{
	"id": "36f80f5c-7b9d-4e9e-a579-b97f3f8bafb4",
	"created_at": "2026-04-10T03:21:33.904147Z",
	"updated_at": "2026-04-10T13:12:31.237431Z",
	"deleted_at": null,
	"sha1_hash": "ad9746bfc73b5fdc7b65e05fb319926e78a19460",
	"title": "Babax stealer rebrands to Osno, installs rootkit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 287911,
	"plain_text": "Babax stealer rebrands to Osno, installs rootkit\r\nBy Karsten Hahn\r\nPublished: 2021-04-22 · Archived: 2026-04-10 02:48:14 UTC\r\n11/05/2020\r\nReading time: 5 min (1379 words)\r\nBabax not only changes its name but also adds a Ring 3 rootkit and lateral spreading capabilities. Furthermore, it has a ransomware component called OsnoLocker. Is this combination as dangerous as it sounds?\r\nEmergence of Babax and Osno\r\nBabax stealer has been around since at least June 2019. At that time a user named ForlayPy gave away the source code for free after being dissatisfied with a customer they had sold the source to.\r\nA colleague of mine discovered the first Osno stealer sample[1] on 5th October 2020. The sample[1] is a packed .NET assembly with the module name FallGuysStats. The module name indicates that it is using a statistics generator for the Steam game Fall Guys as a lure. The config shows version Osno 2.1.5 and has placeholders for some of the functions, including FTP and Telegram settings.\r\nBy the end of October researcher @backsla3h noted that the stealer is sold on forums. The advertisement comparison of Babax and Osno shows not only an increased price but also four more features or \"Benefits\" for Osno: r77 and network spreading, Anti-AV and evasion of Windows Defender via allowlist, AnarchyGrabber and microphone recording. Additionally there is a ransomware module which is not advertised (yet). Most of these features are described in the following sections.\r\nRootkit r77\r\nAlthough the advertisement calls this an exploit, it is actually an open source rootkit by bytecode77. The GitHub repo provides DLLs for this rootkit as well as an installer. Osno does the installation itself. Just like the rootkit installer, Osno registers the rootkit DLL in AppInit_DLLs and enables LoadAppInit_DLLs so it is loaded into every process. Because the rootkit DLLs are not signed, it sets RequireSignedAppInit_DLLs to 0.\r\nhttps://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit\r\nPage 1 of 7\r\nThe rootkit uses MinHook to redirect WinAPI calls, so that it hides processes and file names, e.g., from Explorer and Task Manager. The proof-of-concept binaries for the rootkit hide files and processes that start with \"$77\". Since Osno uses the proof-of-concept binaries, it needs to add the prefix \"$77\" to its own files to make it work.\r\nFile hiding demonstration by r77 rootkit. Image from https://github.com/bytecode77/r77-rootkit\r\nThe GitHub README.md for r77 states that the rootkit is still work in progress. Because of that, hiding files for x86 is currently unstable and disabled in the proof-of-concept files.\r\nLateral movement via SharpExec\r\nOsno collects all accessible IP addresses in the local network, then downloads SharpExec binaries from GitHub. SharpExec is a tool with various commands for lateral movement. Osno executes the following command for every collected IP and domain:\r\n\u003csharpexec\u003e -m=psexec -i=\u003ccollected-ip\u003e -d=\u003ccollected-domain\u003e -f=\u003cpath-in:%TEMP%/gpustats.bx\u003e -e=%TEMP%/\u003crandomname\u003e\r\nThe file gpustats.bx contains the path to the Osno executable. This command attempts to upload Osno to the given IP into the %TEMP% folder and execute it. That way Osno is able to spread to all accessible computers within the network.\r\nAnti-AV\r\nThe following Anti-AV features are those of the unpacked Osno sample[2]. The packer stub itself also has Anti-AV features, which are beyond the scope of this article.\r\nWindows Defender\r\nOsno adds its own path and the root of drive C: as exclusion folders for Windows Defender using the following PowerShell commands:\r\nAdd-MpPreference -ExclusionPath C:\\\r\nAdd-MpPreference -ExclusionPath \u003cpath-to-malware\u003e\r\nThis can only be successful if the malware has already gained a foothold on the system and obtained administrator privileges.\r\nOther AVs\r\nOsno searches for window titles and process names to kill the processes of antivirus software. It does this for the following window titles and process names:\r\nWindow title \"Malwarebytes Anti-Malware\" and process name either mbamgui or mbam\r\nProcess names: avgidsagent, avgfws, avgtray, avgemcx, avgwdsvc, avgnsx, avgcsrvx, avgrsx, Toolbar Updater\r\nThat means only Malwarebytes Anti-Malware and AVG are affected.\r\nOsno ransomware is a wiper\r\nOsno ransomware, or OsnoLocker as it is called in the code, has an implementation of XXTEA. However, it is not used in the current sample. Instead it overwrites the original content of the files with a marker. The marker is the string \"OsnoRansom\" followed by a randomly created string of 50-200 characters consisting of uppercase letters A-Z and digits 0-9. Described as a regex this would be ^OsnoRansom([A-Z0-9]){50,200}$. The randomly created string will be different for every affected file.\r\nOsnoLocker adds the .osnoed extension to these files.\r\nOsnoLocker puts a ransom message into a file called RecInstruct.osnoned (sic!). It proceeds to write an executable to disk named Osno Decryptor.exe[3] whose purpose is to lock the screen, display the ransom message that was placed in RecInstruct.osnoned and ask for a decryption code. This Osno Decryptor.exe has the module name FakeRansomware.\r\nOsno is a wiper in its current form and payment will not help to get any files back. Recovery of files via volume shadow copies can work, though. Future versions of Osno might use the already implemented XXTEA to encrypt files.\r\nAnarchyGrabber and other copied tools\r\nOsno stealer implements the code of AnarchyGrabber 3. An article by BleepingComputer describes the additional features of the latest AnarchyGrabber version. Just like that version, Osno will force Discord to load the JScript files inject.js and discordmod.js. To do that it puts the JScript files into the folder %AppData%\\Discord\\\u003cversion\u003e\\modules\\discord_desktop_core\\osno. Discord will then act as a stealer.\r\nAnother tool that this Osno sample uses is Da pure C++ Clipper[4], a native binary for clipbanking.\r\nFurthermore, @backsla3h pointed out that the RunPE method and the VM/Debugger/Sandbox detection code are taken from CSharp-RunPE and Anti-Analysis by NYAN-x-CAT.\r\nSo we have already identified six different copied sources and tools that are deployed by Osno: SharpExec, AnarchyGrabber, Da Pure C++ Clipper, CSharp-RunPE, Anti-Analysis and the r77 rootkit. It is likely that there are more copied sources in those functions I didn't look at, as they are beyond the scope of this article.\r\nConclusion\r\nOsno is not just a stealer anymore. Although that is still the main focus, the added capabilities pose a more serious threat, especially RDP access, lateral movement and file destruction.\r\nHowever, none of that seems particularly scary.\r\nFirstly, most of the serious sounding features are only possible after the malware has successfully accessed the system and gained administrator privileges. That includes the rootkit and the anti-AV. The lateral movement portion depends on an external tool that needs to be downloaded first. It is only successful if network administrators disregard security measures altogether, and is thus unlikely to cause serious outbreaks.\r\nSecondly, many of the stealer's features have been taken from public repositories and are known to defenders, making detection of the malware easier. Osno seems to have been built around some of those tools. E.g., it uses the r77 rootkit binaries as is, although they are unfinished and only work with drawbacks. Osno renames its files to make them work for the rootkit binaries instead of implementing a rootkit that works for the Osno files.\r\nThe ransomware, which may have been self-implemented, seems not finished yet, which is confirmed by the existence of implemented but unused XXTEA code and the fact that this feature is not advertised. Later versions will likely use encryption instead of destroying files.\r\nDue to the mishmash of open-source code and tools from other malware, Osno is best described as a patchwork Frankenstein's monster.\r\nIndicators of compromise\r\nSample SHA256\r\n[1] Osno/Babax stealer 3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1\r\n[2] Unpacked Osno 4fd221c89030a1fe1c2396a957990693ec8e6330ed79c63bde24abdbc0b8b166\r\n[3] Screenlocker \"Osno Decryptor.exe\" 40e4fffa431378e9f09310bba5ff4b8bcec1e11e2b9a606d15f123b696bdb697\r\n[4] Da pure C++ Clipper 1412516d5f9e43e9c797bbeb3872ef2ff0f68cf51d66288cfd257bb0b56a0e54\r\nDescription and indicator of compromise\r\nRegex for names of files downloaded and executed by Osno, located in the %APPDATA% folder: (\\$77-|)[a-z]{7}\\.exe (examples: $77-evlnnrz.exe, evlnnrz.exe)\r\nUsed as marker for download and execute, contains \"0x15\" after successful execution: %APPDATA%\\system.infox\r\nData file that indicates if autorun was set, contains either \"False\" or \"01010\": C:\\ProgramData\\ar.xdg\r\nContains the path of the Osno executable base64 encoded or, after lateral movement, the string \"0x14\": %TEMP%/gpustats.bx\r\nDiscord JScript files placed by AnarchyGrabber: %AppData%\\Discord\\\u003cversion\u003e\\modules\\discord_desktop_core\\osno\\inject.js and %AppData%\\Discord\\\u003cversion\u003e\\modules\\discord_desktop_core\\osno\\discordmod.js\r\nAdditional user for RDP access, password \"5Z6aW8qRhLWEwS\": Defaultuzer\r\nRansom message to be displayed by screenlocker: RecInstruct.osnoned\r\nRegex for content of overwritten files with .osnoed extension: ^OsnoRansom([A-Z0-9]){50,200}$ (example: OsnoRansom6ES4BAQ7F2Z4CPMZ3TMDRCP5BLHQQU7NPOS7DKEN1F31VGITX8)\r\nStolen data, placed in %TEMP%\\\u003cmd5(username)\u003eOsno\\\u003cmd5(machinename)\u003e-Logs: Chromium Logins.txt, Cookies.txt, Gecko Logins.txt, Direct Login Cookies.txt, CreditCards.txt, Others.txt, Hardware \u0026 Soft.txt\r\nKarsten Hahn\r\nPrincipal Malware Researcher\r\nSource: https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit"
	],
	"report_names": [
		"36459-babax-stealer-rebrands-to-osno-installs-rootkit"
	],
	"threat_actors": [],
	"ts_created_at": 1775791293,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad9746bfc73b5fdc7b65e05fb319926e78a19460.pdf",
		"text": "https://archive.orkl.eu/ad9746bfc73b5fdc7b65e05fb319926e78a19460.txt",
		"img": "https://archive.orkl.eu/ad9746bfc73b5fdc7b65e05fb319926e78a19460.jpg"
	}
}