SOFTWARE
Overview 3PARA RAT 4H RAT adbupd Adups ADVSTORESHELL Agent Tesla Agent.btz Allwinner Android Overlay Malware Android/Chuli.A ANDROIDOS_ANSERVER.A AndroRAT Arp ASPXSpy Astaroth at AuditCred AutoIt backdoor Azorult Backdoor.Oldrea BACKSPACE BADCALL BADNEWS BadPatch Bandook Bankshot BBSRAT BISCUIT Bisonal BITSAdmin BLACKCOFFEE BlackEnergy BONDUPDATER BOOTRASH BrainTest Brave Prince Briba BS2005 BUBBLEWRAP Cachedump CALENDAR Calisto CallMe Cannon Carbanak Carbon Cardinal RAT Catchamas CCBkdr certutil Chaos Charger ChChes Cherry Picker China Chopper CHOPSTICK CloudDuke cmd Cobalt Strike Cobian RAT CoinTicker Comnie ComRAT CORALDECK CORESHELL CosmicDuke CozyCar Crimson CrossRAT DarkComet Daserf DDKONG DealersChoice Dendroid Denis Derusbi Dipsind DOGCALL Dok Downdelph DownPaper DressCode DroidJack dsquery DualToy Duqu DustySky Dyre Ebury Elise ELMER Emissary Emotet Empire Epic EvilGrab Exaramel Expand FakeM FALLCHILL Felismus FELIXROOT Fgdump Final1stspy FinFisher Flame FLASHFLOOD FLIPSIDE Forfiles FruitFly FTP Gazer GeminiDuke gh0st RAT GLOOXMAIL Gold Dragon Gooligan GravityRAT GreyEnergy gsecdump H1N1 Hacking Team UEFI Rootkit HALFBAKED HAMMERTOSS HAPPYWORK HARDRAIN Havij hcdLoader HDoor Helminth Hi-Zor HIDEDRV Hikit HOMEFRY HOPLIGHT HTRAN HTTPBrowser httpclient HummingBad HummingWhale Hydraq ifconfig iKitten Impacket InnaputRAT InvisiMole Invoke-PSImage ipconfig ISMInjector Ixeshe Janicab JHUHUGIT JPIN jRAT Judy KARAE Kasidet Kazuar Keydnap KEYMARBLE KeyRaider Koadic Komplex KOMPROGO KONNI Kwampirs LaZagne Linfo Linux Rabbit LockerGoga LOWBALL Lslsass Lurid MacSpy Marcher Matroyshka MazarBOT meek Micropsia Mimikatz MimiPenguin Miner-C MiniDuke MirageFox Mis-Type Misdat Mivast MobileOrder MoonWind More_eggs Mosquito MURKYTOP Naid NanHaiShu NanoCore NavRAT nbtstat NDiskMonitor Nerex Net Net Crawler NETEAGLE netsh netstat NetTraveler NETWIRE Nidiran Nltest NOKKI NotCompatible NotPetya OBAD OceanSalt Octopus OLDBAIT OldBoot Olympic Destroyer OnionDuke OopsIE Orz OSInfo OSX_OCEANLOTUS.D OwaAuth P2P ZeuS Pasam Pass-The-Hash Toolkit Pegasus for Android Pegasus for iOS PHOREAL PinchDuke Ping Pisloader PJApps PLAINTEE PlugX pngdowner PoisonIvy POORAIM PoshC2 POSHSPY Power Loader PowerDuke POWERSOURCE PowerSploit POWERSTATS POWERTON POWRUNER Prikormka Proton Proxysvc PsExec Psylo Pteranodon PUNCHBUGGY PUNCHTRACK Pupy pwdump QUADAGENT QuasarRAT RARSTONE RATANKBA RawDisk RawPOS RCSAndroid Reaver RedDrop RedLeaves Reg Regin Remcos Remexi RemoteCMD Remsec Responder RGDoor RIPTIDE ROCKBOOT RogueRobin ROKRAT route Rover RTM Ruler RuMMS RunningRAT S-Type Sakula SamSam schtasks SDelete SeaDuke Seasalt SEASHARPEE Shamoon ShiftyBug SHIPSHAPE SHOTPUT SHUTTERSPEED Skeleton Key Skygofree SLOWDRIFT Smoke Loader SNUGRIDE Socksbot SOUNDBITE SPACESHIP SpeakUp spwebmember SpyDealer SpyNote RAT sqlmap SslMM Starloader Stealth Mango StreamEx Sykipot SynAck Sys10 Systeminfo T9000 Taidoor Tangelo Tasklist TDTESS TEXTMATE TINYTYPHON TinyZBot Tor TrickBot Trojan-SMS.AndroidOS.Agent.ao Trojan-SMS.AndroidOS.FakeInst.a Trojan-SMS.AndroidOS.OpFake.a Trojan.Karagany Trojan.Mebromi Truvasys TURNEDUP Twitoor TYPEFRAME UACMe UBoatRAT Umbreon Unknown Logger UPPERCUT Uroburos USBStealer Vasport VERMIN Volgmer WannaCry WEBC2 Wiarp Windows Credential Editor WINDSHIELD WINERACK Winexe Wingbird WinMM Winnti Wiper WireLurker X-Agent for Android XAgentOSX Xbash Xbot xCmd XcodeGhost XLoader XTunnel YiSpecter yty Zebrocy ZergHelper Zeroaccess ZeroT Zeus Panda ZLib zwShell
  1. Home
  2. Software
  3. Bankshot

Bankshot

Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, Lazarus Group used the Bankshot implant in attacks against the Turkish financial sector. [1]

ID: S0239
Associated Software: Trojan Manuscript

Type: MALWARE
Platforms: Windows

Version: 1.0

Associated Software Descriptions

NameDescription
Trojan Manuscript[1]

Techniques Used

DomainIDNameUse
EnterpriseT1134Access Token ManipulationBankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.[1]
EnterpriseT1087Account DiscoveryBankshot gathers domain and account names/information through process monitoring.[1]
EnterpriseT1119Automated CollectionBankshot recursively generates a list of files within a directory and sends them back to the control server.[1]
EnterpriseT1059Command-Line InterfaceBankshot uses the command-line interface to execute arbitrary commands.[1][2]
EnterpriseT1132Data EncodingBankshot encodes commands from the control server using a range of characters and gzip.[1]
EnterpriseT1005Data from Local SystemBankshot collects files from the local system.[1]
EnterpriseT1001Data ObfuscationBankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.[2]
EnterpriseT1140Deobfuscate/Decode Files or InformationBankshot decodes embedded XOR strings.[2]
EnterpriseT1106Execution through APIBankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().[1]
EnterpriseT1041Exfiltration Over Command and Control ChannelBankshot exfiltrates data over its C2 channel.[1]
EnterpriseT1203Exploitation for Client ExecutionBankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ machines.[1]
EnterpriseT1083File and Directory DiscoveryBankshot searches for files on the victim's machine.[2]
EnterpriseT1107File DeletionBankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.[1]
EnterpriseT1070Indicator Removal on HostBankshot delets all artifacts associated with the malware from the infected machine.[2]
EnterpriseT1031Modify Existing ServiceBankshot can terminate a specific process by its process id.[1][2]
EnterpriseT1112Modify RegistryBankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.[2]
EnterpriseT1057Process DiscoveryBankshot identifies processes and collects the process ids.[1]
EnterpriseT1012Query RegistryBankshot searches for certain Registry keys to be configured before executing the payload.[2]
EnterpriseT1105Remote File CopyBankshot uploads files and secondary payloads to the victim's machine.[2]
EnterpriseT1071Standard Application Layer ProtocolBankshot uses HTTP for command and control communication.[1]
EnterpriseT1082System Information DiscoveryBankshot gathers system information, network addresses, disk type, disk free space, and the operation system version.[1][2]
EnterpriseT1099TimestompBankshot modifies the time of a file as specified by the control server.[1]
EnterpriseT1065Uncommonly Used PortBankshot binds and listens on port 1058.[2]

Groups

Groups that use this software:

Lazarus Group

References

  1. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  1. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.