Skip to content

Hide Navigation Hide TOC

Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)

Cluster A Galaxy A Cluster B Galaxy B Level
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 1
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 1
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8) Malware 1
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc) Attack Pattern Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern 2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2