SQLRat (Malware Family)
By Fraunhofer FKIE
Archived: 2026-04-05 15:13:07 UTC

SQLRat
Actor(s): Anunak

SQLRat campaigns typically involve a lure document that includes an image overlaid by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\Roaming\Microsoft\Templates\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.

There is no Yara-Signature yet.

Source: https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat
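
Detection logic for the staging behaviour described above, as an added example that is not part of the Malpedia entry: it correlates file writes into the Templates directory with two or more daily scheduled tasks on the same host. The event schema, host names, task names and task actions are constructed for illustration, and matching task actions against the Templates path is an assumption.

```python
from collections import defaultdict

TEMPLATES_DIR = "\\microsoft\\templates\\"   # staging path named in the entry
KNOWN_FILE = "mspromo.dot"                   # main script name from the entry

# Constructed events in a simplified, hypothetical schema (not a real log format).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "file_create",
     "path": r"C:\Users\a\AppData\Roaming\Microsoft\Templates\mspromo.dot"},
    {"host": "ws-01", "type": "task_create", "name": "constructed-task-1", "trigger": "daily",
     "action": r"wscript.exe C:\Users\a\AppData\Roaming\Microsoft\Templates\constructed-1.txt"},
    {"host": "ws-01", "type": "task_create", "name": "constructed-task-2", "trigger": "daily",
     "action": r"wscript.exe C:\Users\a\AppData\Roaming\Microsoft\Templates\constructed-2.txt"},
    # Benign look-alike: Word saving its default template, one unrelated daily task.
    {"host": "ws-02", "type": "file_create",
     "path": r"C:\Users\b\AppData\Roaming\Microsoft\Templates\Normal.dotm"},
    {"host": "ws-02", "type": "task_create", "name": "constructed-updater", "trigger": "daily",
     "action": r"C:\Program Files\Vendor\update.exe"},
]

def find_staging(events, min_tasks=2):
    """Return hosts with a Templates file write plus >= min_tasks daily tasks
    whose action points into the Templates directory (assumed correlation)."""
    files, tasks = defaultdict(set), defaultdict(list)
    for ev in events:
        if ev["type"] == "file_create" and TEMPLATES_DIR in ev["path"].lower():
            files[ev["host"]].add(ev["path"].rsplit("\\", 1)[-1].lower())
        elif (ev["type"] == "task_create" and ev.get("trigger") == "daily"
              and TEMPLATES_DIR in ev["action"].lower()):
            tasks[ev["host"]].append(ev["name"])
    findings = {}
    for host, names in tasks.items():
        if len(names) >= min_tasks and files.get(host):
            findings[host] = {
                "tasks": sorted(names),
                "files": sorted(files[host]),
                "known_file": KNOWN_FILE in files[host],
            }
    return findings

if __name__ == "__main__":
    for host, detail in find_staging(SAMPLE_EVENTS).items():
        print(host, detail)
```
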