Malware analysis Babax stealer rebrands to Osno, installs rootkit


Staff member
Apr 9, 2020
My last analysis of Osno/Babax stealer

Babax not only changes its name but also adds a Ring 3 rootkit and lateral spreading capabilities. Furthermore it has a ransomware component called OsnoLocker. Is this combination as dangerous as it sounds?
A colleague of mine discovered the first Osno stealer sample[1] on 5th October 2020. The sample[1] is a packed .NET assembly with the module name FallGuysStats. The module name indicates that it is using a statistics generator for the Steam game Fall Guys as a lure. The config shows version Osno 2.1.5 and has placeholders for some of the functions, including FTP and Telegram settings.
By the end of October researcher @backsla3h noted that the stealer is sold on forums. The advertisment comparison of Babax and Osno shows not only an increased price but also four more features or "Benefits" for Osno: r77 and network spreading, Anti-AV and evasion of WindowsDefender via allowlist, AnarchyGrabber and microphone records. Additionally there is a ransomware module which is not advertised (yet). Most of these features are described in the following sections

Screenshot 2020-11-05 151645.png

Osno is not just a stealer anymore. Although that is still the main focus, the added capabilities pose a more serious threat, especially RDP access, lateral movement and file destruction.

However, none of that seems particularly scary.

Firstly, most of the serious sounding features are only possible after the malware sucessfully accessed the system and gained administrator privileges. That includes the rootkit and the anti-AV. The lateral movement portion depends on an external tool that needs to be downloaded first. It is only successful if network adminstrators disregard security measures alltogether, thus, unlikely to cause serious outbreaks.

Secondly, many of the stealer's features have been taken from public respositories and are known to defenders, making detection of the malware easier. Osno seems to have been worked around some of those tools. E.g., it uses the r77 rootkit binaries as is, although they are unfinished and only work with drawbacks. Osno renames its files to make them work for the rootkit binaries instead of implementing a rootkit that works for the Osno files.

The ransomware, which may have been self-implemented, seems not finished yet, which is confirmed by existence of non-implemented XXTEA code and the fact that this feature is not advertised. Later versions will likely use encryption instead of destroying files.

Due to the mishmash of open-source code and tools from other malware Osno is best described as a patchwork Frankenstein's monster .


  • osno_ransom.png
    25.1 KB · Views: 117


Level 11
Aug 21, 2018

Mother of all viruses, still not properly reverse-engineered. It can display many, many other things. Its a piece of an art in coding!

pop ax ; POP 0xE9CF into AX register
xor ax,020C ; decrypt 0xEBC3 in AX (0xc3 RET)
mov [trap],al ; try to overwrite INT 3 with RET
add ax,020C ; fill the prefetch queue

IN AL,21
OR AL,02

Instruction 0040601A E807000000 call 00406026h 0040601F 34F4 xor al,F4 00406021 F0A4 lock movsb 00406023 288C085EB934AC sub [eax+ecx-53CB46A2],cl 0040602A 0200. add al,[eax]

" [eax+ecx-53CB46A2],cl" wow!
  • Like
Reactions: Correlate