win.bhunt

BHunt


BHunt is an infostealer that harvests cryptocurrency wallets from the machines it infects. The malware is built from several functions/modules, e.g. a reporting module that tells the C2 server which crypto wallets are present on the target computer. It searches for many different cryptocurrency wallets (e.g. Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin). The Blackjack module is used to steal the wallet files themselves, while Sweet_Bonanza steals passwords saved in the victim's browsers. Further modules, such as Golden7 and Chaos_crew, are also present.

References
2022-02-10 | Blackberry | The BlackBerry Research & Intelligence Team
@online{team:20220210:threat:3b6c884, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: BHunt Scavenger Harvests Victims’ Crypto Wallets}}, date = {2022-02-10}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger}, language = {English}, urldate = {2022-02-14} } Threat Thursday: BHunt Scavenger Harvests Victims’ Crypto Wallets
BHunt
2022-01-19 | BleepingComputer | Bill Toulas
@online{toulas:20220119:new:278c493, author = {Bill Toulas}, title = {{New BHUNT malware targets your crypto wallets and passwords}}, date = {2022-01-19}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/}, language = {English}, urldate = {2022-02-19} } New BHUNT malware targets your crypto wallets and passwords
BHunt
2022-01-18 | Bitdefender | Janos Gergo Szeles
@techreport{szeles:20220118:poking:a2bd8a5, author = {Janos Gergo Szeles}, title = {{Poking Holes in Crypto-Wallets: a Short Analysis of BHUNT Stealer}}, date = {2022-01-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf}, language = {English}, urldate = {2022-02-26} } Poking Holes in Crypto-Wallets: a Short Analysis of BHUNT Stealer
BHunt
Yara Rules
[TLP:WHITE] win_bhunt_auto (20220516 | Detects win.bhunt.)
rule win_bhunt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.bhunt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Reviewer notes (operational):
    //  - The strings are raw byte sequences taken from unpacked / dumped code,
    //    so this rule is intended for memory scans and unpacked samples; it is
    //    not expected to fire on a packed or obfuscated on-disk dropper.
    //  - "score = 100" is the generator's discriminative score within the
    //    Malpedia corpus, not a confidence value for use outside that corpus.
    //  - The "????????" bytes are wildcards covering relocated call/jump targets
    //    (e8/e9 operands) and an absolute data reference in $sequence_2.
    //  - $sequence_0 and $sequence_9 disassemble to instruction mixes that are
    //    unusual for compiler-emitted code (e.g. "in eax, dx", "sti", "ffreep",
    //    "mov esp, imm32"); they were presumably lifted from a data or constant
    //    region rather than executable code - TODO confirm against the sample
    //    before relying on them in isolation.

    strings:
        // NOTE(review): see header - this sequence does not look like real code.
        $sequence_0 = { fd ed 3c1e 7fdd 19ff 06 bb6cc46e3d }
            // n = 7, score = 100
            //   fd                   | std                 
            //   ed                   | in                  eax, dx
            //   3c1e                 | cmp                 al, 0x1e
            //   7fdd                 | jg                  0xffffffdf
            //   19ff                 | sbb                 edi, edi
            //   06                   | push                es
            //   bb6cc46e3d           | mov                 ebx, 0x3d6ec46c

        $sequence_1 = { 8d45cc 50 ffb6b8060000 6a00 50 e8???????? 8b45d8 }
            // n = 7, score = 100
            //   8d45cc               | lea                 eax, [ebp - 0x34]
            //   50                   | push                eax
            //   ffb6b8060000         | push                dword ptr [esi + 0x6b8]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]

        $sequence_2 = { f681????????46 0f8565020000 33c0 40 e9???????? c70681000000 33c0 }
            // n = 7, score = 100
            //   f681????????46       |                     
            //   0f8565020000         | jne                 0x26b
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   e9????????           |                     
            //   c70681000000         | mov                 dword ptr [esi], 0x81
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 8dbffcffffff d3c8 8b07 33c3 6681f94541 66a9071c }
            // n = 6, score = 100
            //   8dbffcffffff         | lea                 edi, [edi - 4]
            //   d3c8                 | ror                 eax, cl
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   33c3                 | xor                 eax, ebx
            //   6681f94541           | cmp                 cx, 0x4145
            //   66a9071c             | test                ax, 0x1c07

        $sequence_4 = { 80f1f7 661bc6 99 660dc125 32d9 23c6 660fb6d7 }
            // n = 7, score = 100
            //   80f1f7               | xor                 cl, 0xf7
            //   661bc6               | sbb                 ax, si
            //   99                   | cdq                 
            //   660dc125             | or                  ax, 0x25c1
            //   32d9                 | xor                 bl, cl
            //   23c6                 | and                 eax, esi
            //   660fb6d7             | movzx               dx, bh

        $sequence_5 = { 83c40c 8d442438 e8???????? 8b750c 83cbff 53 8d8610040000 }
            // n = 7, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8d442438             | lea                 eax, [esp + 0x38]
            //   e8????????           |                     
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   83cbff               | or                  ebx, 0xffffffff
            //   53                   | push                ebx
            //   8d8610040000         | lea                 eax, [esi + 0x410]

        $sequence_6 = { ff7508 51 e8???????? ff7514 ff7510 ff7508 e8???????? }
            // n = 7, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   e8???????? ...
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_7 = { ff750c ff7508 55 e8???????? c9 c3 55 }
            // n = 7, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   55                   | push                ebp
            //   e8????????           |                     
            //   c9                   | leave               
            //   c3                   | ret                 
            //   55                   | push                ebp

        $sequence_8 = { f9 8f442500 8db6fcffffff 8b06 81feec0a5a22 33c3 f8 }
            // n = 7, score = 100
            //   f9                   | stc                 
            //   8f442500             | pop                 dword ptr [ebp]
            //   8db6fcffffff         | lea                 esi, [esi - 4]
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   81feec0a5a22         | cmp                 esi, 0x225a0aec
            //   33c3                 | xor                 eax, ebx
            //   f8                   | clc                 

        // NOTE(review): see header - this sequence does not look like real code.
        $sequence_9 = { fb 009378416d23 bc2eaa7785 dfc5 4d 21e1 ab }
            // n = 7, score = 100
            //   fb                   | sti                 
            //   009378416d23         | add                 byte ptr [ebx + 0x236d4178], dl
            //   bc2eaa7785           | mov                 esp, 0x8577aa2e
            //   dfc5                 | ffreep              st(5)
            //   4d                   | dec                 ebp
            //   21e1                 | and                 ecx, esp
            //   ab                   | stosd               dword ptr es:[edi], eax

    condition:
        // Any 7 of the 10 sequences must be present; the filesize bound (bytes,
        // ~18.3 MiB) only limits scan cost and is not a characteristic of the
        // family. Note there is no MZ / PE check: the rule is meant to be
        // applied to memory dumps as well as files.
        7 of them and filesize < 19161088
}
[TLP:WHITE] win_bhunt_w0   (20220220 | Detects BHunt Malware Infostealer)
import "pe"

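rule win_bhunt_w0 {
    meta:
        description = "Detects BHunt Malware Infostealer"
        author = "BlackBerry Research & Intelligence Team"
        date = "Jan 28th 2022"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_version = "20220220"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_rule_date = "20220220"
        malpedia_hash = ""

    // NOTE(review): the `license` field (Apache-2.0) and `malpedia_license`
    // (CC BY-NC-SA 4.0) disagree; confirm which terms govern redistribution
    // before shipping this rule in a commercial product.
    //
    // Detection logic: a managed (.NET) PE that contains all three artefacts
    // below. Because $s1 is a hard-coded C2 URL and the condition requires all
    // strings, this rule behaves like an infrastructure IOC: a rebuilt sample
    // pointing at a different host will not match. Pair it with the
    // code-based win_bhunt_auto rule, or derive a lower-precision variant on
    // $s2/$s3 alone, if broader coverage is needed.

    strings:
        // C2 URL as observed in the analysed sample (UTF-16LE string literal).
        $s1 = "http://minecraftsquid.hopto.org/ifo.php" wide
        // Assembly name. The .NET metadata #Strings heap is UTF-8, so the name
        // stored in the metadata tables is only reachable with an ascii pattern;
        // a wide-only pattern can match the same token only where it occurs as
        // UTF-16 (e.g. a user-string literal or the version resource). `ascii wide`
        // is a strict superset of the original `wide`, so existing matches are
        // preserved and the string now also hits the metadata name itself.
        $s2 = "BHUNT" ascii wide
        // "Outlook" misspelled in a registry key name used by the sample.
        $s3 = "Outllook" wide

    condition:
        // MZ header
        uint16(0) == 0x5a4d and
        // CLR header present -> managed (.NET) executable; for a non-PE file
        // this data_directories access is undefined and the rule evaluates false.
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and
        // All three artefacts must be present (C2 URL, assembly name, typo).
        all of ($s*)
}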