S0390 SQLRat

SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.[1]

| Item | Value |
|---|---|
| ID | S0390 |
| Associated Names | |
| Version | 1.2 |
| Created | 18 June 2019 |
| Last Modified | 22 March 2023 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | SQLRat has used PowerShell to create a Meterpreter session.[1] |
| enterprise | T1059.003 | Windows Command Shell | SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | SQLRat has scripts that are responsible for deobfuscating additional scripts.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | SQLRat has been observed deleting scripts once used.[1] |
| enterprise | T1105 | Ingress Tool Transfer | SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.010 | Command Obfuscation | SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | SQLRat has created scheduled tasks in %appdata%\Roaming\Microsoft\Templates\.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | SQLRat relies on users clicking on an embedded image to execute the scripts.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0046 | FIN7 | [1] |