File name: fzip_5.3.23.1.exe
Full analysis: https://app.any.run/tasks/ef97ff30-b8a4-4cea-882a-59eb69a99fc3
Verdict: Malicious activity
Analysis date: October 05, 2022, 01:33:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 856D8A2970194EE404CEBD6107F12B39
SHA1: 61F457D27D449522196F6E1FF31D34DBEA4811E0
SHA256: 21BBFF74FD1F37A1008F924B23CBDF899DE50F37518A27953DD6EB83C4B0D113
SSDEEP: 196608:zifJLkzg/gzqDjJcGuTAN1ol0K+YnLxY+LpPrjEzSfQ:+fJLkIgzqnJcGuTm1ol0xey+dTY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • fzip_5.3.23.1.exe (PID: 4092)
    • Registers / Runs the DLL via REGSVR32.EXE

      • fzip_5.3.23.1.exe (PID: 4092)
    • Loads dropped or rewritten executable

      • fzip_5.3.23.1.exe (PID: 4092)
      • FZipService.exe (PID: 1928)
      • FZipService.exe (PID: 3072)
      • regsvr32.exe (PID: 2908)
      • regsvr32.exe (PID: 2624)
      • FZipUpdate.exe (PID: 2060)
    • Loads the Task Scheduler COM API

      • fzip_5.3.23.1.exe (PID: 4092)
    • Application was dropped or rewritten from another process

      • FZipService.exe (PID: 3072)
      • FZipService.exe (PID: 1928)
      • FZipTalnc.exe (PID: 3160)
      • FZipUpdate.exe (PID: 2060)
  • SUSPICIOUS

    • Reads the computer name

      • fzip_5.3.23.1.exe (PID: 4092)
      • FZipService.exe (PID: 3072)
      • FZipService.exe (PID: 1928)
      • FZipTalnc.exe (PID: 3160)
      • FZipUpdate.exe (PID: 2060)
    • Checks supported languages

      • fzip_5.3.23.1.exe (PID: 4092)
      • FZipService.exe (PID: 3072)
      • FZipService.exe (PID: 1928)
      • FZipTalnc.exe (PID: 3160)
      • FZipUpdate.exe (PID: 2060)
    • Creates a directory in Program Files

      • fzip_5.3.23.1.exe (PID: 4092)
    • Executable content was dropped or overwritten

      • fzip_5.3.23.1.exe (PID: 4092)
    • Creates files in the program directory

      • fzip_5.3.23.1.exe (PID: 4092)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 2624)
      • regsvr32.exe (PID: 2908)
    • Drops a file with a compile date too recent

      • fzip_5.3.23.1.exe (PID: 4092)
    • Changes default file association

      • fzip_5.3.23.1.exe (PID: 4092)
    • Creates a software uninstall entry

      • fzip_5.3.23.1.exe (PID: 4092)
    • Creates files in the user directory

      • fzip_5.3.23.1.exe (PID: 4092)
      • FZipTalnc.exe (PID: 3160)
    • Executed as Windows Service

      • FZipService.exe (PID: 1928)
    • Executed via Task Scheduler

      • FZipTalnc.exe (PID: 3160)
    • Searches for installed software

      • FZipTalnc.exe (PID: 3160)
  • INFO

    • Checks supported languages

      • regsvr32.exe (PID: 2624)
      • regsvr32.exe (PID: 2908)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2022-Mar-23 08:45:00
Detected languages:
  • Chinese - PRC
Debug artifacts:
  • E:\FZip\[Branches]\Branch-9\Output\Release\Pdb\FZipInstall.pdb
CompanyName: hefei yunbiao
FileDescription: FZip
FileVersion: 5.3.23.1
InternalName: Setup.exe
LegalCopyright: Copyright(c) 2020-2021 HeFei YunBiao. All Rights Reserved.
ProductName: FZip
ProductVersion: 5.3.23.1

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 296

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 6
TimeDateStamp: 2022-Mar-23 08:45:00
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 544022 | 544256 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55523
.rdata | 548864 | 134682 | 135168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.16166
.data | 684032 | 14192 | 9216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.98935
.gfids | 700416 | 444 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.51827
.tls | 704512 | 9 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931
.rsrc | 708608 | 5918968 | 5919232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.98425

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.90978 | 296 | UNKNOWN | Chinese - PRC | RT_ICON
2 | 4.97111 | 1384 | UNKNOWN | Chinese - PRC | RT_ICON
3 | 6.50055 | 67624 | UNKNOWN | Chinese - PRC | RT_ICON
4 | 6.53138 | 38056 | UNKNOWN | Chinese - PRC | RT_ICON
5 | 6.49221 | 21640 | UNKNOWN | Chinese - PRC | RT_ICON
6 | 6.50127 | 16936 | UNKNOWN | Chinese - PRC | RT_ICON
7 | 6.45883 | 4264 | UNKNOWN | Chinese - PRC | RT_ICON
8 | 6.47788 | 1128 | UNKNOWN | Chinese - PRC | RT_ICON
107 | 2.96491 | 118 | UNKNOWN | Chinese - PRC | RT_GROUP_ICON
109 | 3.24529 | 80 | UNKNOWN | Chinese - PRC | RT_MENU

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
IMM32.dll
IPHLPAPI.DLL
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
No data.
Total processes: 45
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Graph nodes: fzip_5.3.23.1.exe (no specs), fzip_5.3.23.1.exe, regsvr32.exe (no specs), regsvr32.exe (no specs), fzipservice.exe (no specs), fzipservice.exe (no specs), fziptalnc.exe, fzipupdate.exe. Edge labels: "drop and start", "start".

Process information

PID: 3108
CMD: "C:\Users\admin\AppData\Local\Temp\fzip_5.3.23.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\fzip_5.3.23.1.exe
Parent process: Explorer.EXE
User: admin
Company: hefei yunbiao
Integrity Level: MEDIUM
Description: FZip
Exit code: 3221226540
Version: 5.3.23.1

PID: 4092
CMD: "C:\Users\admin\AppData\Local\Temp\fzip_5.3.23.1.exe"
Path: C:\Users\admin\AppData\Local\Temp\fzip_5.3.23.1.exe
Parent process: Explorer.EXE
User: admin
Company: hefei yunbiao
Integrity Level: HIGH
Description: FZip
Exit code: 0
Version: 5.3.23.1

PID: 2624
CMD: regsvr32 "C:\Program Files\FZip\5.3.23.1\FZipShell.dll" /s
Path: C:\Windows\system32\regsvr32.exe
Parent process: fzip_5.3.23.1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2908
CMD: regsvr32 "C:\Program Files\FZip\5.3.23.1\FZipHelp.dll" /s
Path: C:\Windows\system32\regsvr32.exe
Parent process: fzip_5.3.23.1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3072
CMD: "C:\Program Files\FZip\5.3.23.1\FZipService.exe" /fsvc=autoins
Path: C:\Program Files\FZip\5.3.23.1\FZipService.exe
Parent process: fzip_5.3.23.1.exe
User: admin
Company: hefei yunbiao
Integrity Level: HIGH
Description: FZipService
Exit code: 0
Version: 5.3.23.1

PID: 1928
CMD: "C:\Program Files\FZip\5.3.23.1\FZipService.exe"
Path: C:\Program Files\FZip\5.3.23.1\FZipService.exe
Parent process: services.exe
User: SYSTEM
Company: hefei yunbiao
Integrity Level: SYSTEM
Description: FZipService
Version: 5.3.23.1

PID: 3160
CMD: "C:\Program Files\FZip\5.3.23.1\FZipTalnc.exe" /task
Path: C:\Program Files\FZip\5.3.23.1\FZipTalnc.exe
Parent process: taskeng.exe
User: admin
Company: hefeiyunbiao
Integrity Level: HIGH
Description: FZip
Exit code: 0
Version: 188.3.23.11

PID: 2060
CMD: "C:\Program Files\FZip\5.3.23.1\FZipUpdate.exe"
Path: C:\Program Files\FZip\5.3.23.1\FZipUpdate.exe
Parent process: FZipService.exe
User: admin
Company: hefei yunbiao
Integrity Level: HIGH
Exit code: 0
Version: 5.3.23.1
Total events: 933
Read events: 894
Write events: 37
Delete events: 2

Modification events

(PID) Process | Key | Operation | Name | Value
(4092) fzip_5.3.23.1.exe | HKEY_LOCAL_MACHINE\SOFTWARE\FZip | write | ChnID | 79999
(4092) fzip_5.3.23.1.exe | HKEY_LOCAL_MACHINE\SOFTWARE\FZip | write | FiEVer | 11
(4092) fzip_5.3.23.1.exe | HKEY_CURRENT_USER\Software\FZip | write | InstallPath | C:\Program Files\FZip\
(4092) fzip_5.3.23.1.exe | HKEY_LOCAL_MACHINE\SOFTWARE\FZip | write | (default) | C:\Program Files\FZip\
(4092) fzip_5.3.23.1.exe | HKEY_CURRENT_USER\Software\FZip | write | InstallTime |
(4092) fzip_5.3.23.1.exe | HKEY_CURRENT_USER\Software\FZip | write | FAds | 63
(2624) regsvr32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4EB7F10-2C42-48D2-A92A-A5AF68A62909}\shellex\DropHandler | write | (default) | {D4EB7F10-2C42-48D2-A92A-A5AF68A62909}
(2624) regsvr32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4EB7F10-2C42-48D2-A92A-A5AF68A62909} | write | (default) | FZip Shell Extension
(2624) regsvr32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4EB7F10-2C42-48D2-A92A-A5AF68A62909}\InprocServer32 | write | (default) | C:\Program Files\FZip\5.3.23.1\FZipShell.dll
(2624) regsvr32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4EB7F10-2C42-48D2-A92A-A5AF68A62909}\InprocServer32 | write | ThreadingModel | Apartment
Executable files: 25
Suspicious files: 1
Text files: 1
Unknown types: 4

Dropped files

PID | Process | Filename | Type
4092 | fzip_5.3.23.1.exe | C:\Users\admin\AppData\Local\Temp\7za.dll | executable
  MD5: BD4ECB1078DE2E07D3194D6DE46B660D
  SHA256: 996D9EA4C63F75484A56D2033D1C608E04DDA703E303D6F2BC67D7DC553FC64E
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZip.dat | compressed
  MD5: BF3221E9E03369760AFDF5F68661C988
  SHA256: 504FA90A1887558583956F564648A3A460F83ED020120A46EFDBC8E70F955F44
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipBasex64.dll | executable
  MD5: 5D20C658BF09815FBC44232A02CEE77E
  SHA256: 6A7F85655C937CDB2DF906D4135BB4FFA64980FE62BED605DFFAB2796829E73B
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\DuiLib.dll | executable
  MD5: 78942DDC869BFF3D68D599E6F4B7B013
  SHA256: D22B11F4C5C5F17A678A7374CAFCD9C179ED0131BD00C72700E5B8AB9C1B3C16
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipAssociate.exe | executable
  MD5: ED7EE7FF1CA8983B2FE388C31D489287
  SHA256: 146000878E9881B3A65BDE171A32406AB9EEAE8CE76A87D31AA479697CE6D78F
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipUpdate.exe | executable
  MD5: 0AB6F6E8F0D504086756FD8DBEB12CBA
  SHA256: C27125BB4DB32F31EED3DEC8F4D98509535BE55966504A27A7D02AC1C70D18EC
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZip_kit.exe | executable
  MD5: CC6D42B576631A105D4DB3C4C2967752
  SHA256: 0A5641098726F74CACF888033238448E8F9A0D54BE550515C619F0D9322F7E4F
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipService.exe | executable
  MD5: C97797283A3A44F7EFC5ACF4B7F412EF
  SHA256: 8FF9A9CFE0DCC69FAE1E95FDCD1641DCF27E7940F4CC3A2FF81B2C4A53764884
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipBase.dll | executable
  MD5: 8BFCF5F84C38DB633D9B3E7536EFEC1A
  SHA256: A4BB896ECC973A91F8D6FAA2A782CAEC1BE13A496F79AC4B04BA969ABA790DED
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZip.exe | executable
  MD5: F4C50A9A7D28062D7A87BB19413121DA
  SHA256: AE624D3171B2D1797B7418C04CCF947337B3B6768D52D86BE7C3765316ACC24D
HTTP(S) requests: 5
TCP/UDP connections: 5
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2060 | FZipUpdate.exe | GET | 200 | 47.98.110.124:377 | http://zapi.dey1.cn:377/update?data={"avs":0,"chnid":"79999","dat1":{"fver":"188.3.23.11"},"id":3,"major":6,"minor":1,"scx":1280,"scy":720,"state":0,"uid":"76943b6909ae80e929c80849d03fe5a6","ver":"5.3.23.1","wow":0} | CN | binary | 29 b | malicious
4092 | fzip_5.3.23.1.exe | GET | 200 | 47.98.110.124:377 | http://zapi.dey1.cn:377/report?data={"avs":0,"chnid":"79999","dat1":{"result":"1"},"id":1,"major":6,"minor":1,"scx":1280,"scy":720,"state":0,"uid":"76943b6909ae80e929c80849d03fe5a6","ver":"5.3.23.1","wow":0} | CN | binary | 1 b | malicious
2060 | FZipUpdate.exe | GET | 200 | 47.98.110.124:377 | http://zapi.dey1.cn:377/report?data={"avs":0,"chnid":"79999","dat1":null,"id":3,"major":6,"minor":1,"scx":1280,"scy":720,"state":0,"uid":"76943b6909ae80e929c80849d03fe5a6","ver":"5.3.23.1","wow":0} | CN | binary | 1 b | malicious
3160 | FZipTalnc.exe | POST | 200 | 47.242.24.79:857 | http://fbq.guw2.cn:857/api/update/get | US | text | 77 b | unknown
3160 | FZipTalnc.exe | POST | 200 | 47.242.24.79:857 | http://fbq.guw2.cn:857/api/update/report | US | binary | 1 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3160 | FZipTalnc.exe | 47.242.24.79:857 | fbq.guw2.cn | Alibaba US Technology Co., Ltd. | HK | unknown
2060 | FZipUpdate.exe | 47.98.110.124:377 | zapi.dey1.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
4092 | fzip_5.3.23.1.exe | 47.98.110.124:377 | zapi.dey1.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
- | - | 47.98.110.124:377 | zapi.dey1.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3160 | FZipTalnc.exe | 47.242.24.79:715 | fbq.guw2.cn | Alibaba US Technology Co., Ltd. | HK | unknown

DNS requests

Domain | IP | Reputation
zapi.dey1.cn | 47.98.110.124 | unknown
fbq.guw2.cn | 47.242.24.79 | unknown

Threats

No threats detected
No debug info