Last time we extracted a download URL; in this video we unpack the rest of the Emmenhtal to Pure Crypter to Lumma Stealer infection chain.
Udemy course: https://www.udemy.com/course/windows-malware-analysis-for-hedgehogs-beginner-training/?couponCode=60EBAE52098A12D428B3
Coupon: 60EBAE52098A12D428B3
Tools: binary refinery, Sysinternals strings.exe, notepad++, dnSpyEx, NetReactorSlayer, DiE, Python 3, dnlib
string-decrypt script: https://gist.github.com/struppigel/7f24f8730f3f41605f7a64cc39835cee
Posh script: https://bazaar.abuse.ch/sample/0a92ab70d1e5725ecabf5b90be95d2a4522b5080158818154e2d6dc978bc7e65/
Posh loaded: https://bazaar.abuse.ch/sample/9297b5e5f6fb8d582145e476d1a301e36c2353df5909733757ba7b28a9903551/
wvff.pdf (encrypted): https://bazaar.abuse.ch/sample/26b50b8585870303eddb861740732a276eb6a687c22d115fa57e760a30d0306c
Lumma payload: https://www.virustotal.com/gui/file/2999b0faa1e90d467cd0b9682ac64eddfc36bfbe034f0d4461bf529bbb3073e7/detection
ConfuserEx 2 deobfuscation video: https://youtu.be/Pjy50g6naMU
Buy me a coffee: https://ko-fi.com/struppigel
Follow me on Twitter: https://twitter.com/struppigel
#malware #malwareanalysis #reverseengineering
00:00 Intro
00:33 Unpacking first PowerShell layer
09:17 Unpacking .NET MediaFire downloader
10:16 Analyzing .NET downloader
12:07 Decrypting wvff.pdf
13:03 Deobfuscating .NET Reactor 6.X
21:54 Unpacking Lumma Stealer