File name: telegramgroupscraper.com_Setup.exe

Full analysis: https://app.any.run/tasks/8b7e3cca-60cf-4f32-a717-ef271cbc7f44
Verdict: Malicious activity
Analysis date: December 06, 2022, 01:25:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9BFE06B6D19F1AB32CE9CEA7C38F455E
SHA1: 39A32C1BE053DDA7A8E2BB38D9F4CF601A213D74
SHA256: 3E2C7630BC24CE949233704478E4E49B8EE48416AAA29EE2F9F16137F1FD837C
SSDEEP: 98304:cSi6ve4zOknJ2rBiy/w61r2M1drHGZCR+DidXvh6d204OOR5qHW:vve4FnGBiYt5nrHGsegJ6M8YY2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • telegramgroupscraper.com_Setup.tmp (PID: 548)
    • Application was dropped or rewritten from another process

      • telegramgroupscraper.com.exe (PID: 3360)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • telegramgroupscraper.com_Setup.tmp (PID: 548)
    • Reads the Windows owner or organization settings

      • telegramgroupscraper.com_Setup.tmp (PID: 548)
    • Changes default file association

      • telegramgroupscraper.com_Setup.tmp (PID: 548)
    • Reads the Internet Settings

      • telegramgroupscraper.com.exe (PID: 3360)
  • INFO

    • Reads the computer name

      • telegramgroupscraper.com_Setup.tmp (PID: 548)
      • telegramgroupscraper.com.exe (PID: 3360)
    • Checks supported languages

      • telegramgroupscraper.com_Setup.exe (PID: 856)
      • telegramgroupscraper.com_Setup.tmp (PID: 548)
      • telegramgroupscraper.com.exe (PID: 3360)
    • Application was dropped or rewritten from another process

      • telegramgroupscraper.com_Setup.tmp (PID: 548)
    • Drops a file that was compiled in debug mode

      • telegramgroupscraper.com_Setup.tmp (PID: 548)
    • Application launched itself

      • iexplore.exe (PID: 3808)
    • Creates a software uninstall entry

      • telegramgroupscraper.com_Setup.tmp (PID: 548)
    • Manual execution by a user

      • explorer.exe (PID: 3316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (51.8)
.exe | InstallShield setup (20.3)
.exe | Win32 EXE PECompact compressed (generic) (19.6)
.dll | Win32 Dynamic Link Library (generic) (3.1)
.exe | Win32 Executable (generic) (2.1)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2020-Nov-15 09:48:30
Detected languages:
  • Dutch - Netherlands
  • English - United States
Comments: This installation was built with Inno Setup.
CompanyName: telegramgroupscraper.com
FileDescription: telegramgroupscraper.com Setup
FileVersion: -
LegalCopyright: -
OriginalFileName: -
ProductName: telegramgroupscraper.com
ProductVersion: telegramgroupscraper.com

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 10
TimeDateStamp: 2020-Nov-15 09:48:30
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 734748 | 735232 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.35606
.itext | 741376 | 5768 | 6144 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.97275
.data | 749568 | 14244 | 14336 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.0444
.bss | 765952 | 28136 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.idata | 794624 | 3894 | 4096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.8987
.didata | 798720 | 420 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.75636
.edata | 802816 | 154 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.87222
.tls | 806912 | 24 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.rdata | 811008 | 93 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.38389
.rsrc | 815104 | 18432 | 18432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.42143

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.25755 | 296 | UNKNOWN | Dutch - Netherlands | RT_ICON
2 | 3.47151 | 1384 | UNKNOWN | Dutch - Netherlands | RT_ICON
3 | 3.91708 | 744 | UNKNOWN | Dutch - Netherlands | RT_ICON
4 | 3.91366 | 2216 | UNKNOWN | Dutch - Netherlands | RT_ICON
4086 | 3.16547 | 864 | UNKNOWN | UNKNOWN | RT_STRING
4087 | 3.40938 | 608 | UNKNOWN | UNKNOWN | RT_STRING
4088 | 3.31153 | 1116 | UNKNOWN | UNKNOWN | RT_STRING
4089 | 3.33977 | 1036 | UNKNOWN | UNKNOWN | RT_STRING
4090 | 3.36723 | 724 | UNKNOWN | UNKNOWN | RT_STRING
4091 | 3.33978 | 184 | UNKNOWN | UNKNOWN | RT_STRING

Imports

advapi32.dll
comctl32.dll
kernel32.dll
kernel32.dll (delay-loaded)
netapi32.dll
oleaut32.dll
user32.dll
version.dll

Exports

Title | Ordinal | Address
dbkFCallWrapperAddr | 1 | 779836
__dbk_fcall_wrapper | 2 | 53408
TMethodImplementationIntercept | 3 | 344160
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph: telegramgroupscraper.com_setup.exe (no specs), telegramgroupscraper.com_setup.tmp, telegramgroupscraper.com.exe (no specs), iexplore.exe, iexplore.exe, explorer.exe (no specs)

Process information

PID: 856
CMD: "C:\Users\admin\AppData\Local\Temp\telegramgroupscraper.com_Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\telegramgroupscraper.com_Setup.exe
Parent process: Explorer.EXE
User: admin
Company: telegramgroupscraper.com
Integrity Level: MEDIUM
Description: telegramgroupscraper.com Setup
Version: -
Modules (images):
  • c:\users\admin\appdata\local\temp\telegramgroupscraper.com_setup.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID: 548
CMD: "C:\Users\admin\AppData\Local\Temp\is-HNIQI.tmp\telegramgroupscraper.com_Setup.tmp" /SL5="$50198,3328045,780800,C:\Users\admin\AppData\Local\Temp\telegramgroupscraper.com_Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-HNIQI.tmp\telegramgroupscraper.com_Setup.tmp
Parent process: telegramgroupscraper.com_Setup.exe
User: admin
Company: telegramgroupscraper.com
Integrity Level: MEDIUM
Description: Setup/Uninstall
Version: 51.1052.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\is-hniqi.tmp\telegramgroupscraper.com_setup.tmp
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\mpr.dll
  • c:\windows\system32\comdlg32.dll
  • c:\windows\system32\shlwapi.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
PID: 3360
CMD: "C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\telegramgroupscraper.com.exe"
Path: C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\telegramgroupscraper.com.exe
Parent process: telegramgroupscraper.com_Setup.tmp
User: admin
Integrity Level: MEDIUM
Description: telegramgroupscraper.com
Exit code: 2148734720
Version: 1.0.0.0
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\users\admin\appdata\local\programs\telegramgroupscraper.com\telegramgroupscraper.com.exe
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3808
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.7.2&processName=telegramgroupscraper.com.exe&platform=0000&osver=5&isServer=0&shimver=4.0.30319.34209
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: telegramgroupscraper.com.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\iertutil.dll
PID: 2668
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3808 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
PID: 3316
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\explorer.exe
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
Total events: 11 952
Read events: 11 823
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 41
Suspicious files: 12
Text files: 33
Unknown types: 12

Dropped files

PID | Process | Filename | Type
548 | telegramgroupscraper.com_Setup.tmp | C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\is-PBRRG.tmp | executable
MD5: B0C0EFD2A6799663CF62A96E4F6ED5ED
SHA256: 8691B0E5D8A1089DC98D01DD09DAA248A48F9240B9530AE761EB9C46284E10CE
548 | telegramgroupscraper.com_Setup.tmp | C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\telegramgroupscraper.com.exe | executable
MD5: B0C0EFD2A6799663CF62A96E4F6ED5ED
SHA256: 8691B0E5D8A1089DC98D01DD09DAA248A48F9240B9530AE761EB9C46284E10CE
548 | telegramgroupscraper.com_Setup.tmp | C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\unins000.exe | executable
MD5: C02C99AEC880AA9EA63F6CAEEAB7442E
SHA256: 4E503F1577B0F8D471F98AC4181431A9AE8F1A40D9F013C18820201766E00568
856 | telegramgroupscraper.com_Setup.exe | C:\Users\admin\AppData\Local\Temp\is-HNIQI.tmp\telegramgroupscraper.com_Setup.tmp | executable
MD5: 37ACF61A0E756724AC44FFCADAFE03B6
SHA256: 5B21E1C62D880DF39A5CDC0FCE3FF8F3251D830D86B184C21C8385C2183F47AF
548 | telegramgroupscraper.com_Setup.tmp | C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\is-JT5KK.tmp | executable
MD5: C02C99AEC880AA9EA63F6CAEEAB7442E
SHA256: 4E503F1577B0F8D471F98AC4181431A9AE8F1A40D9F013C18820201766E00568
548 | telegramgroupscraper.com_Setup.tmp | C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\MaterialDesignColors.dll | executable
MD5: 0B3FA388485AC78EF83D1221BA6693B7
SHA256: 9FA38197EED5CA1FAC2D056FCFD2767A74648BC836725D255477B251567BADB6
548 | telegramgroupscraper.com_Setup.tmp | C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\is-2TD5N.tmp | executable
MD5: 0B3FA388485AC78EF83D1221BA6693B7
SHA256: 9FA38197EED5CA1FAC2D056FCFD2767A74648BC836725D255477B251567BADB6
548 | telegramgroupscraper.com_Setup.tmp | C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\is-0S1LI.tmp | binary
MD5: 027432065A3C483883BEFB13F8F162FB
SHA256: AB8143C0C0876BC285F208B85BDE0E2C5C54343B1139BD25B570B3D6B52912CF
548 | telegramgroupscraper.com_Setup.tmp | C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\IndexRange.dll | executable
MD5: 2402C4F4AF67AC863292AE95FE40BFF4
SHA256: AAAE75E3FAA1FCCF0DE0B33B1A4EF6FE2DABB0F3B05E046CCE31ECACD49CB6E9
548 | telegramgroupscraper.com_Setup.tmp | C:\Users\admin\AppData\Local\Programs\telegramgroupscraper.com\HtmlAgilityPack.pdb | pdb
MD5: 9002EF1EDC7ED8BA88CCF58AFD89CA69
SHA256: 5EC04202765C637FAFD7BF443A1BB486A289E17130567E34402203252A5C076C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 15
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2668 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted
3808 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
2668 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?18d8ceee3bd64f70 | US | compressed | 4.70 Kb | whitelisted
2668 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?09d5eccd6ad25f4d | US | compressed | 4.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2668 | iexplore.exe | 96.16.143.41:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
2668 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
3808 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2668 | iexplore.exe | 13.107.246.45:443 | dotnet.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious
3808 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
2668 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted

DNS requests

Domain | IP | Reputation
go.microsoft.com | 96.16.143.41 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
dotnet.microsoft.com | 13.107.246.45, 13.107.213.45 | whitelisted

Threats

No threats detected
No debug info