Fin7 Releases SQLRat

SQLRat is a remote access trojan (RAT) targeting Windows devices created by the advanced persistent threat group, FIN7. They has been active since at least 2015. This trojan is distributed via malicious attachments in phishing emails and can achieve a full compromise of an affected device.

The RAT is embedded within a Visual Basic script, requiring users to enable macros in order to start the infection process. Two task scheduler entries are created to maintain persistence on the infected machine.

When executed the RAT connects to a FIN7-owned Microsoft database to retrieve malicious scripts contained in various SQL tables. One of these scripts is an open source Meterpreter post-exploitation tool, which can maintain a connection between FIN7 and an infected device. This type of attack has not been seen before in Fin7 code.

Image 1: An image of a document used in a typical campaign.

An image of a document used in a typical campaign via

Further details –

Indicators of Compromise

IP Addresses

  • 31.18.219[.]133
  • 185.15.25[.]79
  • 185.117.89[.]134


  • C:\Users\<user>\AppData\Roaming\Microsoft\Templates\
  • C:\Users\<user>\AppData\Roaming\Microsoft\Templates\

SHA256 File Hashes

  • af60d8dfe30776b24823435b6e160d526ae500ce5583aee1ebbc909721d65120
  • 151a90d31f218b91053656aa61bcdbcc98d2009b31b90de76d74fb3b163bb420
  • fe8f6d366546c2e935cf01aae7233e12445f10b815b28702e739e6951475f687
  • d9ac4ef250a05ef8bd22c3227fd11df420cd663d5009b89a95466c1e0c301c1d
  • 2296e672f49cc9f8802571970a58fe86f8fafaf841fc44fe5c73e291eaa55daa
  • 5236ec183f819c5e5cbe3d7a1f8e5b3478b23cebacc5daa501f563e1971bace5
  • ee0cb9e6de83f807ccf9c3a02b384c1fb6e59f7de720f1eaf37141bf0487f5e6

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: