{
	"id": "8933a383-a6f9-45d1-9f20-91dfc861ac21",
	"created_at": "2026-04-06T00:09:18.926936Z",
	"updated_at": "2026-04-10T03:21:47.8206Z",
	"deleted_at": null,
	"sha1_hash": "b50af33e1473fc2138419316e5909f51d3be2a46",
	"title": "Banatrix – an indepth look",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 128780,
	"plain_text": "Banatrix – an indepth look\nArchived: 2026-04-05 21:15:44 UTC\nOf all of the Polish malware families that we have seen last year, Banatrix seems to be the most technologically advanced one. This malware was used to replace the bank account number in the browser memory; however, its implementation allowed an attacker to execute arbitrary code on the victim’s machine. This was used to extract passwords saved in the Mozilla Firefox browser. In this article we discuss the Banatrix C\u0026C infrastructure and its use of the TOR network both to hide the attacker’s identity and to make the botnet takedown a challenge.\nWhat does Banatrix do to the infected machine?\nAs we described in our previous article, Banatrix was used to replace the victim’s bank account number in the browser memory. However, its architecture allows for a lot more. The general concept behind this malware is presented in the picture below.\nFirst stage: unpacking and persistence\nUpon the first run the malware drops two files: an XOR-encrypted DLL and an exe file. These files are created in the %AppData% directory (which is C:\\Users\\All Users on Windows XP and C:\\ProgramData on Windows Vista and newer).\nhttps://www.cert.pl/en/news/single/banatrix-an-indepth-look/\nPage 1 of 4\n\nThe encrypted DLL is saved either as .sys or as .windows.sys. The exe file (named wms.exe or wmc.exe) is added to the system as a Scheduled Task. The library file is decrypted and loaded into the process memory. It is then encrypted again, using a different, random key, and saved with that key to the same file. This results in a different file every time the malware runs.\nSecond stage: network communication\nThe library, decrypted and loaded into the process memory, is responsible for communication with the C\u0026C proxy. This includes downloading additional malicious code that is run on the infected machine. The first step in this communication is sending the RSA-encrypted machine configuration details, like the computer and user name, OS version or language. The new version of Banatrix uses a TOR proxy server to communicate with the real C\u0026C. This is done using a custom proxy protocol. The malware contacts the hardcoded domain in one of the several TLDs, where the attacker set up a TOR proxy server. It then sends the .onion domain (along with some other data) to this proxy server and the server connects with that domain. This real C\u0026C then sends an XOR-encrypted library, which is run on the infected machine. This library is again loaded into the process memory and the exported function called init is run. This, of course, allows the attacker to execute any code on the infected machine. This is also how the updates are delivered.\nThe newest Banatrix version contains a DGA – an algorithm responsible for the creation of domain names. However, it is somewhat different from the DGA in other malware families. Banatrix has a list of domains in 25 different TLDs. Every one of these domains is then used to create 4 different domain names and perform DNS queries on each one. However, only the fourth (last) domain will be used as a proxy C\u0026C server – all others are simply there to confuse researchers. Part of the decompiled DGA is presented in the screenshot below.\nThird stage: code execution\nThe downloaded library, as we have mentioned previously, iterates over all of the processes in search of the browser process. It then searches the process memory for the bank account number and replaces it with the hardcoded one. However, we have also observed that some of the victims received another library – one that had a function to get the user passwords saved in the Mozilla Firefox browser and send them to the dropzone server. This proves that the malware architecture allows the flexibility to execute any arbitrary code.\nSummary\nBanatrix remains a serious threat for Polish Internet users. This claim is backed up by our sinkhole data – a little over 5,000 different IPs are trying to connect with the C\u0026C server every day. It seems that the malware is also under heavy development and new features are added every couple of weeks.\nThe SHA256 fingerprint of the analyzed sample is: 7c4d4e98601b2ae11c4a27299ded2a15e635b317ef32f48f683da016ca77c1c9. It has a pretty high detection rate on VirusTotal, as you can see below.\nSource: https://www.cert.pl/en/news/single/banatrix-an-indepth-look/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cert.pl/en/news/single/banatrix-an-indepth-look/"
	],
	"report_names": [
		"banatrix-an-indepth-look"
	],
	"threat_actors": [],
	"ts_created_at": 1775434158,
	"ts_updated_at": 1775791307,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b50af33e1473fc2138419316e5909f51d3be2a46.pdf",
		"text": "https://archive.orkl.eu/b50af33e1473fc2138419316e5909f51d3be2a46.txt",
		"img": "https://archive.orkl.eu/b50af33e1473fc2138419316e5909f51d3be2a46.jpg"
	}
}