against that haha (and I find dynamic analysis boring).
Great breakdown, Ryan! Your detailed analysis of how Redline Stealer was used in the hacked channel is both informative and eye-opening. I appreciate how you explained the process step by step, making it accessible for those of us who are newer to malware analysis. Looking forward to more content like this, keep up the fantastic work!
Really interesting - I couldn't follow 100%, as I'm fairly new to de-obfuscating, but it's really cool to get a glimpse of an actual workflow! Keep uploading videos like these man 💜
Thanks for the kind words. I didn't do too much regarding deobfuscation in this video other than using the de4dot fork I specified in the description to deobfuscate both of the stage one files. If you are interested in learning how to write your own (relatively) basic de4dot deobfuscator, I have an article about that on my GitHub site: ryan-weil.github.io/posts/AGENT-TESLA-2/
I almost feel honoured to have been recommended this video. 8 views and a channel created today. Maybe this is because the type of video is quite similar to those of Eric Parker, who I watch a lot, although your video appears lot more in depth. Very interesting, but due to lack of the technological knowledge, I could not understand a lot. Let's see if the algorithm blesses you with more recommendations. 😊