
SQLRat

SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.[1]

ID: S0390
Type: MALWARE
Version: 1.2
Created: 18 June 2019
Last Modified: 22 March 2023

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | SQLRat has used PowerShell to create a Meterpreter session.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | SQLRat has scripts that are responsible for deobfuscating additional scripts.[1]
Enterprise | T1070.004 | Indicator Removal: File Deletion | SQLRat has been observed deleting scripts once they have been used.[1]
Enterprise | T1105 | Ingress Tool Transfer | SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[1]
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.[1]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | SQLRat has created scheduled tasks in %appdata%\Roaming\Microsoft\Templates\.[1]
Enterprise | T1204.002 | User Execution: Malicious File | SQLRat relies on users clicking on an embedded image to execute the scripts.[1]

Groups That Use This Software

ID | Name | References
G0046 | FIN7 | [1]

References