{
	"id": "ed3e2aee-d391-4499-b9fa-0e3c667934c6",
	"created_at": "2026-04-06T00:18:27.53375Z",
	"updated_at": "2026-04-10T03:21:56.136274Z",
	"deleted_at": null,
	"sha1_hash": "6fdbfa98d9d6f85d22a66d0c56a0059778b6b5d2",
	"title": "From OSINT to Disk: Wave Stealer Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2796543,
	"plain_text": "From OSINT to Disk: Wave Stealer Analysis\r\nBy montysecurity\r\nPublished: 2024-05-08 · Archived: 2026-04-05 18:10:42 UTC\r\nIntroduction\r\nIn this post, I will be walking through finding the Wave Stealer advertisement page, getting a sample, then analyzing it and determining its execution and persistence methods. We will also briefly explore how the persistence is broken in this particular sample.\r\nQuick shoutout to crep1x on Twitter/X for posting about this sample; it was instrumental in this analysis: https://twitter.com/crep1x\r\nOSINT\r\nUsing my InfraHunter tool, I found the following website advertising a new infostealer. I used one of the built-in searches in the tool, “generic-infostealer-1”, which runs the following query on Shodan: http.title:stealer http.html:login\r\nhttps://montysecurity.medium.com/from-osint-to-disk-wave-stealer-analysis-2010d2e340f0\r\nPage 1 of 10\n\nhttps://urlscan.io/result/013cd1f2-d55b-469a-9f2d-3556311fc3b4/\r\nTurning to Twitter/X, I saw this analysis from crep1x and retrieved the sample.\r\nhttps://twitter.com/crep1x/status/1782887599788486787\r\nSHA256: eadcf660e731fd3de0a5a8bee2f2337e7d78438f4e9293d2c90d5e63a2d9368e\r\nOne thing to note here is that the VT comments for this sample are also calling it PrivateLoader.\r\nMalware Analysis\r\nAfter getting the sample, I loaded it into a FLARE VM. The main tools I used in this analysis were as follows: Wireshark, ProcMon, ProcessExplorer, FakeNet-NG, AutoRuns, HashMyFiles, pestudio, and DetectItEasy.\r\nThe first thing I noticed in ProcMon is that it created a folder at C:\\Users\\User\\AppData\\Local\\Temp\\nsmB92D.tmp\\7z-out\\\r\nAt this point it runs Installer.exe, which is seen collecting data from Discord and web browser directories.\r\nIt also attempts to maintain persistence in the Startup folder as Updater.exe.\r\nI verified the hashes are the same. It is also seen in another AppData\\Local\\Temp directory.\r\nReviewing the FakeNet-NG logs shows this suspicious domain.\r\nCuriously, when the VM was rebooted, this error message popped up, showing Updater.exe failed to launch from Startup.\r\n
Manually launching Updater.exe and examining it under ProcMon suggests it has a DLL injection vulnerability (DLL Search Order Hijacking) regarding ffmpeg.dll. This is indicated by the numerous successive CreateFile attempts where the result is Name Not Found and the Path ends in ffmpeg.dll; Updater.exe is “searching” for the missing DLL. The very first place searched is the Startup folder (where Updater.exe resides); this is because the search routine starts with the directory where the program is located. So if an attacker places the malicious DLL in the same folder as the vulnerable program, the search routine will find it and load it.\r\nFor a more in-depth look at Search Order Hijacking, check out https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking#dll-search-order\r\nLooking at the ffmpeg.dll that is dropped by the first stage shows it was created in January 2024.\r\nLooking at the strings present in ffmpeg.dll shows it has some capabilities that do not appear necessary for something claiming to be related to FFmpeg.\r\nI also searched through the FFmpeg source code on GitHub for various strings seen above; none were found, suggesting this is not a genuine ffmpeg.dll.\r\nAt this point, I put ffmpeg.dll in the Startup folder and ran Updater.exe, and it triggered the domain callback. When I removed ffmpeg.dll and restarted the program, the callback did not happen and we see the same error as before, where Updater.exe just crashes. So we have a high degree of confidence that DLL Hijacking is the execution method.\r\nGrabbing the hash for ffmpeg.dll: 5795634e5f03fa1375b8a7e9655966beadbbe8681afd3c6996aa0f47959d053b\r\nLooking at Updater.exe shows it has “Unity LLC” listed as its Company.\r\nThe hash for Updater.exe is 69f086ecb0e9b764462e3d62268194b2b9abc8e4492b6c5b38472e1b7897436d, and looking at it in VT shows it was also compiled in January 2024 and has a copyright of “Unity @ 2024”.\r\n
I re-added ffmpeg.dll into the Startup folder and launched Updater.exe again, created a process dump, and found some strings related to gaming. (I added the DLL back in so the EXE does not crash.)\r\nThe “Unity @ 2024” copyright, “Unity LLC” company, and the strings above lead me to believe this is the Unity program for gaming. However, the compilation time being the same month as ffmpeg.dll is also curious. It appears one can buy/download the Unity source code (https://unity.com/products/source-code). It is unclear if the threat actor compiled a custom version of Unity or not, but either way, the malicious activity relies on the ffmpeg.dll (which is not related to the actual FFmpeg project).\r\nNot-So-Persistent\r\nIf you remember, about halfway through this I mentioned that when I rebooted the VM I got this error message. This message hints at the existence of the DLL injection vulnerability discussed in detail above. It also suggests the persistence mechanism for this sample was broken.\r\nWhen the first stage is executed, it drops Updater.exe into the Startup folder. However, Updater.exe crashes if it is unable to load ffmpeg.dll, and the first stage never copied ffmpeg.dll into the Startup folder, hence why Updater.exe crashed on startup.\r\n
Conclusion\r\nWave Stealer is an infostealer that takes advantage of a DLL injection vulnerability for ffmpeg.dll in what appears to be a Unity-related product, possibly a custom-compiled version of Unity. The program attempts to maintain persistence in the Startup folder. In this particular sample, the persistence was broken, causing the program to crash on startup.\r\nIOCs\r\neadcf660e731fd3de0a5a8bee2f2337e7d78438f4e9293d2c90d5e63a2d9368e (stage 1; sample.exe)\r\n69f086ecb0e9b764462e3d62268194b2b9abc8e4492b6c5b38472e1b7897436d (stage 2; Installer.exe, Updater.exe)\r\n5795634e5f03fa1375b8a7e9655966beadbbe8681afd3c6996aa0f47959d053b (malicious ffmpeg.dll)\r\nwavebysudryez[.]fr\r\nSource: https://montysecurity.medium.com/from-osint-to-disk-wave-stealer-analysis-2010d2e340f0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://montysecurity.medium.com/from-osint-to-disk-wave-stealer-analysis-2010d2e340f0"
	],
	"report_names": [
		"from-osint-to-disk-wave-stealer-analysis-2010d2e340f0"
	],
	"threat_actors": [],
	"ts_created_at": 1775434707,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fdbfa98d9d6f85d22a66d0c56a0059778b6b5d2.pdf",
		"text": "https://archive.orkl.eu/6fdbfa98d9d6f85d22a66d0c56a0059778b6b5d2.txt",
		"img": "https://archive.orkl.eu/6fdbfa98d9d6f85d22a66d0c56a0059778b6b5d2.jpg"
	}
}