SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gozi (Back to overview)

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif
URLhaus      

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.

References
2020-05-07Github (mlodic)Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} } Ursnif beacon decryptor
Gozi ISFB
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2017-05-29Lokalhost.plMaciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
DreamBot Gozi ISFB Powersniff
2017-02-15Palo Alto Networks Unit 42Kaoru Hayashi
@online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } Banking Trojans: Ursnif Global Distribution Networks Identified
Gozi
2016-11-23G DataG Data
@online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } Analysis: Ursnif - spying on your data since 2007
Gozi
2013-02-03Malware Must Die!Malware Must Die!
@online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
Gozi
2007-03-20SecureworksDon Jackson
@online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } Gozi Trojan
Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3b5375 60 d3e0 90 48 9e }
            // n = 6, score = 100
            //   3b5375               | cmp                 edx, dword ptr [ebx + 0x75]
            //   60                   | pushal              
            //   d3e0                 | shl                 eax, cl
            //   90                   | nop                 
            //   48                   | dec                 eax
            //   9e                   | sahf                

        $sequence_1 = { ff750c ff750c 68???????? 53 e8???????? 83c414 }
            // n = 6, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   68????????           |                     
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14

        $sequence_2 = { c9 c20c00 8bf0 037508 ad ad }
            // n = 6, score = 100
            //   c9                   | leave               
            //   c20c00               | ret                 0xc
            //   8bf0                 | mov                 esi, eax
            //   037508               | add                 esi, dword ptr [ebp + 8]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   ad                   | lodsd               eax, dword ptr [esi]

        $sequence_3 = { 8bec 81c478ffffff 6a00 6a00 6a02 }
            // n = 5, score = 100
            //   8bec                 | mov                 ebp, esp
            //   81c478ffffff         | add                 esp, 0xffffff78
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a02                 | push                2

        $sequence_4 = { c9 c20400 8a16 8815???????? 8ac2 }
            // n = 5, score = 100
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   8a16                 | mov                 dl, byte ptr [esi]
            //   8815????????         |                     
            //   8ac2                 | mov                 al, dl

        $sequence_5 = { b710 2dc7ce5bbb d6 b6c6 e8???????? }
            // n = 5, score = 100
            //   b710                 | mov                 bh, 0x10
            //   2dc7ce5bbb           | sub                 eax, 0xbb5bcec7
            //   d6                   | salc                
            //   b6c6                 | mov                 dh, 0xc6
            //   e8????????           |                     

        $sequence_6 = { c20800 55 8bec 83c4d0 53 c745f800200000 ff75f8 }
            // n = 7, score = 100
            //   c20800               | ret                 8
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83c4d0               | add                 esp, -0x30
            //   53                   | push                ebx
            //   c745f800200000       | mov                 dword ptr [ebp - 8], 0x2000
            //   ff75f8               | push                dword ptr [ebp - 8]

        $sequence_7 = { ff15???????? e8???????? c21400 56 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   e8????????           |                     
            //   c21400               | ret                 0x14
            //   56                   | push                esi

        $sequence_8 = { ff7508 e8???????? 8b5508 8b12 8d45f8 50 }
            // n = 6, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax

        $sequence_9 = { 55 f79bfe7ca80d a7 ad b710 2dc7ce5bbb }
            // n = 6, score = 100
            //   55                   | push                ebp
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   b710                 | mov                 bh, 0x10
            //   2dc7ce5bbb           | sub                 eax, 0xbb5bcec7

        $sequence_10 = { 8d5df8 ff7508 8f03 ff750c }
            // n = 4, score = 100
            //   8d5df8               | lea                 ebx, [ebp - 8]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8f03                 | pop                 dword ptr [ebx]
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_11 = { 89454e 8b4568 56 6800000040 }
            // n = 4, score = 100
            //   89454e               | mov                 dword ptr [ebp + 0x4e], eax
            //   8b4568               | mov                 eax, dword ptr [ebp + 0x68]
            //   56                   | push                esi
            //   6800000040           | push                0x40000000

        $sequence_12 = { dbe9 68912b4384 2383e08985e4 0572b6e2f4 fd }
            // n = 5, score = 100
            //   dbe9                 | fucomi              st(1)
            //   68912b4384           | push                0x84432b91
            //   2383e08985e4         | and                 eax, dword ptr [ebx - 0x1b7a7620]
            //   0572b6e2f4           | add                 eax, 0xf4e2b672
            //   fd                   | std                 

        $sequence_13 = { 7f7b 36110b 33745571 de7e75 cd18 4a }
            // n = 6, score = 100
            //   7f7b                 | jg                  0x7d
            //   36110b               | adc                 dword ptr ss:[ebx], ecx
            //   33745571             | xor                 esi, dword ptr [ebp + edx*2 + 0x71]
            //   de7e75               | fidivr              word ptr [esi + 0x75]
            //   cd18                 | int                 0x18
            //   4a                   | dec                 edx

        $sequence_14 = { ff45f0 48 880a 75ed ebc9 }
            // n = 5, score = 100
            //   ff45f0               | inc                 dword ptr [ebp - 0x10]
            //   48                   | dec                 eax
            //   880a                 | mov                 byte ptr [edx], cl
            //   75ed                 | jne                 0xffffffef
            //   ebc9                 | jmp                 0xffffffcb

        $sequence_15 = { 33f6 8975fc ff75e4 56 57 e8???????? }
            // n = 6, score = 100
            //   33f6                 | xor                 esi, esi
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_16 = { 43 6f 6d 7061 63743200 c808bf35 }
            // n = 6, score = 100
            //   43                   | inc                 ebx
            //   6f                   | outsd               dx, dword ptr [esi]
            //   6d                   | insd                dword ptr es:[edi], dx
            //   7061                 | jo                  0x63
            //   63743200             | arpl                word ptr [edx + esi], si
            //   c808bf35             | enter               -0x40f8, 0x35

        $sequence_17 = { 33db ff15???????? 8b442410 8b30 }
            // n = 4, score = 100
            //   33db                 | xor                 ebx, ebx
            //   ff15????????         |                     
            //   8b442410             | mov                 eax, dword ptr [esp + 0x10]
            //   8b30                 | mov                 esi, dword ptr [eax]

        $sequence_18 = { 8f45f0 8b45f0 0500040000 50 }
            // n = 4, score = 100
            //   8f45f0               | pop                 dword ptr [ebp - 0x10]
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   0500040000           | add                 eax, 0x400
            //   50                   | push                eax

        $sequence_19 = { 80fa2f 7e15 80fa3a 7d10 0fbed2 83ea30 }
            // n = 6, score = 100
            //   80fa2f               | cmp                 dl, 0x2f
            //   7e15                 | jle                 0x17
            //   80fa3a               | cmp                 dl, 0x3a
            //   7d10                 | jge                 0x12
            //   0fbed2               | movsx               edx, dl
            //   83ea30               | sub                 edx, 0x30

        $sequence_20 = { ff75e4 ffd7 8945cc 53 ff75e4 e8???????? 80bd7dfdffff01 }
            // n = 7, score = 100
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   ffd7                 | call                edi
            //   8945cc               | mov                 dword ptr [ebp - 0x34], eax
            //   53                   | push                ebx
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   e8????????           |                     
            //   80bd7dfdffff01       | cmp                 byte ptr [ebp - 0x283], 1

        $sequence_21 = { 2b02 9a102a6715fb53 31db b0a6 46 312d???????? }
            // n = 6, score = 100
            //   2b02                 | sub                 eax, dword ptr [edx]
            //   9a102a6715fb53       | lcall               0x53fb:0x15672a10
            //   31db                 | xor                 ebx, ebx
            //   b0a6                 | mov                 al, 0xa6
            //   46                   | inc                 esi
            //   312d????????         |                     

        $sequence_22 = { 8d4601 50 e8???????? 59 8bd8 57 53 }
            // n = 7, score = 100
            //   8d4601               | lea                 eax, [esi + 1]
            //   50                   | push                eax
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   8bd8                 | mov                 ebx, eax
            //   57                   | push                edi
            //   53                   | push                ebx

        $sequence_23 = { bf633629a8 02738f 1da2c9dde2 f4 16 ee 7f7b }
            // n = 7, score = 100
            //   bf633629a8           | mov                 edi, 0xa8293663
            //   02738f               | add                 dh, byte ptr [ebx - 0x71]
            //   1da2c9dde2           | sbb                 eax, 0xe2ddc9a2
            //   f4                   | hlt                 
            //   16                   | push                ss
            //   ee                   | out                 dx, al
            //   7f7b                 | jg                  0x7d

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules