win.gozi

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM'), also known as Papras, was first observed.
It was offered as crimeware-as-a-service (CaaS) under the name 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and from some other kits. Gozi v1.0 thus had a form-grabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM DLL version was leaked. Two lineages descend from that leak: Gozi Prinimalka (a slightly modified Gozi v1.0), which in combination with Pony led to Vawtrak/Neverquest, and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia), which added a webinject module.

References
2021-06-30 | The Record | Catalin Cimpanu
@online{cimpanu:20210630:gozi:8760ba7, author = {Catalin Cimpanu}, title = {{Gozi malware gang member arrested in Colombia}}, date = {2021-06-30}, organization = {The Record}, url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/}, language = {English}, urldate = {2021-07-02} }
Families: Gozi ISFB

2021-05-26 | DeepInstinct | Ron Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} }
Families: Cobalt Strike, Dridex, Emotet, Gozi ISFB, Mailto, QakBot, SmokeLoader, WastedLocker, Zloader

2021-03-31 | Kaspersky | Kaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} }
Families: BetaBot, DanaBot, Emotet, Gozi, Ramnit, RTM, SpyEye, TrickBot, Zeus

2020-12-21 | Cisco Talos | Jon Munshaw
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} }
Families: WolfRAT, Prometei, Poet RAT, Agent Tesla, Astaroth, Ave Maria, CRAT, Emotet, Gozi, IndigoDrop, JhoneRAT, Nanocore RAT, NjRAT, Oblique RAT, SmokeLoader, StrongPity, WastedLocker, Zloader

2020-08-09 | F5 Labs | Remi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} }
Families: BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus

2020-05-07 | Github (mlodic) | Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} }
Families: Gozi ISFB

2020-01-22 | Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} }
Families: Azorult, Gozi, IcedID, ISFB, LOLSnif, SUNBURST, TEARDROP

2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} }
Families: GlobeImposter, Gozi, IcedID, TrickBot, LUNAR SPIDER

2017-05-29 | Lokalhost.pl | Maciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} }
Families: DreamBot, Gozi, ISFB, Powersniff

2017-02-15 | Palo Alto Networks Unit 42 | Kaoru Hayashi
@online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} }
Families: Gozi

2016-11-23 | G Data | G Data
@online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} }
Families: Gozi

2013-02-03 | Malware Must Die! | Malware Must Die!
@online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} }
Families: Gozi

2007-03-20 | Secureworks | Don Jackson
@online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} }
Families: Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20210616 | Detects win.gozi.)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.gozi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd6 8945d8 83f8ff 0f8448ffffff c745b801000000 }
            // n = 5, score = 100
            //   ffd6                 | call                esi
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   83f8ff               | cmp                 eax, -1
            //   0f8448ffffff         | je                  0xffffff4e
            //   c745b801000000       | mov                 dword ptr [ebp - 0x48], 1

        $sequence_1 = { ff75f4 e8???????? ff75e0 e8???????? ff75f4 }
            // n = 5, score = 100
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   e8????????           |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        $sequence_2 = { 96 3b5375 60 d3e0 90 48 9e }
            // n = 7, score = 100
            //   96                   | xchg                eax, esi
            //   3b5375               | cmp                 edx, dword ptr [ebx + 0x75]
            //   60                   | pushal              
            //   d3e0                 | shl                 eax, cl
            //   90                   | nop                 
            //   48                   | dec                 eax
            //   9e                   | sahf                

        $sequence_3 = { f4 16 ee 7f7b }
            // n = 4, score = 100
            //   f4                   | hlt                 
            //   16                   | push                ss
            //   ee                   | out                 dx, al
            //   7f7b                 | jg                  0x7d

        $sequence_4 = { 92 6a00 8d45ec 50 52 68???????? }
            // n = 6, score = 100
            //   92                   | xchg                eax, edx
            //   6a00                 | push                0
            //   8d45ec               | lea                 eax, dword ptr [ebp - 0x14]
            //   50                   | push                eax
            //   52                   | push                edx
            //   68????????           |                     

        $sequence_5 = { e022 3a56b9 036890 2b02 9a102a6715fb53 31db b0a6 }
            // n = 7, score = 100
            //   e022                 | loopne              0x24
            //   3a56b9               | cmp                 dl, byte ptr [esi - 0x47]
            //   036890               | add                 ebp, dword ptr [eax - 0x70]
            //   2b02                 | sub                 eax, dword ptr [edx]
            //   9a102a6715fb53       | lcall               0x53fb:0x15672a10
            //   31db                 | xor                 ebx, ebx
            //   b0a6                 | mov                 al, 0xa6

        $sequence_6 = { 53 8d9f42050000 8903 5b e8???????? }
            // n = 5, score = 100
            //   53                   | push                ebx
            //   8d9f42050000         | lea                 ebx, dword ptr [edi + 0x542]
            //   8903                 | mov                 dword ptr [ebx], eax
            //   5b                   | pop                 ebx
            //   e8????????           |                     

        $sequence_7 = { d6 b6c6 e8???????? 6af4 dbe9 68912b4384 }
            // n = 6, score = 100
            //   d6                   | salc                
            //   b6c6                 | mov                 dh, 0xc6
            //   e8????????           |                     
            //   6af4                 | push                -0xc
            //   dbe9                 | fucomi              st(1)
            //   68912b4384           | push                0x84432b91

        $sequence_8 = { 68912b4384 2383e08985e4 0572b6e2f4 fd 4e 128b42926614 }
            // n = 6, score = 100
            //   68912b4384           | push                0x84432b91
            //   2383e08985e4         | and                 eax, dword ptr [ebx - 0x1b7a7620]
            //   0572b6e2f4           | add                 eax, 0xf4e2b672
            //   fd                   | std                 
            //   4e                   | dec                 esi
            //   128b42926614         | adc                 cl, byte ptr [ebx + 0x14669242]

        $sequence_9 = { 751d 399d40f4ffff 750d ff15???????? 3de5030000 74a8 }
            // n = 6, score = 100
            //   751d                 | jne                 0x1f
            //   399d40f4ffff         | cmp                 dword ptr [ebp - 0xbc0], ebx
            //   750d                 | jne                 0xf
            //   ff15????????         |                     
            //   3de5030000           | cmp                 eax, 0x3e5
            //   74a8                 | je                  0xffffffaa

        $sequence_10 = { 7415 57 57 53 8b7dfc e8???????? }
            // n = 6, score = 100
            //   7415                 | je                  0x17
            //   57                   | push                edi
            //   57                   | push                edi
            //   53                   | push                ebx
            //   8b7dfc               | mov                 edi, dword ptr [ebp - 4]
            //   e8????????           |                     

        $sequence_11 = { 74f5 55 68???????? e8???????? }
            // n = 4, score = 100
            //   74f5                 | je                  0xfffffff7
            //   55                   | push                ebp
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_12 = { ff7508 e8???????? c745f400100000 8d45f4 50 }
            // n = 5, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   c745f400100000       | mov                 dword ptr [ebp - 0xc], 0x1000
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   50                   | push                eax

        $sequence_13 = { 83c4f4 8d45fc 50 6a01 6a00 }
            // n = 5, score = 100
            //   83c4f4               | add                 esp, -0xc
            //   8d45fc               | lea                 eax, dword ptr [ebp - 4]
            //   50                   | push                eax
            //   6a01                 | push                1
            //   6a00                 | push                0

        $sequence_14 = { 8d8570ffffff 50 e8???????? 898574ffffff 57 8bbd70ffffff 57 }
            // n = 7, score = 100
            //   8d8570ffffff         | lea                 eax, dword ptr [ebp - 0x90]
            //   50                   | push                eax
            //   e8????????           |                     
            //   898574ffffff         | mov                 dword ptr [ebp - 0x8c], eax
            //   57                   | push                edi
            //   8bbd70ffffff         | mov                 edi, dword ptr [ebp - 0x90]
            //   57                   | push                edi

        $sequence_15 = { 741e 8d85b8fcffff 50 e8???????? }
            // n = 4, score = 100
            //   741e                 | je                  0x20
            //   8d85b8fcffff         | lea                 eax, dword ptr [ebp - 0x348]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_16 = { 0c73 0e 96 3b5375 }
            // n = 4, score = 100
            //   0c73                 | or                  al, 0x73
            //   0e                   | push                cs
            //   96                   | xchg                eax, esi
            //   3b5375               | cmp                 edx, dword ptr [ebx + 0x75]

        $sequence_17 = { 57 8911 7e25 8b7508 8a06 3c0a 7414 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   8911                 | mov                 dword ptr [ecx], edx
            //   7e25                 | jle                 0x27
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   3c0a                 | cmp                 al, 0xa
            //   7414                 | je                  0x16

        $sequence_18 = { 57 e8???????? c70728000000 56 e8???????? }
            // n = 5, score = 100
            //   57                   | push                edi
            //   e8????????           |                     
            //   c70728000000         | mov                 dword ptr [edi], 0x28
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_19 = { e8???????? 83c40c 8975fc 8d85bcfdffff 50 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8d85bcfdffff         | lea                 eax, dword ptr [ebp - 0x244]
            //   50                   | push                eax

        $sequence_20 = { 6878330000 6a00 ff33 8d8746020000 }
            // n = 4, score = 100
            //   6878330000           | push                0x3378
            //   6a00                 | push                0
            //   ff33                 | push                dword ptr [ebx]
            //   8d8746020000         | lea                 eax, dword ptr [edi + 0x246]

        $sequence_21 = { 4a 51 d2b8c512294e 8c8873cd58c8 17 }
            // n = 5, score = 100
            //   4a                   | dec                 edx
            //   51                   | push                ecx
            //   d2b8c512294e         | sar                 byte ptr [eax + 0x4e2912c5], cl
            //   8c8873cd58c8         | mov                 word ptr [eax - 0x37a7328d], cs
            //   17                   | pop                 ss

        $sequence_22 = { 7524 ff7518 ff7514 8d45f8 50 6a00 }
            // n = 6, score = 100
            //   7524                 | jne                 0x26
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8d45f8               | lea                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   6a00                 | push                0

        $sequence_23 = { f79bfe7ca80d a7 ad b710 2dc7ce5bbb d6 }
            // n = 6, score = 100
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   b710                 | mov                 bh, 0x10
            //   2dc7ce5bbb           | sub                 eax, 0xbb5bcec7
            //   d6                   | salc                

    condition:
        7 of them and filesize < 237568
}
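The rule above matches when at least 7 of its 24 opcode sequences occur anywhere in a file smaller than 237568 bytes, and each `??` masks one byte (in this rule, the rel32 operand of `call`, `call [mem]` and `push imm32`, which moves between builds). The following script is an added example, not part of the Malpedia page or of yara-signator: it re-implements just that subset of YARA's hex-string syntax and the rule condition in plain Python so the mechanism can be inspected and unit-tested without a YARA install. The buffers it builds from the rule's own byte sequences are constructed test data, not a Gozi sample; for real scanning use yara or yara-python against the rule as published.

```python
"""Minimal evaluator for the hex strings of win_gozi_auto (added example).

Re-implements only the YARA hex-string subset the rule uses (fixed bytes and
single-byte ?? wildcards) plus its condition "7 of them and filesize < 237568".
Use yara / yara-python for real scanning; buffers built here are constructed
test data, not Gozi.
"""
import re

# The 24 hex strings, copied from the rule. "??" masks one byte; here it covers
# the rel32 operand of e8 (call), ff15 (call [mem]) and 68 (push imm32), which
# are the bytes most likely to differ between builds of the same code.
RULE_STRINGS = {
    "sequence_0": "ffd6 8945d8 83f8ff 0f8448ffffff c745b801000000",
    "sequence_1": "ff75f4 e8???????? ff75e0 e8???????? ff75f4",
    "sequence_2": "96 3b5375 60 d3e0 90 48 9e",
    "sequence_3": "f4 16 ee 7f7b",
    "sequence_4": "92 6a00 8d45ec 50 52 68????????",
    "sequence_5": "e022 3a56b9 036890 2b02 9a102a6715fb53 31db b0a6",
    "sequence_6": "53 8d9f42050000 8903 5b e8????????",
    "sequence_7": "d6 b6c6 e8???????? 6af4 dbe9 68912b4384",
    "sequence_8": "68912b4384 2383e08985e4 0572b6e2f4 fd 4e 128b42926614",
    "sequence_9": "751d 399d40f4ffff 750d ff15???????? 3de5030000 74a8",
    "sequence_10": "7415 57 57 53 8b7dfc e8????????",
    "sequence_11": "74f5 55 68???????? e8????????",
    "sequence_12": "ff7508 e8???????? c745f400100000 8d45f4 50",
    "sequence_13": "83c4f4 8d45fc 50 6a01 6a00",
    "sequence_14": "8d8570ffffff 50 e8???????? 898574ffffff 57 8bbd70ffffff 57",
    "sequence_15": "741e 8d85b8fcffff 50 e8????????",
    "sequence_16": "0c73 0e 96 3b5375",
    "sequence_17": "57 8911 7e25 8b7508 8a06 3c0a 7414",
    "sequence_18": "57 e8???????? c70728000000 56 e8????????",
    "sequence_19": "e8???????? 83c40c 8975fc 8d85bcfdffff 50",
    "sequence_20": "6878330000 6a00 ff33 8d8746020000",
    "sequence_21": "4a 51 d2b8c512294e 8c8873cd58c8 17",
    "sequence_22": "7524 ff7518 ff7514 8d45f8 50 6a00",
    "sequence_23": "f79bfe7ca80d a7 ad b710 2dc7ce5bbb d6",
}
MIN_MATCHES = 7          # "7 of them"
MAX_FILESIZE = 237568    # "filesize < 237568"


def _byte_tokens(hexstr):
    """Split 'ff75f4 e8????????' into ['ff', '75', 'f4', 'e8', '??', '??', '??', '??']."""
    digits = hexstr.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex string must contain whole bytes: %r" % hexstr)
    return [digits[i:i + 2] for i in range(0, len(digits), 2)]


def hex_to_regex(hexstr):
    """Translate a YARA hex string into a compiled bytes regex (?? -> any one byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in _byte_tokens(hexstr)]
    return re.compile(b"".join(parts), re.DOTALL)


def matched_strings(buf, rule_strings=RULE_STRINGS):
    """Names of the rule strings that occur at least once anywhere in buf."""
    return {name for name, hs in rule_strings.items() if hex_to_regex(hs).search(buf)}


def rule_matches(buf, rule_strings=RULE_STRINGS):
    """The rule condition: at least MIN_MATCHES distinct strings and the size bound."""
    return len(buf) < MAX_FILESIZE and len(matched_strings(buf, rule_strings)) >= MIN_MATCHES


def instantiate(hexstr, filler=0x41):
    """Concrete bytes for a pattern, with every ?? replaced by `filler`."""
    return bytes(filler if tok == "??" else int(tok, 16) for tok in _byte_tokens(hexstr))


def build_sample(names, pad=b"\x90" * 16):
    """Constructed buffer (not a Gozi sample): the named sequences joined by NOP sleds."""
    return pad + pad.join(instantiate(RULE_STRINGS[n]) for n in names) + pad


if __name__ == "__main__":
    seven = build_sample(["sequence_%d" % i for i in range(7)])
    six = build_sample(["sequence_%d" % i for i in range(6)])
    print("7 sequences:", sorted(matched_strings(seven)), rule_matches(seven))
    print("6 sequences:", sorted(matched_strings(six)), rule_matches(six))
    # The size bound is part of the condition: the same bytes in a larger
    # file do not fire the rule, which matters when scanning memory dumps.
    print("oversized:", rule_matches(seven + b"\x00" * MAX_FILESIZE))
```

Two practical points the script makes visible: the threshold is on distinct strings, so a file that repeats one sequence many times still counts it once, and the `filesize` bound means the rule as published is aimed at unpacked files and memory dumps of modest size, not at large packed droppers or whole-process dumps.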