win.bhunt

BHunt


BHunt collects the crypto wallets of its victims. The malware consists of several functions/modules, e.g. a reporting module that reports the presence of crypto wallets on the target computers to the C2 server. It searches for many different cryptocurrency wallets (e.g. Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin). The Blackjack module is used to steal wallets, while Sweet_Bonanza steals victims' browser passwords. There are also further modules, such as Golden7 and Chaos_crew.

References
2022-02-10 | Blackberry | The BlackBerry Research & Intelligence Team
@online{team:20220210:threat:3b6c884, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: BHunt Scavenger Harvests Victims’ Crypto Wallets}}, date = {2022-02-10}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/02/threat-thursday-bhunt-scavenger}, language = {English}, urldate = {2022-02-14} } Threat Thursday: BHunt Scavenger Harvests Victims’ Crypto Wallets
BHunt
2022-01-19 | BleepingComputer | Bill Toulas
@online{toulas:20220119:new:278c493, author = {Bill Toulas}, title = {{New BHUNT malware targets your crypto wallets and passwords}}, date = {2022-01-19}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-bhunt-malware-targets-your-crypto-wallets-and-passwords/}, language = {English}, urldate = {2022-02-19} } New BHUNT malware targets your crypto wallets and passwords
BHunt
2022-01-18 | Bitdefender | Janos Gergo Szeles
@techreport{szeles:20220118:poking:a2bd8a5, author = {Janos Gergo Szeles}, title = {{Poking Holes in Crypto-Wallets: a Short Analysis of BHUNT Stealer}}, date = {2022-01-18}, institution = {Bitdefender}, url = {https://www.bitdefender.com/files/News/CaseStudies/study/411/Bitdefender-PR-Whitepaper-CyberWallet-creat5874-en-EN.pdf}, language = {English}, urldate = {2022-02-26} } Poking Holes in Crypto-Wallets: a Short Analysis of BHUNT Stealer
BHunt
Yara Rules
[TLP:WHITE] win_bhunt_auto (20230125 | Detects win.bhunt.)
rule win_bhunt_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.bhunt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes
     * - Ten byte sequences follow ($sequence_0 .. $sequence_9). The condition
     *   requires any 7 of them, so no single sequence is load-bearing and a
     *   partial miss still produces a hit.
     * - Call/jump displacements are wildcarded (e8????????, e9????????,
     *   0115????????), so a different link address for those targets does not
     *   break the match; the disassembly column is left blank for those bytes.
     * - NOTE(review): $sequence_1, $sequence_2 and $sequence_3 disassemble to
     *   unusual instruction mixes (x87, MMX, BCD ops); they may originate from
     *   non-code bytes in the dump -- confirm before weighting a hit that
     *   rests mainly on those sequences.
     */

    strings:
        $sequence_0 = { f9 f7d9 663bd1 85fe 33d9 f5 f7c272618526 }
            // n = 7, score = 100
            //   f9                   | stc                 
            //   f7d9                 | neg                 ecx
            //   663bd1               | cmp                 dx, cx
            //   85fe                 | test                esi, edi
            //   33d9                 | xor                 ebx, ecx
            //   f5                   | cmc                 
            //   f7c272618526         | test                edx, 0x26856172

        $sequence_1 = { da5f4f 0fe0994f37ac20 d8d2 67e287 6798 91 4a }
            // n = 7, score = 100
            //   da5f4f               | ficomp              dword ptr [edi + 0x4f]
            //   0fe0994f37ac20       | pavgb               mm3, qword ptr [ecx + 0x20ac374f]
            //   d8d2                 | fcom                st(2)
            //   67e287               | loop                0xffffff8a
            //   6798                 | cwde                
            //   91                   | xchg                eax, ecx
            //   4a                   | dec                 edx

        $sequence_2 = { 96 0115???????? 27 d5d6 70c3 4c 2f }
            // n = 7, score = 100
            //   96                   | xchg                eax, esi
            //   0115????????         |                     
            //   27                   | daa                 
            //   d5d6                 | aad                 0xd6
            //   70c3                 | jo                  0xffffffc5
            //   4c                   | dec                 esp
            //   2f                   | das                 

        $sequence_3 = { fb d7 c9 d052fa b3cc 4d }
            // n = 6, score = 100
            //   fb                   | sti                 
            //   d7                   | xlatb               
            //   c9                   | leave               
            //   d052fa               | rcl                 byte ptr [edx - 6], 1
            //   b3cc                 | mov                 bl, 0xcc
            //   4d                   | dec                 ebp

        $sequence_4 = { 36668b02 3bed 81fe243c6927 f8 81c502000000 6689442500 f6d8 }
            // n = 7, score = 100
            //   36668b02             | mov                 ax, word ptr ss:[edx]
            //   3bed                 | cmp                 ebp, ebp
            //   81fe243c6927         | cmp                 esi, 0x27693c24
            //   f8                   | clc                 
            //   81c502000000         | add                 ebp, 2
            //   6689442500           | mov                 word ptr [ebp], ax
            //   f6d8                 | neg                 al

        $sequence_5 = { ff7508 33f6 57 46 e8???????? 8d85b8f7ffff 50 }
            // n = 7, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   33f6                 | xor                 esi, esi
            //   57                   | push                edi
            //   46                   | inc                 esi
            //   e8????????           |                     
            //   8d85b8f7ffff         | lea                 eax, [ebp - 0x848]
            //   50                   | push                eax

        $sequence_6 = { 51 e8???????? 5f 5e c9 c20800 55 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   55                   | push                ebp

        $sequence_7 = { ff7304 8b45fc ff30 8d7be4 e8???????? 59 59 }
            // n = 7, score = 100
            //   ff7304               | push                dword ptr [ebx + 4]
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   ff30                 | push                dword ptr [eax]
            //   8d7be4               | lea                 edi, [ebx - 0x1c]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_8 = { 80781c00 0f8589010000 8b4824 8b09 8b7d08 898d24ffffff 8b09 }
            // n = 7, score = 100
            //   80781c00             | cmp                 byte ptr [eax + 0x1c], 0
            //   0f8589010000         | jne                 0x18f
            //   8b4824               | mov                 ecx, dword ptr [eax + 0x24]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   898d24ffffff         | mov                 dword ptr [ebp - 0xdc], ecx
            //   8b09                 | mov                 ecx, dword ptr [ecx]

        $sequence_9 = { e9???????? 8d89d7252c66 81fd9f557828 f9 0fc9 8d8937064b16 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   8d89d7252c66         | lea                 ecx, [ecx + 0x662c25d7]
            //   81fd9f557828         | cmp                 ebp, 0x2878559f
            //   f9                   | stc                 
            //   0fc9                 | bswap               ecx
            //   8d8937064b16         | lea                 ecx, [ecx + 0x164b0637]

    condition:
        // Any 7 of the 10 sequences above must match; the filesize bound is in
        // bytes (~18 MiB) and excludes larger files from consideration entirely.
        7 of them and filesize < 19161088
}
[TLP:WHITE] win_bhunt_w0   (20220220 | Detects BHunt Malware Infostealer)
import "pe"

rule win_bhunt_w0 {
    // Hand-written rule (BlackBerry). Requires the "pe" module imported above
    // this rule; the condition reads pe.data_directories.
    meta:
        description = "Detects BHunt Malware Infostealer"
        author = "BlackBerry Research & Intelligence Team"
        date = "Jan 28th 2022"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_version = "20220220"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_rule_date = "20220220"
        // malpedia_hash is left empty upstream; no reference sample hash is recorded here.
        malpedia_hash = ""
        
    strings:
        // C2 -- a single hard-coded URL. Because the condition below requires
        // all three strings, a sample configured with a different C2 will not
        // match this rule; treat it as a high-precision, low-coverage signature.
        $s1 = "http://minecraftsquid.hopto.org/ifo.php" wide
        // Name of assembly in metadata
        $s2 = "BHUNT" wide
        // Outlook misspelled in reg key
        $s3 = "Outllook" wide

    condition:
        // MZ Header
        uint16(0) == 0x5a4d and
        // is a .NET binary (non-empty CLR/COM descriptor directory). On a file
        // the pe module cannot parse this expression is undefined, which YARA
        // evaluates as false, so the rule fails closed rather than erroring.
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and
        // All three strings carry the "wide" modifier, so only the two-byte
        // (UTF-16LE) form matches; plain ASCII occurrences do not count.
        all of ($s*)
}