How To Create A Telegram-RAT (Remote Access Trojan) 2020


There are a lot of hidden channels and bots with all kinds of illegal and pirated content.

In this tutorial we are going to learn how Telegram can be built into a Remote Access Toolkit (RAT) that is undetectable by antivirus.

So, you can download one from GitHub or somewhere else and try to use an IM client as a RAT.

Almost all of these projects are written in Python, so anyone can compile the Python code into an .exe using tools like PyInstaller or something similar.

In the end you get — BOOM! — an executable RAT tool which is undetectable by antivirus!
Cool, huh?

Here are some capabilities of mvrozanti/RAT-via-Telegram for instance:

arp - display arp table
capture_pc - screenshot PC
cmd_exec - execute shell command
cp - copy files
cd - change current directory
delete - delete a file/folder
download - download file from target
decode_all - decode ALL encoded local files
dns - display DNS Cache
encode_all - encode ALL local files
freeze_keyboard - enable keyboard freeze
unfreeze_keyboard - disable keyboard freeze
get_chrome - Get Google Chrome's login/passwords
hear - record microphone
ip_info - via ipinfo.io
keylogs - get keylogs
ls - list contents of current or specified directory
msg_box - display message box with text
mv - move files
pc_info - PC information
ping - makes sure target is up
play - plays a youtube video
proxy - opens a proxy server
pwd - show current directory
python_exec - interpret python
reboot - reboot computer
run - run a file
schedule - schedule a command to run at specific time
self_destruct - destroy all traces
shutdown - shutdown computer
tasklist - display services and processes running
to - select targets by its name
update - update executable
wallpaper - change wallpaper

An attacker can customize the RAT (change the icon, add a certificate, etc.), then compile it and send it as a phishing email attachment. What’s next? Anything!

Search for files (even on network drives), execute apps and scripts, upload and download documents, receive keylogs, and so on — anything!

Of course — the attacker needs the infected workstation to have Internet access. But I think that’s not a big deal, for a number of reasons.

HERE WE GO!

1. Modern malware is mostly created for long-term exploitation of IT infrastructure, so try to find persistence points. The common way is to check the autorun keys:

In this screenshot you can see an application with an Adobe icon but a non-standard name and location — check it on VirusTotal or a similar service if you find something like this.

By the way — these are the results of checking the Telegram-based RAT executable. As you can see, only a minor part of the engines detected it as suspicious.

2. Since something strange was found in the autorun entries, the next obvious step is to check the process list. Well, here we’ve found the Adobe-like process with an active network session:

OK, let’s check this IP address… And — BOOM! — it’s a Telegram IP.

3. How do we find out how this process behaves? Try Process Monitor!

For a more readable view, don’t forget to filter by process and by filesystem operations:

You can see many different operations on files and folders, and some filenames give us important information about the process’s functions (win32clipboard.pyd).

Moreover, we noticed that the active process creates a number of temporary Python files — we can use this knowledge later in the investigation.

4. For instance, two ways to find out the date the RAT was first started:

Check the process’s network usage statistics from SRUM using NetworkUsageView.
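As an added illustration of the triage steps above (this is example code written for this page, not code from the original post or from the RAT project), the snippet below applies the same three checks to constructed process records: a vendor-looking name running from outside the standard program directories, an active session to a Telegram address range, and Python runtime artifacts such as bundled .pyd modules or a PyInstaller temp directory. The Telegram ranges are assumed from Telegram's published CIDR list and should be verified against it; the sample records and PIDs are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: a subset of Telegram's published ranges; verify against
# https://core.telegram.org/resources/cidr.txt before relying on them.
TELEGRAM_NETS = [ipaddress.ip_network(n) for n in
                 ("149.154.160.0/20", "91.108.4.0/22", "91.108.56.0/22")]
VENDOR_WORDS = ("adobe", "microsoft", "google")
VENDOR_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

@dataclass
class ProcessRecord:          # one row from the process list / Process Monitor view
    pid: int
    name: str
    image_path: str
    remote_ips: list          # remote addresses of its active network sessions
    open_files: list          # file paths seen in the filesystem-operation filter

def triage(proc):
    """Return the reasons this process matches the RAT pattern described above."""
    findings = []
    path = proc.image_path.lower()
    # Steps 1-2: vendor-looking name running from outside the standard dirs
    if any(w in proc.name.lower() for w in VENDOR_WORDS) and not path.startswith(VENDOR_DIRS):
        findings.append(f"vendor-like name outside standard dirs: {proc.image_path}")
    # Step 2: active session to an address inside a Telegram range
    for ip in proc.remote_ips:
        if any(ipaddress.ip_address(ip) in net for net in TELEGRAM_NETS):
            findings.append(f"network session to Telegram range: {ip}")
    # Step 3: bundled .pyd modules or a PyInstaller-style _MEI* temp directory
    for f in proc.open_files:
        if f.lower().endswith(".pyd") or "\\_mei" in f.lower():
            findings.append(f"python runtime artifact: {f}")
            break
    return findings

def suspicious(records):
    """Map PID -> findings for every record that triggered at least one check."""
    return {r.pid: hits for r in records if (hits := triage(r))}

# Constructed sample: one look-alike in AppData, one genuine Reader install.
SAMPLE = [
    ProcessRecord(4120, "AdobeUpdater.exe",
                  r"C:\Users\alice\AppData\Roaming\AdobeUpdater.exe",
                  ["149.154.167.220"],
                  [r"C:\Users\alice\AppData\Local\Temp\_MEI31402\win32clipboard.pyd"]),
    ProcessRecord(5280, "AcroRd32.exe",
                  r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
                  ["203.0.113.10"], []),
]
```

Feed it real rows (for example from the process list and the Process Monitor filter shown above) and only the records that trip at least one check come back, each with the reasons.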

Hope you will like my tutorial, fellas :slight_smile:


That was dope… :cowboy_hat_face:
