SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gozi (Back to overview)

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif
URLhaus      

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.

References
2021-01-23Youtube (MalwareAnalysisForHedgehogs)Karsten Hahn
@online{hahn:20210123:malware:36b6878, author = {Karsten Hahn}, title = {{Malware Analysis - Fileless Gozi/Ursnif static analysis and unpacking}}, date = {2021-01-23}, organization = {Youtube (MalwareAnalysisForHedgehogs)}, url = {https://www.youtube.com/watch?v=BcFbkjUVc7o}, language = {English}, urldate = {2021-01-26} } Malware Analysis - Fileless Gozi/Ursnif static analysis and unpacking
Gozi
2020-12-21Cisco TalosJON MUNSHAW
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} } 2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-05-07Github (mlodic)Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} } Ursnif beacon decryptor
Gozi ISFB
2020-01-22Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} } The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2017-05-29Lokalhost.plMaciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
DreamBot Gozi ISFB Powersniff
2017-02-15Palo Alto Networks Unit 42Kaoru Hayashi
@online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } Banking Trojans: Ursnif Global Distribution Networks Identified
Gozi
2016-11-23G DataG Data
@online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } Analysis: Ursnif - spying on your data since 2007
Gozi
2013-02-03Malware Must Die!Malware Must Die!
@online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
Gozi
2007-03-20SecureworksDon Jackson
@online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } Gozi Trojan
Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 80bd7dfdffff01 0f851affffff 895db8 8d45b8 50 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   80bd7dfdffff01       | cmp                 byte ptr [ebp - 0x283], 1
            //   0f851affffff         | jne                 0xffffff20
            //   895db8               | mov                 dword ptr [ebp - 0x48], ebx
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   50                   | push                eax

        $sequence_1 = { ff750c 6a00 8d45f8 50 ff7508 8d871d050000 }
            // n = 6, score = 100
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6a00                 | push                0
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d871d050000         | lea                 eax, [edi + 0x51d]

        $sequence_2 = { 3b4de4 7403 40 ebe3 3b85acfeffff 7519 83bdacfeffff40 }
            // n = 7, score = 100
            //   3b4de4               | cmp                 ecx, dword ptr [ebp - 0x1c]
            //   7403                 | je                  5
            //   40                   | inc                 eax
            //   ebe3                 | jmp                 0xffffffe5
            //   3b85acfeffff         | cmp                 eax, dword ptr [ebp - 0x154]
            //   7519                 | jne                 0x1b
            //   83bdacfeffff40       | cmp                 dword ptr [ebp - 0x154], 0x40

        $sequence_3 = { 8d87cf030000 ff10 0bc0 7454 8b45f4 e8???????? 8b750c }
            // n = 7, score = 100
            //   8d87cf030000         | lea                 eax, [edi + 0x3cf]
            //   ff10                 | call                dword ptr [eax]
            //   0bc0                 | or                  eax, eax
            //   7454                 | je                  0x56
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]

        $sequence_4 = { c785fcfbffff00000000 8d85fcfbffff 50 8d85f8fbffff }
            // n = 4, score = 100
            //   c785fcfbffff00000000     | mov    dword ptr [ebp - 0x404], 0
            //   8d85fcfbffff         | lea                 eax, [ebp - 0x404]
            //   50                   | push                eax
            //   8d85f8fbffff         | lea                 eax, [ebp - 0x408]

        $sequence_5 = { 85c0 752a ff7518 ff7514 8d45f8 50 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   752a                 | jne                 0x2c
            //   ff7518               | push                dword ptr [ebp + 0x18]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   50                   | push                eax

        $sequence_6 = { 63743200 c808bf35 6963c03caff3da c9 50 0c73 0e }
            // n = 7, score = 100
            //   63743200             | arpl                word ptr [edx + esi], si
            //   c808bf35             | enter               -0x40f8, 0x35
            //   6963c03caff3da       | imul                esp, dword ptr [ebx - 0x40], 0xdaf3af3c
            //   c9                   | leave               
            //   50                   | push                eax
            //   0c73                 | or                  al, 0x73
            //   0e                   | push                cs

        $sequence_7 = { 33745571 de7e75 cd18 4a 51 d2b8c512294e 8c8873cd58c8 }
            // n = 7, score = 100
            //   33745571             | xor                 esi, dword ptr [ebp + edx*2 + 0x71]
            //   de7e75               | fidivr              word ptr [esi + 0x75]
            //   cd18                 | int                 0x18
            //   4a                   | dec                 edx
            //   51                   | push                ecx
            //   d2b8c512294e         | sar                 byte ptr [eax + 0x4e2912c5], cl
            //   8c8873cd58c8         | mov                 word ptr [eax - 0x37a7328d], cs

        $sequence_8 = { 10ba810b7f57 a4 8c6a38 55 f79bfe7ca80d }
            // n = 5, score = 100
            //   10ba810b7f57         | adc                 byte ptr [edx + 0x577f0b81], bh
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8c6a38               | mov                 word ptr [edx + 0x38], gs
            //   55                   | push                ebp
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]

        $sequence_9 = { 398c85b0feffff 7403 40 ebea 3bc3 7512 }
            // n = 6, score = 100
            //   398c85b0feffff       | cmp                 dword ptr [ebp + eax*4 - 0x150], ecx
            //   7403                 | je                  5
            //   40                   | inc                 eax
            //   ebea                 | jmp                 0xffffffec
            //   3bc3                 | cmp                 eax, ebx
            //   7512                 | jne                 0x14

        $sequence_10 = { 2bc3 3dff000000 7228 c643ffff }
            // n = 4, score = 100
            //   2bc3                 | sub                 eax, ebx
            //   3dff000000           | cmp                 eax, 0xff
            //   7228                 | jb                  0x2a
            //   c643ffff             | mov                 byte ptr [ebx - 1], 0xff

        $sequence_11 = { 1da2c9dde2 f4 16 ee 7f7b }
            // n = 5, score = 100
            //   1da2c9dde2           | sbb                 eax, 0xe2ddc9a2
            //   f4                   | hlt                 
            //   16                   | push                ss
            //   ee                   | out                 dx, al
            //   7f7b                 | jg                  0x7d

        $sequence_12 = { 83f8ff 0f8448ffffff c745b801000000 8d45b8 50 }
            // n = 5, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   0f8448ffffff         | je                  0xffffff4e
            //   c745b801000000       | mov                 dword ptr [ebp - 0x48], 1
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   50                   | push                eax

        $sequence_13 = { 8d45bc 50 6800040000 ff75b8 ff750c ff520c }
            // n = 6, score = 100
            //   8d45bc               | lea                 eax, [ebp - 0x44]
            //   50                   | push                eax
            //   6800040000           | push                0x400
            //   ff75b8               | push                dword ptr [ebp - 0x48]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff520c               | call                dword ptr [edx + 0xc]

        $sequence_14 = { 85c0 0f85aa000000 833d????????00 754d }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   0f85aa000000         | jne                 0xb0
            //   833d????????00       |                     
            //   754d                 | jne                 0x4f

        $sequence_15 = { 036890 2b02 9a102a6715fb53 31db b0a6 }
            // n = 5, score = 100
            //   036890               | add                 ebp, dword ptr [eax - 0x70]
            //   2b02                 | sub                 eax, dword ptr [edx]
            //   9a102a6715fb53       | lcall               0x53fb:0x15672a10
            //   31db                 | xor                 ebx, ebx
            //   b0a6                 | mov                 al, 0xa6

        $sequence_16 = { 0c73 0e 96 3b5375 60 d3e0 }
            // n = 6, score = 100
            //   0c73                 | or                  al, 0x73
            //   0e                   | push                cs
            //   96                   | xchg                eax, esi
            //   3b5375               | cmp                 edx, dword ptr [ebx + 0x75]
            //   60                   | pushal              
            //   d3e0                 | shl                 eax, cl

        $sequence_17 = { 3975e4 7417 ff750c ff7508 6a03 }
            // n = 5, score = 100
            //   3975e4               | cmp                 dword ptr [ebp - 0x1c], esi
            //   7417                 | je                  0x19
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   6a03                 | push                3

        $sequence_18 = { b0a6 46 312d???????? ca065b dc6f1b 95 }
            // n = 6, score = 100
            //   b0a6                 | mov                 al, 0xa6
            //   46                   | inc                 esi
            //   312d????????         |                     
            //   ca065b               | retf                0x5b06
            //   dc6f1b               | fsubr               qword ptr [edi + 0x1b]
            //   95                   | xchg                eax, ebp

        $sequence_19 = { 8d85f8fbffff 50 ff75fc e8???????? 8b550c 8b12 6a00 }
            // n = 7, score = 100
            //   8d85f8fbffff         | lea                 eax, [ebp - 0x408]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   8b550c               | mov                 edx, dword ptr [ebp + 0xc]
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   6a00                 | push                0

        $sequence_20 = { 8b55f4 8be5 5d 52 c3 e8???????? 33c0 }
            // n = 7, score = 100
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   52                   | push                edx
            //   c3                   | ret                 
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax

        $sequence_21 = { 4e 128b42926614 12a502b346d1 41 b87e8da638 e022 }
            // n = 6, score = 100
            //   4e                   | dec                 esi
            //   128b42926614         | adc                 cl, byte ptr [ebx + 0x14669242]
            //   12a502b346d1         | adc                 ah, byte ptr [ebp - 0x2eb94cfe]
            //   41                   | inc                 ecx
            //   b87e8da638           | mov                 eax, 0x38a68d7e
            //   e022                 | loopne              0x24

        $sequence_22 = { 59 391d???????? 0f849b000000 33ff 89bda8fdffff e8???????? }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   391d????????         |                     
            //   0f849b000000         | je                  0xa1
            //   33ff                 | xor                 edi, edi
            //   89bda8fdffff         | mov                 dword ptr [ebp - 0x258], edi
            //   e8????????           |                     

        $sequence_23 = { 50 e8???????? 56 57 ff75e0 e8???????? }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   56                   | push                esi
            //   57                   | push                edi
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules