{ "id": "d2ca3dfa-37f1-4918-9093-e9f69c202ff0", "created_at": "2026-04-06T00:15:26.105742Z", "updated_at": "2026-04-10T03:30:55.771769Z", "deleted_at": null, "sha1_hash": "8e54b13d3009d0d57826c4b2957aa86b677498b9", "title": "SQLRat (Malware Family)", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 29632, "plain_text": "SQLRat (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 15:13:07 UTC\r\nSQLRat\r\nActor(s): Anunak\r\nSQLRat campaigns typically involve a lure document that includes an image overlayed by a VB Form trigger.\r\nOnce a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files\r\nto the path %appdata%\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily. The\r\nscripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a\r\ncharacter insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the\r\nfile, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and\r\nexecute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft\r\ndatabase controlled by the attackers and execute the contents of various tables.\r\nReferences\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat" ], "report_names": [ "js.sqlrat" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434526, "ts_updated_at": 1775791855, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8e54b13d3009d0d57826c4b2957aa86b677498b9.pdf", "text": "https://archive.orkl.eu/8e54b13d3009d0d57826c4b2957aa86b677498b9.txt", "img": "https://archive.orkl.eu/8e54b13d3009d0d57826c4b2957aa86b677498b9.jpg" } }