File name:

tsetup-x64.5.4.0.exe

Full analysis: https://app.any.run/tasks/125c149e-a1ad-45a3-8a72-16486e0a4142
Verdict: Malicious activity
Threats:

Stealers are a category of malware designed to gain unauthorized access to a user's information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: August 25, 2024, 21:40:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

45177991CB1978D5CB3C06461AE8BE12

SHA1:

C2AA0581C86EAE32CC3D7DA720BF5E7B6E019E0E

SHA256:

B9C5F836DCBEF426B53B882FA4CD0CBEBD9C43F1734FC20B5001AB9823B8A318

SSDEEP:

393216:pozVaHvDnuGKXVbu6UXczxYiJL7DlHlWI/eDVi8oFQFa:K5kuFY1wVJX5ui8oFQFa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • Telegram.exe (PID: 1656)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • tsetup-x64.5.4.0.exe (PID: 2136)
      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Executable content was dropped or overwritten

      • tsetup-x64.5.4.0.exe (PID: 2136)
      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Reads the Windows owner or organization settings

      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Process drops legitimate windows executable

      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Reads the date of Windows installation

      • Telegram.exe (PID: 1656)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Telegram.exe (PID: 1656)
  • INFO

    • Checks supported languages

      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • tsetup-x64.5.4.0.exe (PID: 2136)
      • Telegram.exe (PID: 1656)
    • Reads the computer name

      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • Telegram.exe (PID: 1656)
    • Create files in a temporary directory

      • tsetup-x64.5.4.0.tmp (PID: 6572)
      • tsetup-x64.5.4.0.exe (PID: 2136)
      • Telegram.exe (PID: 1656)
    • Creates a software uninstall entry

      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Creates files or folders in the user directory

      • Telegram.exe (PID: 1656)
      • tsetup-x64.5.4.0.tmp (PID: 6572)
    • Reads the machine GUID from the registry

      • Telegram.exe (PID: 1656)
    • Checks proxy server information

      • Telegram.exe (PID: 1656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 16:10:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 71680
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 5.4.0.0
ProductVersionNumber: 5.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Telegram FZ-LLC
FileDescription: Telegram Desktop Setup
FileVersion: 5.4.0
LegalCopyright: Telegram FZ-LLC 2014-2024
OriginalFileName:
ProductName: Telegram Desktop
ProductVersion: 5.4
No data.
All screenshots are available in the full report
Total processes
120
Monitored processes
3
Malicious processes
3
Suspicious processes
0

Behavior graph

Process chain: tsetup-x64.5.4.0.exe -> tsetup-x64.5.4.0.tmp -> telegram.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1656
CMD: "C:\Users\admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
Path: C:\Users\admin\AppData\Roaming\Telegram Desktop\Telegram.exe
Parent process: tsetup-x64.5.4.0.tmp
User:
admin
Company:
Telegram FZ-LLC
Integrity Level:
MEDIUM
Description:
Telegram Desktop
Version:
5.4.0.0
Modules
Images
c:\users\admin\appdata\roaming\telegram desktop\telegram.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 2136
CMD: "C:\Users\admin\Desktop\tsetup-x64.5.4.0.exe"
Path: C:\Users\admin\Desktop\tsetup-x64.5.4.0.exe
Parent process: explorer.exe
User:
admin
Company:
Telegram FZ-LLC
Integrity Level:
MEDIUM
Description:
Telegram Desktop Setup
Exit code:
0
Version:
5.4.0
Modules
Images
c:\users\admin\desktop\tsetup-x64.5.4.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 6572
CMD: "C:\Users\admin\AppData\Local\Temp\is-3O2L7.tmp\tsetup-x64.5.4.0.tmp" /SL5="$603C8,44821718,814592,C:\Users\admin\Desktop\tsetup-x64.5.4.0.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-3O2L7.tmp\tsetup-x64.5.4.0.tmp
Parent process: tsetup-x64.5.4.0.exe
User:
admin
Company:
Telegram FZ-LLC
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-3o2l7.tmp\tsetup-x64.5.4.0.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
Total events
9 780
Read events
9 737
Write events
37
Delete events
6

Modification events

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: AC190000017A657B37F7DA01

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 44CDF2E60FDA966B0F8F4EC0DFD9B155F4CE0A37372C6B85F184447AC089B2EE

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Users\admin\AppData\Roaming\Telegram Desktop\Telegram.exe

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 457FD9BAAA8477B129007B5501335868C765D231E7C2213EFB2E77C782C7F047

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.2.1

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Roaming\Telegram Desktop

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Roaming\Telegram Desktop\

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Telegram Desktop

(PID) Process: (6572) tsetup-x64.5.4.0.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1
Operation: write
Name: Inno Setup: User
Value: admin
Executable files
8
Suspicious files
72
Text files
7
Unknown types
0

Dropped files

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\is-ICLK2.tmp
Type:
MD5:
SHA256:

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\Telegram.exe
Type:
MD5:
SHA256:

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\Updater.exe
Type: executable
MD5: F061D9FA563D2BAD5058655F8CE8951A
SHA256: 44870CF5ADB12108744B0AA5A535CE0F469B8E4509428C1D515829237EEB8808

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll
Type: executable
MD5: A7349236212B0E5CEC2978F2CFA49A1A
SHA256: A05D04A270F68C8C6D6EA2D23BEBF8CD1D5453B26B5442FA54965F90F1C62082

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\is-D4M4C.tmp
Type: executable
MD5: A7349236212B0E5CEC2978F2CFA49A1A
SHA256: A05D04A270F68C8C6D6EA2D23BEBF8CD1D5453B26B5442FA54965F90F1C62082

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\is-SBJ1O.tmp
Type: executable
MD5: F061D9FA563D2BAD5058655F8CE8951A
SHA256: 44870CF5ADB12108744B0AA5A535CE0F469B8E4509428C1D515829237EEB8808

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\unins000.exe
Type: executable
MD5: 7BF93D8A0F6378E86596F8990D73AF73
SHA256: 44029F87CE4A37F2A6D42A8BED5A214BA5248C52D27F8B12F28671943114A7E8

PID: 2136
Process: tsetup-x64.5.4.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-3O2L7.tmp\tsetup-x64.5.4.0.tmp
Type: executable
MD5: 7BF93D8A0F6378E86596F8990D73AF73
SHA256: 44029F87CE4A37F2A6D42A8BED5A214BA5248C52D27F8B12F28671943114A7E8

PID: 6572
Process: tsetup-x64.5.4.0.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-195VH.tmp\_isetup\_setup64.tmp
Type: executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95

PID: 1656
Process: Telegram.exe
Filename: C:\Users\admin\AppData\Roaming\Telegram Desktop\tdata\shortcuts-custom.json
Type: text
MD5: 874B930B4C2FDDC8043F59113C044A14
SHA256: F4F666F4B831E84710983B0E9E905E87342B669F61109FD693688D89C12309D8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
170
TCP/UDP connections
108
DNS requests
13
Threats
140

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1656
Telegram.exe
POST
200
95.161.76.100:80
http://95.161.76.100:80/api
unknown
unknown
1656
Telegram.exe
POST
200
149.154.167.51:80
http://149.154.167.51:80/api
unknown
unknown
GET
1.0.0.1:443
https://mozilla.cloudflare-dns.com/dns-query?name=apv3.stel.com&type=16&random_padding=2xB3D3paWBVBLZiO8Cwe1s7t6D1bLKeKVpnqCGrNhmDPHy0bb8xbKRprV3RNJtJc6ioeEEHuSeOLOTytz1eUBnAV6fBB5YrC6TeG5vQdv4ATB4fPre7dDg8nNcOOR
unknown
GET
149.154.167.99:443
https://td.telegram.org/tx64/tx64upd5004001
unknown
1656
Telegram.exe
POST
149.154.167.51:80
http://149.154.167.51:80/api
unknown
unknown
1656
Telegram.exe
POST
149.154.175.100:80
http://149.154.175.100:80/api
unknown
unknown
1656
Telegram.exe
POST
200
149.154.167.51:80
http://149.154.167.51:80/api
unknown
unknown
1656
Telegram.exe
POST
149.154.175.100:80
http://149.154.175.100:80/api
unknown
unknown
1656
Telegram.exe
POST
149.154.167.51:80
http://149.154.167.51:80/api
unknown
unknown
1656
Telegram.exe
POST
95.161.76.100:80
http://95.161.76.100:80/api
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:137
whitelisted
3540
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1656
Telegram.exe
149.154.167.51:443
Telegram Messenger Inc
GB
unknown
1656
Telegram.exe
95.161.76.100:443
Telegram Messenger Inc
AG
unknown
1656
Telegram.exe
95.161.76.100:80
Telegram Messenger Inc
AG
unknown
1656
Telegram.exe
149.154.167.51:80
Telegram Messenger Inc
GB
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
  • 142.250.184.238
whitelisted
td.telegram.org
  • 149.154.167.99
whitelisted
mozilla.cloudflare-dns.com
  • 162.159.61.4
  • 172.64.41.4
whitelisted
dns.google.com
  • 8.8.8.8
  • 8.8.4.4
whitelisted
firebaseremoteconfig.googleapis.com
  • 142.250.184.202
  • 142.250.186.74
  • 142.250.185.202
  • 216.58.212.138
  • 142.250.181.234
  • 216.58.212.170
  • 142.250.185.234
  • 142.250.185.170
  • 216.58.206.42
  • 142.250.184.234
  • 142.250.186.106
  • 216.58.206.74
  • 142.250.186.42
  • 172.217.16.202
  • 142.250.185.74
  • 172.217.18.10
whitelisted
google.ru
  • 142.250.186.99
whitelisted
firestore.googleapis.com
  • 172.217.16.138
whitelisted
www.google.ru
  • 142.250.186.163
whitelisted
www.google.com
  • 142.250.185.228
whitelisted

Threats

PID
Process
Class
Message
1656
Telegram.exe
Misc activity
ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
1656
Telegram.exe
Misc activity
ET INFO Observed Google DNS over HTTPS Domain (dns .google .com in TLS SNI)
138 ETPRO signatures available at the full report
Process
Message
Telegram.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.