Katz Stealer Threat Analysis

May 27, 2025, 7:50 a.m.

Description

Katz Stealer is a sophisticated credential-stealing malware-as-a-service that targets multiple browsers, cryptocurrency wallets, and communication platforms. It employs advanced evasion techniques like geofencing, VM detection, and process hollowing. The infection chain involves obfuscated JavaScript, PowerShell scripts, and .NET payloads. Key features include browser credential theft, crypto wallet exfiltration, and Discord process hijacking. The malware also gathers system information, captures screenshots, and monitors clipboards. Detection opportunities include network traffic analysis, file system monitoring, and process behavior analysis. The analysis provides YARA and Sigma rules for detection, along with a comprehensive list of IOCs.

Date

  • Created: May 26, 2025, 11:17 p.m.
  • Published: May 26, 2025, 11:17 p.m.
  • Modified: May 27, 2025, 7:50 a.m.

Indicators
