Bee Stealer


I know, I did a boo-boo. I saw the posting of Bee Stealer (BeeStealer) on the XSS forum in the first half of May, but somehow it didn’t register in the back-end (brain), and I therefore missed including it earlier. Better late than never. Below is a copy-paste of the thread from the XSS forum, machine translated with some minor edits by me.


Technical information:

Written in C/C++ (x64, CRT is statically linked)

Almost all manipulations take place on the server, and syscalls are used almost everywhere; because of this, the stealer has a good log delivery rate.
If the stealer dies at runtime, part of the log will still arrive.

Collects

Chromium-based browsers (cc+cvv, ibans, passwords, cookies, wallets, autofills, google auth tokens) (app bound encryption bypass)
Gecko-based browsers (passwords, cookies, wallets, autofills)
Filegrabber (desktop/download/document)
Sticky notes
Filezilla
Binance app.json + browser data
Keepass/KeePassXC
System info
Screenshot
Telegram

List of chromium extensions

MetaMask, BinanceWallet, Phantom, sollet, MetaWallet, Yoroi, Nami, Flint, CardWallet, guildwallet, TronWallet, CryptoAirdrops, Bitoke, Coin89, XDefiWallet, Keplr, FreaksAxie, Oasis, Rabby, MathWallet, NiftyWallet, Guarda, EQUALWallet, BitAppWallet, iWallet, Wombat, MEW_CX, GuildWallet, Saturn Wallet, CloverWallet, LiqualityWallet, TerraStation, AuroWallet, Polymesh Wallet, ICONex, NaboxWallet, KHC, Temple, TezBox, CyanoWallet Byone, OneKey, Leaf_Wallet, BitClip, NashExtension, HyconLiteClient, unisat, Coinbase, JaxxLiberty, NeoLine, RoninWallet, EOS Authenticator,
BraveWallet_Chrome, Oxygen_Atomic, Trezor Password Manager, Trust Wallet, Exodus Web3, Opera wallet, Brave wallet

List of Firefox extensions

Metamask
Ronin
Keplr
Phantom

List of desktop wallets

Binance
Zcash
Armory
bytecoin
com.liberty.jaxx
Ethereum
atomic
Guarda
Exodus

Web panel

Everything is on my servers; it is possible to make individual proxies if you want. Access to the panel is only through Tor.
Convenient extraction of logs:

  1. No filters
  2. Download only those logs that have not been extracted before
  3. With filters (country, date [start-end], min-max cookies/colds/passwords).

Search logs in table by zip/ip/country/tag
Convenient statistics on the dashboard (number of empty logs, number of logs for a day/week/month, logs graph for a month)
Builder .exe

$300 – 1 month
$900 – 3 months
$1800 – 6 months

First contact via PM.

Rules

Crypting the build is mandatory.
All CIS keyboard layouts and countries are blocked; CIS machines will not deliver logs.