SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.[1]

ID: S0390
Version: 1.1
Created: 18 June 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

SQLRat has used PowerShell to create a Meterpreter session.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

SQLRat has scripts that are responsible for deobfuscating additional scripts.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

SQLRat has used been observed deleting scripts once used.[1]

Enterprise T1105 Ingress Tool Transfer

SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[1]

Enterprise T1027 Obfuscated Files or Information

SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

SQLRat has created scheduled tasks in %appdata%\Roaming\Microsoft\Templates\.[1]

Enterprise T1204 .002 User Execution: Malicious File

SQLRat relies on users clicking on an embedded image to execute the scripts.[1]

Groups That Use This Software

ID Name References
G0046 FIN7