HanZip.exe

HanZip

DreamWiz Internet Co.,Ltd

The application HanZip.exe by DreamWiz Internet Co.,Ltd has been detected as a potentially unwanted program by 1 anti-malware scanner with very strong indications that the file is a potential threat. While running, it connects to the Internet address cache.google.com on port 80 using the HTTP protocol.
Publisher:
DreamWiz Internet  (signed by DreamWiz Internet Co.,Ltd)

Product:
HanZip

Version:
2.0.0.54

MD5:
4cb15285b45f6aecf1fbef17aa223e1d

SHA-1:
df6e6abed82fa7c9ce7f2a90f98ad5248c06e441

SHA-256:
b463cc13616ded776d09c0f978030318a563dd50a59a75b994f198ccde64822d

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 6:40:50 PM UTC

Scan engine         Detection           Engine version
Reason Heuristics   PUP.DreamWiz (M)    16.4.8.17

File size:
6.9 MB (7,274,248 bytes)

Product version:
2.0.0.0

Copyright:
Copyright(C) 2012 by DreamWiz Internet all right reserved

Original file name:
HanZip.exe

File type:
Executable application (Win64 EXE)

Common path:
C:\Program Files\hantools\hanzip\hanzip.exe

Digital Signature
Authority:
thawte, Inc.

Valid from:
12/4/2015 9:00:00 AM

Valid to:
1/3/2017 8:59:59 AM

Subject:
CN="DreamWiz Internet Co.,Ltd", OU=IT Team, O="DreamWiz Internet Co.,Ltd", L=Guro-gu, S=SEOUL, C=KR

Issuer:
CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US

Serial number:
2C28441B5E4D45C0B4A25EBFE0B40940

File PE Metadata
Compilation timestamp:
1/14/2016 4:22:28 PM

OS version:
5.2

OS bitness:
Win64

Subsystem:
Windows GUI

Linker version:
8.0

CTPH (ssdeep):
49152:2/oK49L7vSPClsiSlXaWL09N6/xZ1rK2/VphoeorJVJvKJs3YEY5pnGrT9yvpzAV:SomSMz/1oeoNoGyhQLP

Entry address:
0x531050

Entry point:
55, 53, 48, 83, EC, 68, 48, 8B, EC, 48, C7, 45, 20, 00, 00, 00, 00, 48, C7, 45, 30, 00, 00, 00, 00, 48, C7, 45, 28, 00, 00, 00, 00, 48, C7, 45, 40, 00, 00, 00, 00, 48, C7, 45, 38, 00, 00, 00, 00, 48, 89, 6D, 48, 90, 48, 8D, 0D, 8B, 85, FE, FF, E8, 5E, 31, AE, FF, 90, 48, 8B, 05, B6, 5E, 07, 00, 48, 8B, 08, E8, 1E, F9, CE, FF, 48, 8B, 05, A7, 5E, 07, 00, 48, 8B, 08, 48, 8D, 15, C9, 02, 00, 00, E8, 08, F1, CE, FF, 48, 8B, 0D, 49, 5E, B3, FF, B2, 01, E8, 0A, AE, B4, FF, 48, 89, 05, 53, 92, 29, 00, 90, 48, 8D...

Entropy:
5.9568

Code size:
5.2 MB (5,441,024 bytes)

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to nrt12s12-in-f206.1e100.net  (216.58.200.206:80)

TCP (HTTP):
Connects to nsp-s1-4-c.rt.bora.net  (203.233.37.186:80)

TCP (HTTP):
Connects to nrt20s02-in-f14.1e100.net  (172.217.26.14:80)

TCP (HTTP):
Connects to hkg12s02-in-f14.1e100.net  (216.58.199.14:80)

TCP (HTTP):
Connects to hkg07s21-in-f14.1e100.net  (216.58.221.238:80)

TCP (HTTP):
Connects to hkg07s01-in-f110.1e100.net  (216.58.221.110:80)

TCP (HTTP):
Connects to cache.google.com  (59.18.35.152:80)

Powered by Reason Core Security