Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	1
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	1
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	1
Bankshot - S0239 (1f6e3702-7ca1-4582-b2e7-4591297d05a8)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	1
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	2
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2