win.bhunt

BHunt


BHunt collects the crypto wallets of its victims. The malware consists of several functions/modules, e.g. a reporting module that reports the presence of crypto wallets on the target computer to the C2 server. It searches for many different cryptocurrency wallets (e.g. Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin). The Blackjack module is used to steal wallets, while Sweet_Bonanza steals the victims' browser passwords. There are also further modules, such as Golden7 and Chaos_crew.

References
2022-02-10BlackberryThe BlackBerry Research & Intelligence Team
Threat Thursday: BHunt Scavenger Harvests Victims’ Crypto Wallets
BHunt
2022-01-19BleepingComputerBill Toulas
New BHUNT malware targets your crypto wallets and passwords
BHunt
2022-01-18BitdefenderJanos Gergo Szeles
Poking Holes in Crypto-Wallets: a Short Analysis of BHUNT Stealer
BHunt
Yara Rules
[TLP:WHITE] win_bhunt_auto (20260504 | Detects win.bhunt.)
rule win_bhunt_auto {

    // Autogenerated code-sequence signature for win.bhunt (yara-signator).
    // Each $sequence_N is a short run of x86 instruction bytes taken from the
    // disassembly of a documented sample; call/jmp/push targets (e8/e9/68) are
    // wildcarded with ???????? so that relocation and address differences do
    // not defeat the match. Treat hits as "code reuse with the analysed
    // sample", not as a behavioural detection.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.bhunt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Sequences 0, 1, 2, 4, 7 and 8 read as ordinary compiler output
        // (stack argument setup, calls, local-variable stores); these carry
        // most of the detection value.
        $sequence_0 = { 59 eb0a 68???????? e8???????? 59 8b742430 ff442418 }
            // n = 7, score = 100
            //   59                   | pop                 ecx
            //   eb0a                 | jmp                 0xc
            //   68????????           |                     
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8b742430             | mov                 esi, dword ptr [esp + 0x30]
            //   ff442418             | inc                 dword ptr [esp + 0x18]

        $sequence_1 = { 50 81c768030000 57 e8???????? c745f001000000 83c40c 8b7dfc }
            // n = 7, score = 100
            //   50                   | push                eax
            //   81c768030000         | add                 edi, 0x368
            //   57                   | push                edi
            //   e8????????           |                     
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   83c40c               | add                 esp, 0xc
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]

        $sequence_2 = { ff73f4 8bc6 ff30 e8???????? 59 59 8b43e4 }
            // n = 7, score = 100
            //   ff73f4               | push                dword ptr [ebx - 0xc]
            //   8bc6                 | mov                 eax, esi
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8b43e4               | mov                 eax, dword ptr [ebx - 0x1c]

        // NOTE(review): the disassembly below (arpl, dec/inc register runs)
        // looks more like data or mis-aligned bytes than intended code —
        // TODO confirm; such sequences tend to generalise poorly across
        // samples, which is why the condition tolerates a few misses.
        $sequence_3 = { 63e2 4d 0fbfd8 50 6641 ffc5 4c }
            // n = 7, score = 100
            //   63e2                 | arpl                dx, sp
            //   4d                   | dec                 ebp
            //   0fbfd8               | movsx               ebx, ax
            //   50                   | push                eax
            //   6641                 | inc                 cx
            //   ffc5                 | inc                 ebp
            //   4c                   | dec                 esp

        $sequence_4 = { 8945c8 8b4308 8945cc 68???????? eb0c 68???????? eb05 }
            // n = 7, score = 100
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax
            //   8b4308               | mov                 eax, dword ptr [ebx + 8]
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   68????????           |                     
            //   eb0c                 | jmp                 0xe
            //   68????????           |                     
            //   eb05                 | jmp                 7

        // NOTE(review): popfd / cdq / mov ah mix — same caveat as $sequence_3.
        $sequence_5 = { 57 9d 43 b4a2 99 0bdd 4b }
            // n = 7, score = 100
            //   57                   | push                edi
            //   9d                   | popfd               
            //   43                   | inc                 ebx
            //   b4a2                 | mov                 ah, 0xa2
            //   99                   | cdq                 
            //   0bdd                 | or                  ebx, ebp
            //   4b                   | dec                 ebx

        // NOTE(review): xor/sub with a fixed 32-bit constant framed by stc/clc
        // reads like a decoding or unpacking loop — TODO confirm; if so, this
        // is a useful anchor as long as the constant is stable between builds.
        $sequence_6 = { 81ef04000000 8b07 33c3 f9 f8 2d1f6f2761 f9 }
            // n = 7, score = 100
            //   81ef04000000         | sub                 edi, 4
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   33c3                 | xor                 eax, ebx
            //   f9                   | stc                 
            //   f8                   | clc                 
            //   2d1f6f2761           | sub                 eax, 0x61276f1f
            //   f9                   | stc                 

        $sequence_7 = { ff7304 ff75fc e8???????? e9???????? 8b7dfc e8???????? 85c0 }
            // n = 7, score = 100
            //   ff7304               | push                dword ptr [ebx + 4]
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   e9????????           |                     
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        $sequence_8 = { ff73e4 eb0f 0fb643b4 50 ff73e4 6a00 }
            // n = 6, score = 100
            //   ff73e4               | push                dword ptr [ebx - 0x1c]
            //   eb0f                 | jmp                 0x11
            //   0fb643b4             | movzx               eax, byte ptr [ebx - 0x4c]
            //   50                   | push                eax
            //   ff73e4               | push                dword ptr [ebx - 0x1c]
            //   6a00                 | push                0

        // NOTE(review): es:-prefixed adc, fadd, cmpsb and aas in one run is
        // characteristic of non-code bytes — same caveat as $sequence_3.
        $sequence_9 = { 8b86f3c0ac70 26100a d804d4 f8 a6 3f 13f1 }
            // n = 7, score = 100
            //   8b86f3c0ac70         | mov                 eax, dword ptr [esi + 0x70acc0f3]
            //   26100a               | adc                 byte ptr es:[edx], cl
            //   d804d4               | fadd                dword ptr [esp + edx*8]
            //   f8                   | clc                 
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]
            //   3f                   | aas                 
            //   13f1                 | adc                 esi, ecx

    condition:
        // Any 7 of the 10 sequences must be present (up to 3 misses allowed),
        // and the scanned object must be smaller than 19161088 bytes; the
        // size bound caps where the rule applies rather than adding evidence.
        7 of them and filesize < 19161088
}
[TLP:WHITE] win_bhunt_w0   (20220220 | Detects BHunt Malware Infostealer)
import "pe"

rule win_bhunt_w0 {
    // Hand-written BlackBerry rule for the BHunt infostealer: three
    // UTF-16LE ("wide") string artefacts that must all be present, gated on
    // the file being a PE image that carries a .NET COM descriptor.
    // Requires the "pe" module (imported at the top of the file).
    meta:
        description = "Detects BHunt Malware Infostealer"
        author = "BlackBerry Research & Intelligence Team"
        date = "Jan 28th 2022"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_version = "20220220"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_rule_date = "20220220"
        // Empty: no reference sample hash is attached to this rule entry.
        malpedia_hash = ""
        
    strings:
        // C2 — a literal reporting URL; this is the most specific but also the
        // most brittle of the three strings, since a hit depends on the
        // operator keeping the same hostname and path.
        $s1 = "http://minecraftsquid.hopto.org/ifo.php" wide
        // Name of assembly in metadata
        $s2 = "BHUNT" wide
        // Outlook misspelled in reg key — a typo artefact of the sample, which
        // is unlikely to occur in legitimate software.
        $s3 = "Outllook" wide

    condition:
        // MZ Header (little-endian "MZ" at offset 0)
        uint16(0) == 0x5a4d and
        // is a .NET binary: the COM descriptor data directory is only
        // populated for managed (CLR) images
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and
        // all three $s strings must match, each in UTF-16LE as declared
        all of ($s*)
}