The utility extracts configuration data from FaceFish rootkit samples. The configuration is stored encrypted with the Blowfish algorithm.
The FaceFish rootkit is widespread in the wild. A detailed analysis of the rootkit is available in the following material: "Analysis report of the Facefish rootkit" and "Linux Servers Hijacked to Implant SSH Backdoor".
Examples:
PS D:\facefishconfig> .\facefishconfig.win64.exe --dir=C:\samples
FaceFish Dropper: C:\samples\ssh1200, 118128, 9d32e96874eec67975e3b1bd6f5a2dd550d7a3b82d5b7d47f82974750cb038ba
00000000 c3 fe dd 71 b0 04 00 00 20 00 00 00 39 05 00 00 |...q.... ...9...|
00000010 00 00 00 00 00 00 00 00 68 74 74 70 3a 2f 2f 31 |........http://1|
00000020 34 36 2e 31 39 30 2e 32 33 2e 38 36 2f 69 6e 64 |46.190.23.86/ind|
00000030 65 78 2e 70 68 70 00 00 00 00 00 00 00 00 00 00 |ex.php..........|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 |........|
FaceFish Rootkit: C:\samples\libs.so__, 166160, 05ba963fa7a52c48f3a9b3e9de702b735ef5e30f2931a1f8d7342410ccada105
00000000 c3 fe dd 71 b0 04 00 00 20 00 00 00 39 05 00 00 |...q.... ...9...|
00000010 00 00 00 00 00 00 00 00 68 74 74 70 3a 2f 2f 31 |........http://1|
00000020 34 36 2e 31 39 30 2e 32 33 2e 38 36 2f 69 6e 64 |46.190.23.86/ind|
00000030 65 78 2e 70 68 70 00 00 00 00 00 00 00 00 00 00 |ex.php..........|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 |........|
FaceFish Dropper: C:\samples\ssh3600, 118128, c50bd9865ed65a9c298768f245d8eaff1baa410735ff5673a73d1411c425b7c6
00000000 cc 2c 88 83 10 0e 00 00 20 00 00 00 00 00 00 00 |.,...... .......|
00000010 00 00 00 00 00 00 00 00 68 74 74 70 3a 2f 2f 65 |........http://e|
00000020 75 2d 64 65 62 69 61 6e 2e 63 6f 6d 2f 69 6e 64 |u-debian.com/ind|
00000030 65 78 2e 70 68 70 00 00 00 00 00 00 00 00 00 00 |ex.php..........|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 |........|
FaceFish Dropper: C:\samples\ssh3600_, 118128, 740a3f10b45a607abaf0045108ee6ccb8f30d7439eadb3f06a00cf0026dfc1d8
00000000 9e b6 06 0a b0 04 00 00 20 00 00 00 00 00 00 00 |........ .......|
00000010 00 00 00 00 00 00 00 00 68 74 74 70 3a 2f 2f 73 |........http://s|
00000020 74 6f 6c 6f 74 6f 2e 61 69 2f 69 6e 64 65 78 2e |toloto.ai/index.|
00000030 70 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 |php.............|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 |........|
FaceFish Rootkit: C:\samples\libs.so, 166160, 1a3199d35e84df4598becf234b4ec39f3a30aabb7b6e1002f2016072554961b4
00000000 9e b6 06 0a b0 04 00 00 20 00 00 00 00 00 00 00 |........ .......|
00000010 00 00 00 00 00 00 00 00 68 74 74 70 3a 2f 2f 36 |........http://6|
00000020 34 2e 32 32 37 2e 31 32 34 2e 32 34 32 2f 6d 69 |4.227.124.242/mi|
00000030 72 72 6f 72 2f 00 00 00 00 00 00 00 00 00 00 00 |rror/...........|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 |........|
FaceFish Rootkit: C:\samples\libs.so_, 31048, 58c49dc1dc8c6bdb85985ae0918e9717045b9e80db5f4b1758ac5b20ad3230c7
00000000 00 00 00 00 0f 00 00 00 20 00 00 00 01 bb 00 00 |........ .......|
00000010 00 00 00 00 00 00 00 00 6c 69 62 2e 72 70 6d 2d |........lib.rpm-|
00000020 62 69 6e 2e 6c 69 6e 6b 00 00 00 00 00 00 00 00 |bin.link........|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 |........|
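For triage across many samples, the report above can be turned into structured records. The following Python parser is an added example, not part of the utility. It assumes the output layout shown above and that the NUL-terminated string at offset 0x18 of each decrypted configuration is the server address, as the dumps suggest. The sample input is constructed.

```python
import re

# Per-sample header printed by the tool: "<kind>: <path>, <size>, <sha256>"
HEADER = re.compile(r"^(FaceFish (?:Dropper|Rootkit)): (.+), (\d+), ([0-9a-f]{64})$")
# Hexdump row: 8-digit offset, 1 to 16 hex bytes, then the |ascii| column
ROW = re.compile(r"^([0-9a-f]{8})((?: +[0-9a-f]{2}){1,16}) +\|")
STRING_OFFSET = 0x18  # assumption: where the printable string starts in the dumps above

# Constructed sample report (placeholder path, hash and address, not a real sample)
SAMPLE = r"""
FaceFish Rootkit: C:\samples\constructed.bin, 4096, 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
00000000 00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 |........ .......|
00000010 00 00 00 00 00 00 00 00 68 74 74 70 3a 2f 2f 63 |........http://c|
00000020 32 2e 65 78 61 6d 70 6c 65 2f 78 00 00 00 00 00 |2.example/x.....|
"""


def parse_report(text):
    """Return one dict per sample: kind, path, size, sha256, config, endpoint."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            records.append({"kind": m.group(1), "path": m.group(2),
                            "size": int(m.group(3)), "sha256": m.group(4),
                            "config": bytearray()})
            continue
        m = ROW.match(line)
        if m and records:
            cfg = records[-1]["config"]
            # Rows must be contiguous, otherwise the rebuilt blob is unreliable
            if int(m.group(1), 16) != len(cfg):
                raise ValueError("hexdump row out of sequence: " + line)
            cfg.extend(bytes.fromhex(m.group(2)))  # fromhex skips the spaces
    for rec in records:
        raw = bytes(rec["config"][STRING_OFFSET:])
        # Take everything up to the first NUL as the address string
        rec["endpoint"] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return records


if __name__ == "__main__":
    for rec in parse_report(SAMPLE):
        print(rec["sha256"], rec["kind"], rec["endpoint"])
```

Grouping the resulting records by `endpoint` shows which droppers and rootkit builds share the same server, which is useful when building blocklists or detection rules.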