BHunt (Malware Family)

BHunt

BHunt collects the crypto wallets of its victims. The malware consists of several functions/modules, e.g. a reporting module that reports the presence of crypto wallets on the target computers to the C2 server. It searches for many different cryptocurrencies (e.g. Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin). The Blackjack module is used to steal wallets, Sweet_Bonanza steals victims' browser passwords. There are also modules like the Golden7 or the Chaos_crew module.

References

2022-02-10 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Threat Thursday: BHunt Scavenger Harvests Victims’ Crypto Wallets
BHunt

2022-01-19 ⋅ BleepingComputer ⋅ Bill Toulas
New BHUNT malware targets your crypto wallets and passwords
BHunt

2022-01-18 ⋅ Bitdefender ⋅ Janos Gergo Szeles
Poking Holes in Crypto-Wallets: a Short Analysis of BHUNT Stealer
BHunt

Yara Rules

[TLP:WHITE] win_bhunt_auto (20230715 | Detects win.bhunt.)

rule win_bhunt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.bhunt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 1dcd1e66b1 1dcc7bc13d e23c 37 5d c81d949f a4 }
            // n = 7, score = 100
            //   1dcd1e66b1           | sbb                 eax, 0xb1661ecd
            //   1dcc7bc13d           | sbb                 eax, 0x3dc17bcc
            //   e23c                 | loop                0x3e
            //   37                   | aaa                 
            //   5d                   | pop                 ebp
            //   c81d949f             | enter               -0x6be3, -0x61
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]

        $sequence_1 = { a2???????? 9a05fcd0c3ff9b 2f a4 6940287c3c0e30 6448 8c28 }
            // n = 7, score = 100
            //   a2????????           |                     
            //   9a05fcd0c3ff9b       | lcall               0x9bff:0xc3d0fc05
            //   2f                   | das                 
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   6940287c3c0e30       | imul                eax, dword ptr [eax + 0x28], 0x300e3c7c
            //   6448                 | dec                 eax
            //   8c28                 | mov                 word ptr [eax], gs

        $sequence_2 = { 3bcb 0f8210010000 83f80f 0f8707010000 7209 83f9e0 0f87fc000000 }
            // n = 7, score = 100
            //   3bcb                 | cmp                 ecx, ebx
            //   0f8210010000         | jb                  0x116
            //   83f80f               | cmp                 eax, 0xf
            //   0f8707010000         | ja                  0x10d
            //   7209                 | jb                  0xb
            //   83f9e0               | cmp                 ecx, -0x20
            //   0f87fc000000         | ja                  0x102

        $sequence_3 = { 0f85b4010000 68???????? ebba 8b4510 5f e8???????? }
            // n = 6, score = 100
            //   0f85b4010000         | jne                 0x1ba
            //   68????????           |                     
            //   ebba                 | jmp                 0xffffffbc
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   5f                   | pop                 edi
            //   e8????????           |                     

        $sequence_4 = { ff7508 e8???????? 3bf3 59 59 7d0f 68???????? }
            // n = 7, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   3bf3                 | cmp                 esi, ebx
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   7d0f                 | jge                 0x11
            //   68????????           |                     

        $sequence_5 = { f6d5 40 0f9cc7 4d 0fb7ef 5f 41 }
            // n = 7, score = 100
            //   f6d5                 | not                 ch
            //   40                   | inc                 eax
            //   0f9cc7               | setl                bh
            //   4d                   | dec                 ebp
            //   0fb7ef               | movzx               ebp, di
            //   5f                   | pop                 edi
            //   41                   | inc                 ecx

        $sequence_6 = { 85c0 7c0b 8b490c 6bc018 8b0408 eb05 b8???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   7c0b                 | jl                  0xd
            //   8b490c               | mov                 ecx, dword ptr [ecx + 0xc]
            //   6bc018               | imul                eax, eax, 0x18
            //   8b0408               | mov                 eax, dword ptr [eax + ecx]
            //   eb05                 | jmp                 7
            //   b8????????           |                     

        $sequence_7 = { d4d1 f779f9 4a 350802d56a 1e 085f44 41 }
            // n = 7, score = 100
            //   d4d1                 | aam                 0xd1
            //   f779f9               | idiv                dword ptr [ecx - 7]
            //   4a                   | dec                 edx
            //   350802d56a           | xor                 eax, 0x6ad50208
            //   1e                   | push                ds
            //   085f44               | or                  byte ptr [edi + 0x44], bl
            //   41                   | inc                 ecx

        $sequence_8 = { ff75f4 6a33 53 e8???????? 6afe 68???????? 6a02 }
            // n = 7, score = 100
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   6a33                 | push                0x33
            //   53                   | push                ebx
            //   e8????????           |                     
            //   6afe                 | push                -2
            //   68????????           |                     
            //   6a02                 | push                2

        $sequence_9 = { 7e7b eb03 8b458c 3b4590 8b854cffffff 0f83ff000000 8b5594 }
            // n = 7, score = 100
            //   7e7b                 | jle                 0x7d
            //   eb03                 | jmp                 5
            //   8b458c               | mov                 eax, dword ptr [ebp - 0x74]
            //   3b4590               | cmp                 eax, dword ptr [ebp - 0x70]
            //   8b854cffffff         | mov                 eax, dword ptr [ebp - 0xb4]
            //   0f83ff000000         | jae                 0x105
            //   8b5594               | mov                 edx, dword ptr [ebp - 0x6c]

    condition:
        7 of them and filesize < 19161088
}

[TLP:WHITE] win_bhunt_w0 (20220220 | Detects BHunt Malware Infostealer)

import "pe"

rule win_bhunt_w0 {
    meta:
        description = "Detects BHunt Malware Infostealer"
        author = "BlackBerry Research & Intelligence Team"
        date = "Jan 28th 2022"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_version = "20220220"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_rule_date = "20220220"
        malpedia_hash = ""
        
    strings:
        // C2
        $s1 = "http://minecraftsquid.hopto.org/ifo.php" wide
        // Name of assembly in metadata
        $s2 = "BHUNT" wide
        // Outlook misspelled in reg key
        $s3 = "Outllook" wide

    condition:
        // MZ Header
        uint16(0) == 0x5a4d and
        // is a .NET binary
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and
        all of ($s*)
}

Download all Yara Rules

BHunt Propose Change

References

Yara Rules

BHunt