SYMBOLCOMMON_NAMEaka. SYNONYMS
win.agfspy (Back to overview)

AgfSpy

VTCollection    

The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.

References
2020-10-28Trend MicroAliakbar Zahravi, Cedric Pernet, Daniel Lunghi, Elliot Cao, Jaromír Hořejší, John Zhang, Joseph C Chen, William Gamazo Sanchez
Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB Earth Kitsune
Yara Rules
[TLP:WHITE] win_agfspy_auto (20260504 | Detects win.agfspy.)
rule win_agfspy_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.agfspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7527 83fefd 7431 8a4101 3a4201 751a 83fefe }
            // n = 7, score = 400
            //   7527                 | jne                 0x29
            //   83fefd               | cmp                 esi, -3
            //   7431                 | je                  0x33
            //   8a4101               | mov                 al, byte ptr [ecx + 1]
            //   3a4201               | cmp                 al, byte ptr [edx + 1]
            //   751a                 | jne                 0x1c
            //   83fefe               | cmp                 esi, -2

        $sequence_1 = { 8b7d08 33c9 8b4510 8b5d0c 897de4 c745f000000000 c7471000000000 }
            // n = 7, score = 400
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   33c9                 | xor                 ecx, ecx
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   897de4               | mov                 dword ptr [ebp - 0x1c], edi
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   c7471000000000       | mov                 dword ptr [edi + 0x10], 0

        $sequence_2 = { 83c404 8bce ff5204 8935???????? 8d4dd0 e8???????? 8bc6 }
            // n = 7, score = 400
            //   83c404               | add                 esp, 4
            //   8bce                 | mov                 ecx, esi
            //   ff5204               | call                dword ptr [edx + 4]
            //   8935????????         |                     
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     
            //   8bc6                 | mov                 eax, esi

        $sequence_3 = { 33f6 8b9564ffffff 83fa10 722b 8b8d50ffffff 42 8bc1 }
            // n = 7, score = 400
            //   33f6                 | xor                 esi, esi
            //   8b9564ffffff         | mov                 edx, dword ptr [ebp - 0x9c]
            //   83fa10               | cmp                 edx, 0x10
            //   722b                 | jb                  0x2d
            //   8b8d50ffffff         | mov                 ecx, dword ptr [ebp - 0xb0]
            //   42                   | inc                 edx
            //   8bc1                 | mov                 eax, ecx

        $sequence_4 = { 833800 7469 8b512c 8b02 85c0 7e60 48 }
            // n = 7, score = 400
            //   833800               | cmp                 dword ptr [eax], 0
            //   7469                 | je                  0x6b
            //   8b512c               | mov                 edx, dword ptr [ecx + 0x2c]
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   85c0                 | test                eax, eax
            //   7e60                 | jle                 0x62
            //   48                   | dec                 eax

        $sequence_5 = { c7464c00000000 5e c3 f7465000000004 74c2 8b4e28 }
            // n = 6, score = 400
            //   c7464c00000000       | mov                 dword ptr [esi + 0x4c], 0
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   f7465000000004       | test                dword ptr [esi + 0x50], 0x4000000
            //   74c2                 | je                  0xffffffc4
            //   8b4e28               | mov                 ecx, dword ptr [esi + 0x28]

        $sequence_6 = { 8a461c 88421c 5e 8917 5f 5d c3 }
            // n = 7, score = 400
            //   8a461c               | mov                 al, byte ptr [esi + 0x1c]
            //   88421c               | mov                 byte ptr [edx + 0x1c], al
            //   5e                   | pop                 esi
            //   8917                 | mov                 dword ptr [edi], edx
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_7 = { 0fabd0 8801 8bce e9???????? 52 8d4e24 e8???????? }
            // n = 7, score = 400
            //   0fabd0               | bts                 eax, edx
            //   8801                 | mov                 byte ptr [ecx], al
            //   8bce                 | mov                 ecx, esi
            //   e9????????           |                     
            //   52                   | push                edx
            //   8d4e24               | lea                 ecx, [esi + 0x24]
            //   e8????????           |                     

        $sequence_8 = { c745fc00000000 c745f001000000 8b07 6a00 8b4004 c70407???????? }
            // n = 6, score = 400
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   6a00                 | push                0
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   c70407????????       |                     

        $sequence_9 = { c20800 83ec08 c6432c01 51 8bcb e8???????? 8ac8 }
            // n = 7, score = 400
            //   c20800               | ret                 8
            //   83ec08               | sub                 esp, 8
            //   c6432c01             | mov                 byte ptr [ebx + 0x2c], 1
            //   51                   | push                ecx
            //   8bcb                 | mov                 ecx, ebx
            //   e8????????           |                     
            //   8ac8                 | mov                 cl, al

    condition:
        7 of them and filesize < 1482752
}
Download all Yara Rules