Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN 

Banana RAT Evolves: Comparing Two Recent Branches Through ANY.RUN 
An exposed public index on 198.245.53.26 revealed backend tooling and stage files used to compare two Banana RAT branches, showing how the operator evolved persistence, naming, and C2 while keeping the same staging host. The older branch used ETW-themed artifacts and a pseudo-Microsoft domain, while the newer branch shifted to randomized identifiers, VBS-backed persistence, and WebSocket C2 via hashed subdomains under testewin.com. #BananaRAT #testewincom #1982455326 #windowns-cdncom

Keypoints

  • The investigation began with an exposed public index on 198.245.53.26 discovered via Shodan.
  • The index exposed stage files and operational tooling, including servidor_completo_pool.py and ofuscador.py, suggesting active payload generation infrastructure.
  • The older Banana RAT branch used ETW-themed paths, static Microsoft-like filenames, and a pseudo-Microsoft C2 domain, c.windowns-cdn.com.
  • The newer branch changed to randomized installation identifiers, a VBS launcher, and hidden Scheduled Task persistence running as SYSTEM.
  • The newer payload communicated over WebSockets to a hashed testewin.com subdomain, with Cloudflare used to obscure the backend.
  • A fallback IP, 149.56.12.51, linked the newer branch back to the older infrastructure.
  • The recovered runtime payload matched the sandbox-extracted artifact by SHA256, confirming the live delivery chain.

MITRE Techniques

  • [T1059.001] Command and Scripting Interpreter: PowerShell – Used for hidden staging execution, payload loading, and memory-only invocation (‘hidden PowerShell staging execution chains’ and ‘powershell … iex(irm $po)’)
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – Used a standalone .vbs launcher to execute the payload dropped into ProgramData (‘creates a VBS launcher at C:ProgramData…c9dba5b0552d.vbs’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Created a hidden Scheduled Task that runs as SYSTEM for persistence (‘Register-ScheduledTask’ and ‘New-ScheduledTaskTrigger -AtStartup’)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Used HKCU Run key fallback when elevated privileges were not available (‘supports a fallback under HKCUSoftwareMicrosoftWindowsCurrentVersionRun’)
  • [T1027] Obfuscated Files or Information – Employed character reconstruction and backend string transformation to hide commands and artifacts (‘ofuscador.py’ and ‘multi-layered character reconstruction algorithms’)
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Placed payloads and launchers in restricted/system-themed paths and used hidden execution (‘target payload files and persistence launchers utilize system attributes’)
  • [T1140] Deobfuscate/Decode Files or Information – Used base64-decoded wrappers and .NET reflection to invoke sensitive functionality (‘base64-decoded wrappers and .NET reflection’)
  • [T1082] System Information Discovery – Extracted MachineGuid and environment data to generate host-specific identifiers (‘extracts MachineGuid and environment flags’)
  • [T1057] Process Discovery – Checked running processes against defense-related lists (‘automated verification of active processes’)
  • [T1056.001] Input Capture: Keylogging – Monitored keyboard input to capture banking credentials (‘keybd_event’ and ‘capturing active banking credentials’)
  • [T1113] Screen Capture – Used screenshot routines and overlay injection for visual monitoring (‘screenshot routines and web overlay injections’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Communicated with C2 over WebSockets (‘wss://…/agent’)

Indicators of Compromise

  • [IP address] exposed staging host and fallback infrastructure – 198.245.53.26, 149.56.12.51
  • [Domain] C2 and host-derived WebSocket infrastructure – c.windowns-cdn.com, 52facc3b24f8bad9c5c56819e385f3a1.testewin.com
  • [URL path] staging and payload delivery endpoints – /st.txt, /st.php, /payload.php, and /agent
  • [File name] dropped artifacts and loaders – Fatura-BtgPactual-22568.bat, msedgeupdate.txt, launcher.exe, c9dba5b0552d879be654.txt
  • [Script / helper file] exposed backend tooling on the public index – servidor_completo_pool.py, ofuscador.py
  • [SHA256 hash] malware samples and recovered runtime payloads – BC4C29BC0C84EA18311FBADC508F6F3A9D84B54A456E672C2AB34D6B42F56C0C, E9D918FF5F7918CFF1A3A23F3945058A66B56D6DD724066414C7E1CAB95E166D
  • [Registry key] persistence and configuration locations – HKCUSoftwareMicrosoftdc98339fa461, HKCUSoftwareMicrosoftWindowsCurrentVersionRun


Read more: https://any.run/cybersecurity-blog/banana-rat-evolution-analysis/