Banana RAT is a Windows remote access trojan and banking malware associated with Brazilian banking fraud and tracked in some reporting under the threat cluster SHADOW-WATER-063. It is delivered through Brazilian invoice-themed lures, especially fake NF-e (Nota Fiscal Eletronica) documents, including malicious batch files such as Consultar_NF-e.bat and Fatura-BtgPactual-22568.bat distributed via phishing links or WhatsApp. The infection chain uses hidden PowerShell staging to retrieve additional components such as st.txt, st.php, payload.php, and msedge.txt, with payloads described as AES-256 encrypted, decrypted in memory, and generated polymorphically to produce byte-unique variants. Reported staging and infrastructure include 198[.]245[.]53[.]26, 24[.]199[.]90[.]58, c.windowns-cdn.com, c.windowsk-cdn.com, windowsk-cdn[.]com, testewin.com, cdn.testewin.com, and fallback IPs including 149[.]56[.]12[.]51 and 162.141.111[.]227. Observed persistence includes hidden scheduled tasks, including SYSTEM-level scheduled tasks in newer variants, and fallback Run key persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Newer branches used randomized installation folders and filenames, a VBS launcher written under ProgramData, and encrypted WebSocket C2 over host-derived subdomains based on MD5(MachineGuid).testewin.com; older branches used fixed Microsoft-themed filenames and ETW-themed paths together with pseudo-Microsoft C2 domains. Across reporting, Banana RAT is described as a full-featured banking-oriented RAT capable of stealing banking credentials, interfering with payment transactions, keylogging, screen and session monitoring, screen capture or streaming, remote input control, file transfer and enumeration, system and process discovery, and banking-overlay or Pix QR-code manipulation for fraud. It is reported to target Brazilian financial activity, including banking sessions, Pix-related transactions, major Brazilian banks, and localized cryptocurrency exchanges. High-confidence file and artifact indicators mentioned in the content include Consultar_NF-e.bat, Fatura-BtgPactual-22568.bat, st.txt, st.php, payload.php, msedge.txt, MicrosoftEdgeUpdateCore.exe, c9dba5b0552d.vbs, st.php.malw, and payload_new.php.malw.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A newly discovered banking trojan is targeting Brazilians by disguising itself as a legitimate electronic invoice. The malware, known as Banana RAT, uses fake NF-e (Nota Fiscal Eletronica) documents to trick victims into running malicious batch files that quietly install a powerful remote access tool on their Windows systems.
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence relied on a scheduled task tied to a named executable... the newer version... shifts to a VBS launcher paired with a hidden scheduled task running with system-level privileges.
ANY.RUN behavior showed: hidden PowerShell execution, base64-encoded PowerShell, task-scheduler-backed execution
ofuscador.py, which took plain PowerShell commands and rewrote them into a scrambled character sequence reassembled and run at execution time.
Sitting alongside it was a second script, ofuscador.py, which took plain PowerShell commands and rewrote them into a scrambled character sequence reassembled and run at execution time.
The earlier version... relied on fixed file names and folder paths designed to look like legitimate Windows update components. It used a lookalike domain with a spelling error...
Capability Assessment Based on payload content, sandbox behavior, and prior branch context, this branch supports: ... System and process discovery
It streams the victim’s screen live to the operator, logs every keystroke, injects fake banking overlays...
The malware connects back to its command-and-control server on port 443 using a custom binary protocol encrypted with AES-256-CBC.
Communication with attacker servers happens over an encrypted WebSocket channel, using an address built from a hashed identifier unique to each infected computer...
36 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Banana RAT is a remote access trojan associated with Brazilian banking fraud. It targets financial activity by stealing banking credentials and interfering with payment transactions, and in this campaign it used exposed backend infrastructure to generate and obfuscate fresh payload variants on demand for evasion.
A banking-oriented remote access payload used to target Brazilian financial activity. The article describes two evolving branches with hidden PowerShell staging, persistence via Scheduled Task and Run key fallback, WebSocket C2, screen and session monitoring, remote input capability, system and process discovery, file transfer and enumeration, key input tracking, screen capture/overlay workflows, and runtime C# compilation.
A fully featured banking-oriented remote access payload targeting Brazilian financial activity. The article describes capabilities including hidden PowerShell staging, scheduled task and Run key persistence, WebSocket C2, screen and session monitoring, remote input, system and process discovery, file transfer, keylogging, screen capture, and runtime C# compilation.
Mentioned only as related guide content for a Brazilian banking trojan tied to Pix fraud.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.