Follow 
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
ResokerRAT is a newly identified remote access trojan that uses the Telegram Bot API for command-and-control. It persists via a Run registry value and includes capabilities to elevate privileges, capture screenshots, block Task Manager, and weaken UAC controls. To reduce visibility, it executes PowerShell in a hidden window and attempts to terminate common analysis tools. Detection can pivot on its mutex, key registry modifications, and Telegram-based C2 activity.
Investigation
Analysis of Resoker highlights mutex creation, anti-debug logic, and aggressive process termination aimed at security and analysis utilities. The malware sets a keyboard hook, accepts a defined set of Telegram-delivered commands, and changes registry values to disable Task Manager and relax UAC behavior. Follow-on payloads can be retrieved through concealed PowerShell execution, supporting modular expansion after initial compromise.
Mitigation
Monitor for the known mutex and alert on registry changes tied to DisableTaskMgr and UAC-related keys. Restrict or block outbound access to Telegram API endpoints where feasible, and enforce application control to prevent unauthorized PowerShell execution. Host-based detections that flag keyboard-hook behavior and suspicious hidden-window PowerShell activity can further reduce impact.
Response
If detected, isolate the host, stop the malicious process, and remove the Run-key persistence entry. Preserve volatile evidence (mutex value, Telegram bot/C2 indicators, command-line telemetry) and perform a full forensic sweep for additional payloads or persistence. Revert registry changes affecting Task Manager and UAC, rotate exposed credentials if theft is suspected, and re-apply least-privilege execution policies to prevent recurrence.
"graph TB %% Class definitions classDef action fill:#ffcc99 classDef technique fill:#99ccff classDef persistence fill:#ffd699 classDef command_and_control fill:#ffdd99 %% Node definitions action_execution["<b>Action</b> – <b>T1059.001 PowerShell</b>: Execute hidden PowerShell command via Resoker.exe<br/><b>Technique</b>: Use PowerShell to run commands"] class action_execution action tech_hide_window["<b>Technique</b> – <b>T1564.003 Hidden Window</b>: Run command in hidden window to evade user visibility"] class tech_hide_window technique action_process_enum["<b>Action</b> – <b>T1057 Process Discovery</b>: Enumerate running processes and terminate analysis tools"] class action_process_enum action action_keylogging["<b>Action</b> – <b>T1056.001 Keylogging</b>: Install global lowu2011level keyboard hook to capture input"] class action_keylogging action persistence_run_key["<b>Persistence</b> – <b>T1037.005 Registry Run Keys</b>: Create HKCU Run registry entry for autou2011start"] class persistence_run_key persistence defense_disable_taskmgr["<b>Technique</b> – <b>T1562.001 Disable Task Manager</b>: Set DisableTaskMgr registry value to 1"] class defense_disable_taskmgr technique action_screen_capture["<b>Action</b> – <b>T1113 Screen Capture</b>: Capture screen via PowerShell and save PNG files"] class action_screen_capture action action_download["<b>Action</b> – <b>T1059.001 PowerShell</b> and <b>T1202 Indirect Command Execution</b>: Download additional files using hidden PowerShell commands"] class action_download action c2_telegram["<b>Command and Control</b> – <b>T1102.002 Web Service</b> and <b>T1102.003 Oneu2011way Messages</b>: Communicate with attacker via Telegram Bot API over HTTPS"] class c2_telegram command_and_control %% Connections showing attack flow action_execution –>|uses| tech_hide_window action_execution –>|triggers| action_process_enum action_process_enum –>|terminates| action_keylogging action_process_enum –>|establishes| persistence_run_key persistence_run_key –>|hardens| defense_disable_taskmgr action_process_enum –>|enables| action_screen_capture action_screen_capture –>|invokes| action_download action_download –>|exfiltrates via| c2_telegram "
Attack Flow
Detections
Possible Telegram Abuse As Command And Control Channel (via dns_query)
View
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
View
Download or Upload via Powershell (via cmdline)
View
IOCs (DestinationIP) to detect: Resoker: A Telegram Based Remote Access Trojan
View
IOCs (HashMd5) to detect: Resoker: A Telegram Based Remote Access Trojan
View
IOCs (SourceIP) to detect: Resoker: A Telegram Based Remote Access Trojan
View
Detection of ResokerRAT Execution [Windows Process Creation]
View
Detect Silent PowerShell Execution for Screen Capture [Windows Powershell]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
-
Attack Narrative & Commands:
An adversary who has obtained a foothold on a Windows workstation wishes to capture the user’s desktop without raising visual cues. He launches PowerShell with the-WindowStyle Hiddenswitch, loads the .NETSystem.Windows.FormsandSystem.Drawingassemblies, captures the primary screen using theCopyFromScreenmethod, and writes the bitmap to a temporary file. The command is crafted in a single line to ensure the full string appears in the PowerShell Script Block log, matching all four detection selectors. -
Regression Test Script:
# Silent screen capture – reproduces the detection telemetry $psCommand = @" Add-Type -AssemblyName System.Windows.Forms Add-Type -AssemblyName System.Drawing $bounds = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds $bitmap = New-Object System.Drawing.Bitmap $bounds.Width, $bounds.Height $graphics = [System.Drawing.Graphics]::FromImage($bitmap) $graphics.CopyFromScreen($bounds.Location, [System.Drawing.Point]::Empty, $bounds.Size) $output = "C:Tempscreenshot.png" $bitmap.Save($output, [System.Drawing.Imaging.ImageFormat]::Png) Write-Host "Screenshot saved to $output" "@ # Execute hidden PowerShell with the assembled command powershell -WindowStyle Hidden -Command $psCommand -
Cleanup Commands:
# Remove the screenshot and any residual objects Remove-Item -Path "C:Tempscreenshot.png" -ErrorAction SilentlyContinue