The sub-techniques beta is now live! Read the release blog post for more info.


SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.[1]

ID: S0390
Version: 1.0
Created: 18 June 2019
Last Modified: 30 June 2019

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

SQLRat has scripts that are responsible for deobfuscating additional scripts.[1]

Enterprise T1107 File Deletion

SQLRat has used been observed deleting scripts once used. [1]

Enterprise T1027 Obfuscated Files or Information

SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.[1]

Enterprise T1086 PowerShell

SQLRat has used PowerShell to create a Meterpreter session.[1]

Enterprise T1105 Remote File Copy

SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk. [1]

Enterprise T1053 Scheduled Task

SQLRat has created scheduled tasks in %appdata%\Roaming\Microsoft\Templates\.[1]

Enterprise T1064 Scripting

SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[1]

Enterprise T1204 User Execution

SQLRat relies on users clicking on an embedded image to execute the scripts.[1]

Groups That Use This Software

ID Name References
G0046 FIN7 [1]