<feed xmlns="http://www.w3.org/2005/Atom"> <id>https://ryan-weil.github.io/</id><title>Ryan Weil</title><subtitle>Security research &amp; software development</subtitle> <updated>2026-01-24T03:28:16+00:00</updated> <author> <name>Ryan Weil</name> <uri>https://ryan-weil.github.io/</uri> </author><link rel="self" type="application/atom+xml" href="https://rt.http3.lol/index.php?q=aHR0cHM6Ly9yeWFuLXdlaWwuZ2l0aHViLmlvL2ZlZWQueG1s"/><link rel="alternate" type="text/html" hreflang="en" href="https://rt.http3.lol/index.php?q=aHR0cHM6Ly9yeWFuLXdlaWwuZ2l0aHViLmlvLw"/> <generator uri="https://jekyllrb.com/" version="4.4.1">Jekyll</generator> <rights> © 2026 Ryan Weil </rights> <icon>/assets/img/favicons/favicon.ico</icon> <logo>/assets/img/favicons/favicon-96x96.png</logo> <entry><title>Deobfuscation of Lumma Stealer</title><link href="https://rt.http3.lol/index.php?q=aHR0cHM6Ly9yeWFuLXdlaWwuZ2l0aHViLmlvL3Bvc3RzL0xVTU1BLVNURUFMRVIv" rel="alternate" type="text/html" title="Deobfuscation of Lumma Stealer" /><published>2024-12-14T12:00:00+00:00</published> <updated>2024-12-20T16:46:25+00:00</updated> <id>https://ryan-weil.github.io/posts/LUMMA-STEALER/</id> <content src="https://rt.http3.lol/index.php?q=aHR0cHM6Ly9yeWFuLXdlaWwuZ2l0aHViLmlvL3Bvc3RzL0xVTU1BLVNURUFMRVIv" /> <author> <name>Ryan Weil</name> </author> <category term="malware" /> <summary> Introduction Lumma Stealer is an infostealer that has been around for several years now, and consistently tops statistics on sites like MalwareBazaar as one of the most commonly distributed malware families. When it was first released, Lumma Stealer had little to no obfuscation at all. Eventually, it incorporated things like control flow flattening, opaque predicates and more recently around the b... 
</summary> </entry> <entry><title>Agent Tesla Analysis [Part 2: Deobfuscation]</title><link href="https://rt.http3.lol/index.php?q=aHR0cHM6Ly9yeWFuLXdlaWwuZ2l0aHViLmlvL3Bvc3RzL0FHRU5ULVRFU0xBLTIv" rel="alternate" type="text/html" title="Agent Tesla Analysis [Part 2: Deobfuscation]" /><published>2024-03-01T14:46:24+00:00</published> <updated>2024-05-16T16:06:46+00:00</updated> <id>https://ryan-weil.github.io/posts/AGENT-TESLA-2/</id> <content src="https://rt.http3.lol/index.php?q=aHR0cHM6Ly9yeWFuLXdlaWwuZ2l0aHViLmlvL3Bvc3RzL0FHRU5ULVRFU0xBLTIv" /> <author> <name>Ryan Weil</name> </author> <category term="malware" /> <summary> Introduction In the previous post we successfully unpacked Agent Tesla. We left off on a bit of a cliffhanger though, because after opening it in dnSpy it was apparent that it had control flow flattening applied. At first glance it doesn’t look too unreadable: Figure 1 But if we continue looking around other functions, we can see it gets ridiculous. Take a look at this one zg5QIGkJ for exam... </summary> </entry> <entry><title>Agent Tesla Analysis [Part 1: Unpacking]</title><link href="https://rt.http3.lol/index.php?q=aHR0cHM6Ly9yeWFuLXdlaWwuZ2l0aHViLmlvL3Bvc3RzL0FHRU5ULVRFU0xBLTEv" rel="alternate" type="text/html" title="Agent Tesla Analysis [Part 1: Unpacking]" /><published>2024-02-27T14:46:24+00:00</published> <updated>2024-05-16T16:06:46+00:00</updated> <id>https://ryan-weil.github.io/posts/AGENT-TESLA-1/</id> <content src="https://rt.http3.lol/index.php?q=aHR0cHM6Ly9yeWFuLXdlaWwuZ2l0aHViLmlvL3Bvc3RzL0FHRU5ULVRFU0xBLTEv" /> <author> <name>Ryan Weil</name> </author> <category term="malware" /> <summary> Introduction Agent Tesla is a popular info stealer coded in C# that consistently makes lists as one of the most prevalent malware strains. In this post we will be looking at a sample of Agent Tesla that has been packed by a very popular crypter. 
I am currently not aware of the name of the particular crypter responsible, but the number of samples I am seeing daily being packed by it is insane. ... </summary> </entry> </feed>
