Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: Vollgar (active)

First seen in Guardicore Centra: 2018-05-05

Last seen in Guardicore Centra: 2020-08-03

Vollgar is a long-running attack campaign which aims to infect Windows machines running MS-SQL servers. The campaign, dating back to May 2018, uses password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multifunctional RATs (Remote Access Tools) and cryptominers.


Indicators of Compromise

Associated Files

Path | Hash (SHA-256) | Size
--- | --- | ---
C:\ProgramData\SQLAGENTSCE.exe, C:\Windows\Temp\SQLAGENTSNK.exe | ab4700bcc92e718ccdb1176b498034c184e681e8797eed46fe23be5eed825d98 | 88.00 KB
C:\ProgramData\taskmgzr.exe, C:\taskmgzr.exe, C:\Windows\Help\csrss.exe | 979e8800d489518978e1eae9d045efb97f286a5ca2f0f6d50c73bb6366a2e048 | 11.00 KB
C:\ProgramData\SQLAGENTSON.exe | 39c5c03c909883473ec532f05f5dff3cd07a2db02f087aac85daf4196f965192 | 100.00 KB
C:\ProgramData\SQLAGENTSIN.exe | 044a727510f6672e400b015dedc88cda8ccdfd6c965a18c95c231a12bf6cc162 | 97.50 KB
C:\ProgramData\SQLAGENTVDC.exe | bd24bbcdde84d231d5b7124fc1289385c6a70af4dbc611ccccf69c1891b7ff1a | 99.00 KB
C:\ProgramData\SQLAGENTSCK.exe | d6f97797d5ec307ddc7608614626942074e1460d83daea105984e3a1bb02dd44 | 87.00 KB
C:\ProgramData\SQLAGENTSIW.exe, C:\Windows\Temp\SQLAGENTSI.exe | 2203841f4c47d6fbca1fe98ef5ccc0db5d9f356948116b8924d37863d5ee0a67 | 98.00 KB
C:\ProgramData\SQLAGENTVDB.exe | 1335bfb876a8e9bcb1b1b6a0fa350093dd919da32761b36b2b9736e4bbba70c0 | 105.50 KB
C:\ProgramData\SQLAGENTVDW.exe | 8edb95e6909502310eadb24273f7ff2ad42133f21ec4d4cfb8144d66192875df | 101.50 KB
C:\Program Files (x86)\Microsoft SQL Server\sqlbrowserse.exe | 7a6446b3990483b0fbb2978d1ace1d9fb650c543e338dcd3ed2b82fc2516be80 | 111.50 KB
C:\hexSQLAGENTSOK.exe, C:\Windows\System32\hexSQLAGENTSOK.exe | 8ebd193c4d24b4bd443e4c001d02fc5a730d3760a83263a6f621da65fc72b76f | 86.50 KB
c:\program files (x86)\microsoft sql servers\nsisvcs.exe, C:\Program Files (x86)\Microsoft SQL Servers\nsisvcs.exe | 8c5541a7bc4158152b6f3a9016fc11f1df3a6f305d088d2a977a089451d04c78 | 38.38 MB
C:\ProgramData\SQLAGENTSVZ.exe, C:\Windows\System32\SQLAGENTSVZ.exe | 202d77288b7be094c9a7402dabf6e820692635c3fd0af1a5a446009a43967c98 | 86.50 KB
C:\Program Files (x86)\Microsoft SQL Server\SQLIOSIMSD.exe | 154aa589f2314ffade35c4108fe26a9d972c0614a35de058ff6d57750822882f | 91.36 MB
C:\hexXmrServer.exe, C:\Windows\System32\hexXmrServer.exe | 4694dd8a06e9b146dcac7f55d80109142d4e605cd3d29071e13f591b91be0bb1 | 48.16 KB

Attack Flow

Breached Services: MSSQL

Tags: Create MsSql Procedure, Persistency – Logon, User Added to Group, MSSQL, Successful MSSQL Login, User Password Changed, MSSQL Brute Force, User Created, NetBIOS, File Operation By CMD, Access Suspicious Domain, Execute MsSql Shell Command, DNS Query, Persistency – Image Hijack, CMD

Incident Summary

A user logged in using MSSQL with the following username: sa – Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)
Tags: Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following username: sa – Authentication policy: Previously Approved User (Part of a Brute Force Attempt)
Tags: Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: sa / ****** – Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 3 times
Tags: Successful MSSQL Login, MSSQL Brute Force

MSSQL procedures were created: sp_addextendedproc and sp_dropextendedproc
Tags: Create MsSql Procedure

MSSQL executed 138 shell commands
Tags: Execute MsSql Shell Command

Process c:\windows\system32\wscript.exe attempted to access suspicious domains: g.nxxxn.ga 2 times
Tags: DNS Query, Access Suspicious Domain

c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line taskkill.exe to run using Persistency – Image Hijack 50 times
Tags: Persistency – Image Hijack, Persistency – Logon

Password for user Guest was changed to: ********** 2 times
Tags: User Password Changed

User Guest was added to groups: Administrators
Tags: User Added to Group

User IUER_SERVER was created with the password ********** and added to groups: Administrators 4 times
Tags: User Added to Group, User Password Changed, User Created

A user logged in using MSSQL with the following username: sa – Authentication policy: Previously Approved User (Part of a Brute Force Attempt)
Tags: Successful MSSQL Login, MSSQL Brute Force

c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line C:\RECYCLER\SQLAGENTIFC.exe to run using Persistency – Logon 2 times
Tags: Persistency – Image Hijack, Persistency – Logon

Connection was closed due to timeout