{ "type": "URL", "indicator": "http://24.199.90.58/payload.php", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://24.199.90.58/payload.php", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4368639855, "indicator": "http://24.199.90.58/payload.php", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "6a0ce3af84b924ad15e27920", "name": "Inside Banana RAT: From Build Server to Banking Fraud", "description": "An MDR investigation successfully mapped the complete operational infrastructure of Banana RAT, a Brazilian banking trojan operated by threat cluster SHADOW-WATER-063. The investigation uncovered both server-side and client-side components, revealing a sophisticated FastAPI-based polymorphic payload generation system that produces hash-unique builds to evade detection. The malware employs layered obfuscation, AES-wrapped payloads, and fileless PowerShell execution. Once deployed, it enables operator-driven fraud through remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception specifically targeting Brazilian financial institutions. The tooling exclusively targets 16 Brazilian banks and crypto exchanges, with all operator artifacts written in Brazilian Portuguese, indicating a financially motivated actor operating within the Tetrade banking trojan ecosystem.", "modified": "2026-05-21T00:30:44.319000", "created": "2026-05-19T22:26:55.839000", "tags": [ "fastapi", "pix qr interception", "mekotio", "grandoreiro", "brazilian banking trojan", "guildma", "tetrade", "powershell", "financial fraud", "casbaneiro", "banana rat", "chavecloak", "polymorphic payload" ], "references": [ "https://www.trendmicro.com/en_us/research/26/e/banana-rat.html" ], "public": 1, "adversary": "SHADOW-WATER-063", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Banana RAT", "display_name": "Banana RAT", "target": null }, { "id": "Grandoreiro - S0531", "display_name": "Grandoreiro - S0531", "target": null }, { "id": "Mekotio", "display_name": "Mekotio", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Astaroth - S0373", "display_name": "Astaroth - S0373", "target": null }, { "id": "Guildma", "display_name": "Guildma", "target": null }, { "id": "CHAVECLOAK", "display_name": "CHAVECLOAK", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 3, "domain": 2, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e8ffd007da87e7f7f500b", "name": "Inside Banana RAT: From Build Server to Banking Fraud", "description": "", "modified": "2026-05-21T04:54:21.603000", "created": "2026-05-21T04:54:21.603000", "tags": [ "fastapi", "pix qr interception", "mekotio", "grandoreiro", "brazilian banking trojan", "guildma", "tetrade", "powershell", "financial fraud", "casbaneiro", "banana rat", "chavecloak", "polymorphic payload" ], "references": [ "https://www.trendmicro.com/en_us/research/26/e/banana-rat.html" ], "public": 1, "adversary": "SHADOW-WATER-063", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Banana RAT", "display_name": "Banana RAT", "target": null }, { "id": "Grandoreiro - S0531", "display_name": "Grandoreiro - S0531", "target": null }, { "id": "Mekotio", "display_name": "Mekotio", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Astaroth - S0373", "display_name": "Astaroth - S0373", "target": null }, { "id": "Guildma", "display_name": "Guildma", "target": null }, { "id": "CHAVECLOAK", "display_name": "CHAVECLOAK", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "6a0ce3af84b924ad15e27920", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 3, "domain": 2, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e8fc7007da87e7f7f500a", "name": "Inside Banana RAT: From Build Server to Banking Fraud", "description": "", "modified": "2026-05-21T04:53:27.750000", "created": "2026-05-21T04:53:27.750000", "tags": [ "fastapi", "pix qr interception", "mekotio", "grandoreiro", "brazilian banking trojan", "guildma", "tetrade", "powershell", "financial fraud", "casbaneiro", "banana rat", "chavecloak", "polymorphic payload" ], "references": [ "https://www.trendmicro.com/en_us/research/26/e/banana-rat.html" ], "public": 1, "adversary": "SHADOW-WATER-063", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Banana RAT", "display_name": "Banana RAT", "target": null }, { "id": "Grandoreiro - S0531", "display_name": "Grandoreiro - S0531", "target": null }, { "id": "Mekotio", "display_name": "Mekotio", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Astaroth - S0373", "display_name": "Astaroth - S0373", "target": null }, { "id": "Guildma", "display_name": "Guildma", "target": null }, { "id": "CHAVECLOAK", "display_name": "CHAVECLOAK", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "6a0ce3af84b924ad15e27920", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 3, "domain": 2, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "IOCs-MAY2.csv", "https://www.trendmicro.com/en_us/research/26/e/banana-rat.html" ], "related": { "alienvault": { "adversary": [ "SHADOW-WATER-063" ], "malware_families": [ "Chavecloak", "Casbaneiro", "Guildma", "Grandoreiro - s0531", "Banana rat", "Astaroth - s0373", "Mekotio", "Metamorfo - s0455" ], "industries": [ "Finance" ], "unique_indicators": 11 }, "other": { "adversary": [ "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "SHADOW-WATER-063" ], "malware_families": [ "Chavecloak", "Casbaneiro", "Guildma", "Grandoreiro - s0531", "Banana rat", "Astaroth - s0373", "Mekotio", "Metamorfo - s0455" ], "industries": [ "Finance" ], "unique_indicators": 946 } } }, "false_positive": [], "alexa": "", "whois": "http://whois.domaintools.com/24.199.90.58", "domain": "Unavailable", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "6a0ce3af84b924ad15e27920", "name": "Inside Banana RAT: From Build Server to Banking Fraud", "description": "An MDR investigation successfully mapped the complete operational infrastructure of Banana RAT, a Brazilian banking trojan operated by threat cluster SHADOW-WATER-063. The investigation uncovered both server-side and client-side components, revealing a sophisticated FastAPI-based polymorphic payload generation system that produces hash-unique builds to evade detection. The malware employs layered obfuscation, AES-wrapped payloads, and fileless PowerShell execution. Once deployed, it enables operator-driven fraud through remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception specifically targeting Brazilian financial institutions. The tooling exclusively targets 16 Brazilian banks and crypto exchanges, with all operator artifacts written in Brazilian Portuguese, indicating a financially motivated actor operating within the Tetrade banking trojan ecosystem.", "modified": "2026-05-21T00:30:44.319000", "created": "2026-05-19T22:26:55.839000", "tags": [ "fastapi", "pix qr interception", "mekotio", "grandoreiro", "brazilian banking trojan", "guildma", "tetrade", "powershell", "financial fraud", "casbaneiro", "banana rat", "chavecloak", "polymorphic payload" ], "references": [ "https://www.trendmicro.com/en_us/research/26/e/banana-rat.html" ], "public": 1, "adversary": "SHADOW-WATER-063", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Banana RAT", "display_name": "Banana RAT", "target": null }, { "id": "Grandoreiro - S0531", "display_name": "Grandoreiro - S0531", "target": null }, { "id": "Mekotio", "display_name": "Mekotio", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Astaroth - S0373", "display_name": "Astaroth - S0373", "target": null }, { "id": "Guildma", "display_name": "Guildma", "target": null }, { "id": "CHAVECLOAK", "display_name": "CHAVECLOAK", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 3, "domain": 2, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 386462, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e8ffd007da87e7f7f500b", "name": "Inside Banana RAT: From Build Server to Banking Fraud", "description": "", "modified": "2026-05-21T04:54:21.603000", "created": "2026-05-21T04:54:21.603000", "tags": [ "fastapi", "pix qr interception", "mekotio", "grandoreiro", "brazilian banking trojan", "guildma", "tetrade", "powershell", "financial fraud", "casbaneiro", "banana rat", "chavecloak", "polymorphic payload" ], "references": [ "https://www.trendmicro.com/en_us/research/26/e/banana-rat.html" ], "public": 1, "adversary": "SHADOW-WATER-063", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Banana RAT", "display_name": "Banana RAT", "target": null }, { "id": "Grandoreiro - S0531", "display_name": "Grandoreiro - S0531", "target": null }, { "id": "Mekotio", "display_name": "Mekotio", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Astaroth - S0373", "display_name": "Astaroth - S0373", "target": null }, { "id": "Guildma", "display_name": "Guildma", "target": null }, { "id": "CHAVECLOAK", "display_name": "CHAVECLOAK", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "6a0ce3af84b924ad15e27920", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 3, "domain": 2, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0e8fc7007da87e7f7f500a", "name": "Inside Banana RAT: From Build Server to Banking Fraud", "description": "", "modified": "2026-05-21T04:53:27.750000", "created": "2026-05-21T04:53:27.750000", "tags": [ "fastapi", "pix qr interception", "mekotio", "grandoreiro", "brazilian banking trojan", "guildma", "tetrade", "powershell", "financial fraud", "casbaneiro", "banana rat", "chavecloak", "polymorphic payload" ], "references": [ "https://www.trendmicro.com/en_us/research/26/e/banana-rat.html" ], "public": 1, "adversary": "SHADOW-WATER-063", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "Banana RAT", "display_name": "Banana RAT", "target": null }, { "id": "Grandoreiro - S0531", "display_name": "Grandoreiro - S0531", "target": null }, { "id": "Mekotio", "display_name": "Mekotio", "target": null }, { "id": "Metamorfo - S0455", "display_name": "Metamorfo - S0455", "target": null }, { "id": "Casbaneiro", "display_name": "Casbaneiro", "target": null }, { "id": "Astaroth - S0373", "display_name": "Astaroth - S0373", "target": null }, { "id": "Guildma", "display_name": "Guildma", "target": null }, { "id": "CHAVECLOAK", "display_name": "CHAVECLOAK", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" } ], "industries": [ "Finance" ], "TLP": "white", "cloned_from": "6a0ce3af84b924ad15e27920", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "IPv4": 1, "URL": 3, "domain": 2, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://24.199.90.58/payload.php", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://24.199.90.58/payload.php", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780186142.0835114 }