win.agfspy

AgfSpy


The agfSpy backdoor retrieves its configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to those of dneSpy, except that each backdoor uses a different C&C server and a different message format in its exchanges with that server.

References
2020-10-28 — Trend Micro — Aliakbar Zahravi, Cedric Pernet, Daniel Lunghi, Elliot Cao, Jaromír Hořejší, John Zhang, Joseph C Chen, William Gamazo Sanchez
Operation Earth Kitsune: A Dance of Two New Backdoors
AgfSpy DneSpy SLUB Earth Kitsune
Yara Rules
[TLP:WHITE] win_agfspy_auto (20230808 | Detects win.agfspy.)
rule win_agfspy_auto {
    // Auto-generated detection for the agfSpy backdoor (Malpedia id win.agfspy).
    // The rule carries ten short x86 instruction-byte sequences lifted from the
    // disassembly of dumped / unpacked samples (see DISCLAIMER below) and fires
    // when at least seven of them occur in an object under the size limit given
    // in the condition. Because the sequences come from unpacked code, expect it
    // to match memory dumps and unpacked binaries rather than packed droppers on
    // disk -- verify coverage against your own sample set before relying on it.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        // NOTE(review): date, malpedia_rule_date and malpedia_version disagree
        // with each other; presumably generation vs. publication dates -- confirm
        // against Malpedia before using any of them as the rule's version.
        date = "2023-12-06"
        version = "1"
        description = "Detects win.agfspy."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of consecutive instruction encodings. The
        // "n = N, score = S" annotation gives the instruction count and, presumably,
        // the selection score assigned by yara-signator. Bytes written as ?? are
        // wildcards: they cover the rel32 displacement of call (e8) and jmp (e9)
        // instructions, which depends on where the code is linked/loaded and so
        // cannot be matched literally.
        $sequence_0 = { 7527 83fefd 7431 8a4101 3a4201 751a 83fefe }
            // n = 7, score = 300
            //   7527                 | jne                 0x29
            //   83fefd               | cmp                 esi, -3
            //   7431                 | je                  0x33
            //   8a4101               | mov                 al, byte ptr [ecx + 1]
            //   3a4201               | cmp                 al, byte ptr [edx + 1]
            //   751a                 | jne                 0x1c
            //   83fefe               | cmp                 esi, -2

        $sequence_1 = { 85f6 7539 8d45c0 50 8d45d4 50 e8???????? }
            // n = 7, score = 300
            //   85f6                 | test                esi, esi
            //   7539                 | jne                 0x3b
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   50                   | push                eax
            //   8d45d4               | lea                 eax, [ebp - 0x2c]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_2 = { 731d 8d4101 83fe10 8945d0 8d45c0 0f4345c0 881408 }
            // n = 7, score = 300
            //   731d                 | jae                 0x1f
            //   8d4101               | lea                 eax, [ecx + 1]
            //   83fe10               | cmp                 esi, 0x10
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8d45c0               | lea                 eax, [ebp - 0x40]
            //   0f4345c0             | cmovae              eax, dword ptr [ebp - 0x40]
            //   881408               | mov                 byte ptr [eax + ecx], dl

        $sequence_3 = { c645fc04 8d45b0 837dc408 51 0f4345b0 8d4d84 50 }
            // n = 7, score = 300
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   837dc408             | cmp                 dword ptr [ebp - 0x3c], 8
            //   51                   | push                ecx
            //   0f4345b0             | cmovae              eax, dword ptr [ebp - 0x50]
            //   8d4d84               | lea                 ecx, [ebp - 0x7c]
            //   50                   | push                eax

        $sequence_4 = { e8???????? eb46 8b4720 85c0 741f 837e1410 8bce }
            // n = 7, score = 300
            //   e8????????           |                     
            //   eb46                 | jmp                 0x48
            //   8b4720               | mov                 eax, dword ptr [edi + 0x20]
            //   85c0                 | test                eax, eax
            //   741f                 | je                  0x21
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10
            //   8bce                 | mov                 ecx, esi

        $sequence_5 = { 2bc1 83c0fc 83f81f 7724 e9???????? 32c0 8b4df4 }
            // n = 7, score = 300
            //   2bc1                 | sub                 eax, ecx
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   7724                 | ja                  0x26
            //   e9????????           |                     
            //   32c0                 | xor                 al, al
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]

        $sequence_6 = { 837de808 0f4375d4 3b55cc 752f 85d2 7413 2bf0 }
            // n = 7, score = 300
            //   837de808             | cmp                 dword ptr [ebp - 0x18], 8
            //   0f4375d4             | cmovae              esi, dword ptr [ebp - 0x2c]
            //   3b55cc               | cmp                 edx, dword ptr [ebp - 0x34]
            //   752f                 | jne                 0x31
            //   85d2                 | test                edx, edx
            //   7413                 | je                  0x15
            //   2bf0                 | sub                 esi, eax

        $sequence_7 = { 50 e8???????? 8ac8 8b45b4 83f80c 74e7 }
            // n = 6, score = 300
            //   50                   | push                eax
            //   e8????????           |                     
            //   8ac8                 | mov                 cl, al
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   83f80c               | cmp                 eax, 0xc
            //   74e7                 | je                  0xffffffe9

        $sequence_8 = { 0fb602 eb05 8b01 ff501c 83f8ff 742f 8b0e }
            // n = 7, score = 300
            //   0fb602               | movzx               eax, byte ptr [edx]
            //   eb05                 | jmp                 7
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff501c               | call                dword ptr [eax + 0x1c]
            //   83f8ff               | cmp                 eax, -1
            //   742f                 | je                  0x31
            //   8b0e                 | mov                 ecx, dword ptr [esi]

        $sequence_9 = { d1f8 51 8bcb 8d0442 50 52 }
            // n = 6, score = 300
            //   d1f8                 | sar                 eax, 1
            //   51                   | push                ecx
            //   8bcb                 | mov                 ecx, ebx
            //   8d0442               | lea                 eax, [edx + eax*2]
            //   50                   | push                eax
            //   52                   | push                edx

    condition:
        // At least 7 of the 10 $sequence_* strings must be present. The shorter
        // six-instruction sequences ($sequence_7, $sequence_9) look like generic
        // compiler output and would be weak on their own; the 7-of-10 threshold is
        // what gives the rule its specificity, so do not lower it casually.
        // filesize is in bytes: 1482752 = 1448 KiB. Anything larger -- including
        // big process dumps -- is excluded regardless of content; presumably the
        // bound was derived from the reference sample, so raise it deliberately
        // if you scan larger dumps.
        7 of them and filesize < 1482752
}