win.bhunt

BHunt


BHunt collects the crypto wallets of its victims. The malware consists of several functions/modules, e.g. a reporting module that reports the presence of crypto wallets on the target computer to the C2 server. It searches for many different cryptocurrency wallets (e.g. Atomic, Bitcoin, Electrum, Ethereum, Exodus, Jaxx and Litecoin). The Blackjack module is used to steal wallets, while Sweet_Bonanza steals the victims' browser passwords. There are also further modules, such as Golden7 and Chaos_crew.

References
2022-02-10 | Blackberry | The BlackBerry Research & Intelligence Team
Threat Thursday: BHunt Scavenger Harvests Victims’ Crypto Wallets
BHunt
2022-01-19 | BleepingComputer | Bill Toulas
New BHUNT malware targets your crypto wallets and passwords
BHunt
2022-01-18 | Bitdefender | Janos Gergo Szeles
Poking Holes in Crypto-Wallets: a Short Analysis of BHUNT Stealer
BHunt
Yara Rules
[TLP:WHITE] win_bhunt_auto (20230808 | Detects win.bhunt.)
rule win_bhunt_auto {
    // Autogenerated code-sequence signature for win.bhunt (YARA-Signator).
    // Ten short x86 opcode patterns ($sequence_0..$sequence_9) were lifted
    // from memory dumps / unpacked files; see the DISCLAIMER below before
    // assigning this rule a confidence level.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.bhunt."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a raw byte pattern; the disassembly in the comments
    // is informational only. `????` wildcards replace operands (e.g. the
    // rel32 displacement after an e8 call opcode, or absolute moffs32
    // addresses) that would otherwise change between builds/relocations.
    // "n" is the number of instructions, "score" the generator's weight.
    strings:
        $sequence_0 = { feca f8 d0c2 f5 f8 32da 80ffd4 }
            // n = 7, score = 100
            //   feca                 | dec                 dl
            //   f8                   | clc                 
            //   d0c2                 | rol                 dl, 1
            //   f5                   | cmc                 
            //   f8                   | clc                 
            //   32da                 | xor                 bl, dl
            //   80ffd4               | cmp                 bh, 0xd4

        $sequence_1 = { 85c0 751a 8b442410 50 8bd5 8bc3 e8???????? }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   751a                 | jne                 0x1c
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   50                   | push                eax
            //   8bd5                 | mov                 edx, ebp
            //   8bc3                 | mov                 eax, ebx
            //   e8????????           |                     

        $sequence_2 = { 8902 660fbcc0 8b07 8dbf04000000 663bcf 66f7c4ab75 33c3 }
            // n = 7, score = 100
            //   8902                 | mov                 dword ptr [edx], eax
            //   660fbcc0             | bsf                 ax, ax
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8dbf04000000         | lea                 edi, [edi + 4]
            //   663bcf               | cmp                 cx, di
            //   66f7c4ab75           | test                sp, 0x75ab
            //   33c3                 | xor                 eax, ebx

        $sequence_3 = { bbff000000 8bc3 8d7c2414 66c784241e1200000800 e8???????? 59 8d8600120000 }
            // n = 7, score = 100
            //   bbff000000           | mov                 ebx, 0xff
            //   8bc3                 | mov                 eax, ebx
            //   8d7c2414             | lea                 edi, [esp + 0x14]
            //   66c784241e1200000800     | mov    word ptr [esp + 0x121e], 8
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8d8600120000         | lea                 eax, [esi + 0x1200]

        $sequence_4 = { 0fb7c2 8b55f0 03450c 2bd1 0fb74dfc }
            // n = 5, score = 100
            //   0fb7c2               | movzx               eax, dx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   03450c               | add                 eax, dword ptr [ebp + 0xc]
            //   2bd1                 | sub                 edx, ecx
            //   0fb74dfc             | movzx               ecx, word ptr [ebp - 4]

        $sequence_5 = { ff7304 c645d405 56 e8???????? ff7304 ff36 e8???????? }
            // n = 7, score = 100
            //   ff7304               | push                dword ptr [ebx + 4]
            //   c645d405             | mov                 byte ptr [ebp - 0x2c], 5
            //   56                   | push                esi
            //   e8????????           |                     
            //   ff7304               | push                dword ptr [ebx + 4]
            //   ff36                 | push                dword ptr [esi]
            //   e8????????           |                     

        $sequence_6 = { 83a530ffffff00 c7852cffffff01000000 ffb530ffffff ffb52cffffff 52 ffb544ffffff e8???????? }
            // n = 7, score = 100
            //   83a530ffffff00       | and                 dword ptr [ebp - 0xd0], 0
            //   c7852cffffff01000000     | mov    dword ptr [ebp - 0xd4], 1
            //   ffb530ffffff         | push                dword ptr [ebp - 0xd0]
            //   ffb52cffffff         | push                dword ptr [ebp - 0xd4]
            //   52                   | push                edx
            //   ffb544ffffff         | push                dword ptr [ebp - 0xbc]
            //   e8????????           |                     

        // NOTE(review): $sequence_7..$sequence_9 disassemble to implausible
        // instruction streams (in/out, lds, lahf, pushfd/popfd), so they
        // probably cover data, packed or encrypted bytes rather than code that
        // actually executes. They still work as opaque byte signatures, but
        // expect them to be the least stable across builds — confirm against
        // additional samples before relying on them.
        $sequence_7 = { 5f 9c 04f8 26ed c59818579fa0 5f e7e6 }
            // n = 7, score = 100
            //   5f                   | pop                 edi
            //   9c                   | pushfd              
            //   04f8                 | add                 al, 0xf8
            //   26ed                 | in                  eax, dx
            //   c59818579fa0         | lds                 ebx, ptr [eax - 0x5f60a8e8]
            //   5f                   | pop                 edi
            //   e7e6                 | out                 0xe6, eax

        $sequence_8 = { 52 3a21 a7 a2???????? 50 9d 03890023b0b3 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   3a21                 | cmp                 ah, byte ptr [ecx]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   a2????????           |                     
            //   50                   | push                eax
            //   9d                   | popfd               
            //   03890023b0b3         | add                 ecx, dword ptr [ecx - 0x4c4fdd00]

        $sequence_9 = { ac 2a7279 bfae9603f7 6c a3???????? 9f 97 }
            // n = 7, score = 100
            //   ac                   | lodsb               al, byte ptr [esi]
            //   2a7279               | sub                 dh, byte ptr [edx + 0x79]
            //   bfae9603f7           | mov                 edi, 0xf70396ae
            //   6c                   | insb                byte ptr es:[edi], dx
            //   a3????????           |                     
            //   9f                   | lahf                
            //   97                   | xchg                eax, edi

    // Any 7 of the 10 sequences must be present; the filesize cap
    // (19161088 bytes, roughly 18.3 MiB) bounds scan cost and skips oversized
    // files. No PE/.NET structure check is made, so this also fires on raw
    // memory dumps and unpacked payloads.
    condition:
        7 of them and filesize < 19161088
}
[TLP:WHITE] win_bhunt_w0 (20220220 | Detects BHunt Malware Infostealer)
import "pe"

rule win_bhunt_w0 {
    meta:
        description = "Detects BHunt Malware Infostealer"
        author = "BlackBerry Research & Intelligence Team"
        date = "Jan 28th 2022"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bhunt"
        malpedia_version = "20220220"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        malpedia_rule_date = "20220220"
        malpedia_hash = ""
        
    // All three strings are matched in their UTF-16LE form (`wide`), which is
    // how a .NET assembly stores its string literals; ASCII occurrences of the
    // same text are deliberately not matched.
    strings:
        // C2 URL hard-coded in the sample. hopto.org is a dynamic-DNS zone, so
        // this string pins the rule to the sample set seen in Jan 2022 and will
        // not follow an operator who re-registers a different hostname.
        $s1 = "http://minecraftsquid.hopto.org/ifo.php" wide
        // Assembly name recorded in the .NET metadata (per the original authors)
        $s2 = "BHUNT" wide
        // "Outlook" misspelled in a registry key name used by the malware
        $s3 = "Outllook" wide

    // Require a PE with a CLR header (i.e. a .NET binary) that contains every
    // one of the three markers above.
    condition:
        // "MZ" DOS signature, read big-endian
        uint16be(0) == 0x4d5a and
        // a non-empty COM descriptor directory marks a .NET binary
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and
        $s1 and $s2 and $s3
}