Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud

    Date: 05/19/2026

    Severity: High 

    Summary

    An investigation team mapped the full operational model of the "Banana RAT" banking trojan. Attributed to the threat cluster SHADOW-WATER-063, the malware targets Brazilian financial institutions. The managed detection and response (MDR) team reconstructed the entire attack chain by correlating server-side tooling with client payloads. Delivery involves polymorphic payload generation, staged deployment, and fileless PowerShell execution. The trojan uses layered obfuscation and AES-wrapped payloads to evade endpoint detection. Once active, it enables remote input control, keylogging, screen streaming, and Pix QR code fraud.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://24.199.90.58:80/
    http://24.199.90.58:80/payload.php
    http://24.199.90.58:80/st.txt
    c.windowsk-cdn.com

    IP Address:

    162.141.111.227

    SHA-256 Hashes:

    ecdc8fade561a75d68235859ad8b1fe131db2c458b4894268e38e90ecab1c47f
    38dfeb772afbd01c04eddda120d283acfb1147a6dc3d54ac62fe23ad06e39d8f
    4912b1134e69ade7266e8508eec33ccb2d80ad693f1dbc4f1f4344c6dfcf2ff1
    d7545b6dacebdae27effb3c778c5e349027ec789c76ae4f777bd9ba56a70cdaa

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 (URL and domain indicators):

    domainname like "http://24.199.90.58:80/" or url like "http://24.199.90.58:80/" or siteurl like "http://24.199.90.58:80/" or domainname like "http://24.199.90.58:80/st.txt" or url like "http://24.199.90.58:80/st.txt" or siteurl like "http://24.199.90.58:80/st.txt" or domainname like "c.windowsk-cdn.com" or url like "c.windowsk-cdn.com" or siteurl like "c.windowsk-cdn.com" or domainname like "http://24.199.90.58:80/payload.php" or url like "http://24.199.90.58:80/payload.php" or siteurl like "http://24.199.90.58:80/payload.php"

    Detection Query 2 (IP indicator, either direction):

    dstipaddress IN ("162.141.111.227") or srcipaddress IN ("162.141.111.227")

    Detection Query 3 (file hash indicators):

    sha256hash IN ("38dfeb772afbd01c04eddda120d283acfb1147a6dc3d54ac62fe23ad06e39d8f","ecdc8fade561a75d68235859ad8b1fe131db2c458b4894268e38e90ecab1c47f","4912b1134e69ade7266e8508eec33ccb2d80ad693f1dbc4f1f4344c6dfcf2ff1","d7545b6dacebdae27effb3c778c5e349027ec789c76ae4f777bd9ba56a70cdaa")
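    The three TDIR queries above compare raw field values, so a URL indicator only fires when the logged URL carries the same scheme, the explicit ":80" port and the same path. The following added example (not from the advisory, and not Gurucul query language) applies the same IOCs to constructed proxy and EDR records after normalising them: URLs are reduced to their hostname, hashes are compared case-insensitively, and the IP is checked in both directions. Field names mirror the query fields above; the sample records are constructed for illustration.

```python
from urllib.parse import urlsplit

# IOCs exactly as listed in the advisory above.
IOC_HOSTS = {"24.199.90.58", "c.windowsk-cdn.com"}
IOC_IPS = {"162.141.111.227"}
IOC_SHA256 = {
    "ecdc8fade561a75d68235859ad8b1fe131db2c458b4894268e38e90ecab1c47f",
    "38dfeb772afbd01c04eddda120d283acfb1147a6dc3d54ac62fe23ad06e39d8f",
    "4912b1134e69ade7266e8508eec33ccb2d80ad693f1dbc4f1f4344c6dfcf2ff1",
    "d7545b6dacebdae27effb3c778c5e349027ec789c76ae4f777bd9ba56a70cdaa",
}

def host_of(url: str) -> str:
    """Lowercase hostname of a URL or bare host, ignoring scheme, port and path."""
    if "://" not in url:
        url = "//" + url          # let urlsplit treat a bare host as the netloc
    return (urlsplit(url).hostname or "").lower()

def match_record(rec: dict) -> list[str]:
    """Return the IOC categories that one normalised record matches."""
    hits = []
    for field in ("domainname", "url", "siteurl"):   # same fields as Query 1
        h = host_of(rec[field]) if rec.get(field) else ""
        if h in IOC_HOSTS:
            hits.append("host:" + h)
            break
    if rec.get("dstipaddress") in IOC_IPS or rec.get("srcipaddress") in IOC_IPS:
        hits.append("ip")                            # Query 2, either direction
    if (rec.get("sha256hash") or "").lower() in IOC_SHA256:
        hits.append("sha256")                        # Query 3, case-insensitive
    return hits

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"url": "http://24.199.90.58/payload.php"},      # same host, port omitted
    {"domainname": "C.WINDOWSK-CDN.COM"},             # case differs from IOC
    {"srcipaddress": "10.0.0.5", "dstipaddress": "162.141.111.227"},
    {"sha256hash": "ECDC8FADE561A75D68235859AD8B1FE131DB2C458B4894268E38E90ECAB1C47F"},
    {"url": "https://example.com/", "sha256hash": "00" * 32},  # benign
]

def scan(records):
    """(index, hits) for every record that matches at least one IOC."""
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r))]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS):
        print(idx, hits)
```

    The first two sample records would be missed by a literal `like` comparison against the full URL strings in Query 1; normalising to the hostname keeps the match while leaving the benign record untouched.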

    Reference:

    https://www.trendmicro.com/en_us/research/26/e/banana-rat.html


    Tags

    Malware, RAT, Trojan, Brazil, Financial Services, Keylogger
