File name: | fzip_5.3.23.1.exe |
Full analysis: | https://app.any.run/tasks/ef97ff30-b8a4-4cea-882a-59eb69a99fc3 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 01:33:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 856D8A2970194EE404CEBD6107F12B39 |
SHA1: | 61F457D27D449522196F6E1FF31D34DBEA4811E0 |
SHA256: | 21BBFF74FD1F37A1008F924B23CBDF899DE50F37518A27953DD6EB83C4B0D113 |
SSDEEP: | 196608:zifJLkzg/gzqDjJcGuTAN1ol0K+YnLxY+LpPrjEzSfQ:+fJLkIgzqnJcGuTm1ol0xey+dTY |
Extension | Description |
---|---|
.exe | Win64 Executable (generic) (76.4) |
.exe | Win32 Executable (generic) (12.4) |
.exe | Generic Win/DOS Executable (5.5) |
.exe | DOS Executable Generic (5.5) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2022-Mar-23 08:45:00 |
Detected languages: | |
Debug artifacts: | |
CompanyName: | hefei yunbiao |
FileDescription: | FZip |
FileVersion: | 5.3.23.1 |
InternalName: | Setup.exe |
LegalCopyright: | Copyright(c) 2020-2021 HeFei YunBiao. All Rights Reserved. |
ProductName: | FZip |
ProductVersion: | 5.3.23.1 |
e_magic: | MZ |
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 296 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberOfSections: | 6 |
TimeDateStamp: | 2022-Mar-23 08:45:00 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 544022 | 544256 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55523 |
.rdata | 548864 | 134682 | 135168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.16166 |
.data | 684032 | 14192 | 9216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.98935 |
.gfids | 700416 | 444 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.51827 |
.tls | 704512 | 9 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 708608 | 5918968 | 5919232 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.98425 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.90978 | 296 | UNKNOWN | Chinese - PRC | RT_ICON |
2 | 4.97111 | 1384 | UNKNOWN | Chinese - PRC | RT_ICON |
3 | 6.50055 | 67624 | UNKNOWN | Chinese - PRC | RT_ICON |
4 | 6.53138 | 38056 | UNKNOWN | Chinese - PRC | RT_ICON |
5 | 6.49221 | 21640 | UNKNOWN | Chinese - PRC | RT_ICON |
6 | 6.50127 | 16936 | UNKNOWN | Chinese - PRC | RT_ICON |
7 | 6.45883 | 4264 | UNKNOWN | Chinese - PRC | RT_ICON |
8 | 6.47788 | 1128 | UNKNOWN | Chinese - PRC | RT_ICON |
107 | 2.96491 | 118 | UNKNOWN | Chinese - PRC | RT_GROUP_ICON |
109 | 3.24529 | 80 | UNKNOWN | Chinese - PRC | RT_MENU |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
IMM32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3108 | "C:\Users\admin\AppData\Local\Temp\fzip_5.3.23.1.exe" | C:\Users\admin\AppData\Local\Temp\fzip_5.3.23.1.exe | — | Explorer.EXE |
User: admin Company: hefei yunbiao Integrity Level: MEDIUM Description: FZip Exit code: 3221226540 Version: 5.3.23.1 | ||||
4092 | "C:\Users\admin\AppData\Local\Temp\fzip_5.3.23.1.exe" | C:\Users\admin\AppData\Local\Temp\fzip_5.3.23.1.exe | — | Explorer.EXE |
User: admin Company: hefei yunbiao Integrity Level: HIGH Description: FZip Exit code: 0 Version: 5.3.23.1 | ||||
2624 | regsvr32 "C:\Program Files\FZip\5.3.23.1\FZipShell.dll" /s | C:\Windows\system32\regsvr32.exe | — | fzip_5.3.23.1.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2908 | regsvr32 "C:\Program Files\FZip\5.3.23.1\FZipHelp.dll" /s | C:\Windows\system32\regsvr32.exe | — | fzip_5.3.23.1.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft(C) Register Server Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3072 | "C:\Program Files\FZip\5.3.23.1\FZipService.exe" /fsvc=autoins | C:\Program Files\FZip\5.3.23.1\FZipService.exe | — | fzip_5.3.23.1.exe |
User: admin Company: hefei yunbiao Integrity Level: HIGH Description: FZipService Exit code: 0 Version: 5.3.23.1 | ||||
1928 | "C:\Program Files\FZip\5.3.23.1\FZipService.exe" | C:\Program Files\FZip\5.3.23.1\FZipService.exe | — | services.exe |
User: SYSTEM Company: hefei yunbiao Integrity Level: SYSTEM Description: FZipService Version: 5.3.23.1 | ||||
3160 | "C:\Program Files\FZip\5.3.23.1\FZipTalnc.exe" /task | C:\Program Files\FZip\5.3.23.1\FZipTalnc.exe | — | taskeng.exe |
User: admin Company: hefeiyunbiao Integrity Level: HIGH Description: FZip Exit code: 0 Version: 188.3.23.11 | ||||
2060 | "C:\Program Files\FZip\5.3.23.1\FZipUpdate.exe" | C:\Program Files\FZip\5.3.23.1\FZipUpdate.exe | — | FZipService.exe |
User: admin Company: hefei yunbiao Integrity Level: HIGH Exit code: 0 Version: 5.3.23.1 | ||||
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
4092 | fzip_5.3.23.1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\FZip | ChnID | 79999 |
4092 | fzip_5.3.23.1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\FZip | FiEVer | 11 |
4092 | fzip_5.3.23.1.exe | write | HKEY_CURRENT_USER\Software\FZip | InstallPath | C:\Program Files\FZip\ |
4092 | fzip_5.3.23.1.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\FZip | (default) | C:\Program Files\FZip\ |
4092 | fzip_5.3.23.1.exe | write | HKEY_CURRENT_USER\Software\FZip | InstallTime | |
4092 | fzip_5.3.23.1.exe | write | HKEY_CURRENT_USER\Software\FZip | FAds | 63 |
2624 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4EB7F10-2C42-48D2-A92A-A5AF68A62909}\shellex\DropHandler | (default) | {D4EB7F10-2C42-48D2-A92A-A5AF68A62909} |
2624 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4EB7F10-2C42-48D2-A92A-A5AF68A62909} | (default) | FZip Shell Extension |
2624 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4EB7F10-2C42-48D2-A92A-A5AF68A62909}\InprocServer32 | (default) | C:\Program Files\FZip\5.3.23.1\FZipShell.dll |
2624 | regsvr32.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4EB7F10-2C42-48D2-A92A-A5AF68A62909}\InprocServer32 | ThreadingModel | Apartment |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
4092 | fzip_5.3.23.1.exe | C:\Users\admin\AppData\Local\Temp\7za.dll | executable | BD4ECB1078DE2E07D3194D6DE46B660D | 996D9EA4C63F75484A56D2033D1C608E04DDA703E303D6F2BC67D7DC553FC64E |
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZip.dat | compressed | BF3221E9E03369760AFDF5F68661C988 | 504FA90A1887558583956F564648A3A460F83ED020120A46EFDBC8E70F955F44 |
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipBasex64.dll | executable | 5D20C658BF09815FBC44232A02CEE77E | 6A7F85655C937CDB2DF906D4135BB4FFA64980FE62BED605DFFAB2796829E73B |
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\DuiLib.dll | executable | 78942DDC869BFF3D68D599E6F4B7B013 | D22B11F4C5C5F17A678A7374CAFCD9C179ED0131BD00C72700E5B8AB9C1B3C16 |
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipAssociate.exe | executable | ED7EE7FF1CA8983B2FE388C31D489287 | 146000878E9881B3A65BDE171A32406AB9EEAE8CE76A87D31AA479697CE6D78F |
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipUpdate.exe | executable | 0AB6F6E8F0D504086756FD8DBEB12CBA | C27125BB4DB32F31EED3DEC8F4D98509535BE55966504A27A7D02AC1C70D18EC |
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZip_kit.exe | executable | CC6D42B576631A105D4DB3C4C2967752 | 0A5641098726F74CACF888033238448E8F9A0D54BE550515C619F0D9322F7E4F |
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipService.exe | executable | C97797283A3A44F7EFC5ACF4B7F412EF | 8FF9A9CFE0DCC69FAE1E95FDCD1641DCF27E7940F4CC3A2FF81B2C4A53764884 |
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZipBase.dll | executable | 8BFCF5F84C38DB633D9B3E7536EFEC1A | A4BB896ECC973A91F8D6FAA2A782CAEC1BE13A496F79AC4B04BA969ABA790DED |
4092 | fzip_5.3.23.1.exe | C:\Program Files\FZip\5.3.23.1\FZip.exe | executable | F4C50A9A7D28062D7A87BB19413121DA | AE624D3171B2D1797B7418C04CCF947337B3B6768D52D86BE7C3765316ACC24D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2060 | FZipUpdate.exe | GET | 200 | 47.98.110.124:377 | http://zapi.dey1.cn:377/update?data={"avs":0,"chnid":"79999","dat1":{"fver":"188.3.23.11"},"id":3,"major":6,"minor":1,"scx":1280,"scy":720,"state":0,"uid":"76943b6909ae80e929c80849d03fe5a6","ver":"5.3.23.1","wow":0} | CN | binary | 29 b | malicious |
4092 | fzip_5.3.23.1.exe | GET | 200 | 47.98.110.124:377 | http://zapi.dey1.cn:377/report?data={"avs":0,"chnid":"79999","dat1":{"result":"1"},"id":1,"major":6,"minor":1,"scx":1280,"scy":720,"state":0,"uid":"76943b6909ae80e929c80849d03fe5a6","ver":"5.3.23.1","wow":0} | CN | binary | 1 b | malicious |
2060 | FZipUpdate.exe | GET | 200 | 47.98.110.124:377 | http://zapi.dey1.cn:377/report?data={"avs":0,"chnid":"79999","dat1":null,"id":3,"major":6,"minor":1,"scx":1280,"scy":720,"state":0,"uid":"76943b6909ae80e929c80849d03fe5a6","ver":"5.3.23.1","wow":0} | CN | binary | 1 b | malicious |
3160 | FZipTalnc.exe | POST | 200 | 47.242.24.79:857 | http://fbq.guw2.cn:857/api/update/get | US | text | 77 b | unknown |
3160 | FZipTalnc.exe | POST | 200 | 47.242.24.79:857 | http://fbq.guw2.cn:857/api/update/report | US | binary | 1 b | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3160 | FZipTalnc.exe | 47.242.24.79:857 | fbq.guw2.cn | Alibaba US Technology Co., Ltd. | HK | unknown |
2060 | FZipUpdate.exe | 47.98.110.124:377 | zapi.dey1.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
4092 | fzip_5.3.23.1.exe | 47.98.110.124:377 | zapi.dey1.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
— | — | 47.98.110.124:377 | zapi.dey1.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
3160 | FZipTalnc.exe | 47.242.24.79:715 | fbq.guw2.cn | Alibaba US Technology Co., Ltd. | HK | unknown |
Domain | IP | Reputation |
---|---|---|
zapi.dey1.cn | | unknown |
fbq.guw2.cn | | unknown |