SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gozi (Back to overview)

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif
URLhaus      

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.

References
2020-05-07Github (mlodic)Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} } Ursnif beacon decryptor
Gozi ISFB
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2017-05-29Lokalhost.plMaciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
DreamBot Gozi ISFB Powersniff
2017-02-15Palo Alto Networks Unit 42Kaoru Hayashi
@online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } Banking Trojans: Ursnif Global Distribution Networks Identified
Gozi
2016-11-23G DataG Data
@online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } Analysis: Ursnif - spying on your data since 2007
Gozi
2013-02-03Malware Must Die!Malware Must Die!
@online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
Gozi
2007-03-20SecureworksDon Jackson
@online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } Gozi Trojan
Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ee 7f7b 36110b 33745571 de7e75 }
            // n = 5, score = 100
            //   ee                   | out                 dx, al
            //   7f7b                 | jg                  0x7d
            //   36110b               | adc                 dword ptr ss:[ebx], ecx
            //   33745571             | xor                 esi, dword ptr [ebp + edx*2 + 0x71]
            //   de7e75               | fidivr              word ptr [esi + 0x75]

        $sequence_1 = { e8???????? 0faff0 33ff 897dfc 56 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   0faff0               | imul                esi, eax
            //   33ff                 | xor                 edi, edi
            //   897dfc               | mov                 dword ptr [ebp - 4], edi
            //   56                   | push                esi

        $sequence_2 = { 8b442404 85c0 7427 8a08 }
            // n = 4, score = 100
            //   8b442404             | mov                 eax, dword ptr [esp + 4]
            //   85c0                 | test                eax, eax
            //   7427                 | je                  0x29
            //   8a08                 | mov                 cl, byte ptr [eax]

        $sequence_3 = { 55 f79bfe7ca80d a7 ad b710 2dc7ce5bbb d6 }
            // n = 7, score = 100
            //   55                   | push                ebp
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   b710                 | mov                 bh, 0x10
            //   2dc7ce5bbb           | sub                 eax, 0xbb5bcec7
            //   d6                   | salc                

        $sequence_4 = { 50 68???????? ffb5acfeffff e8???????? 83c414 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   68????????           |                     
            //   ffb5acfeffff         | push                dword ptr [ebp - 0x154]
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14

        $sequence_5 = { 50 e8???????? 6a04 6a00 68???????? 8d45f8 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a04                 | push                4
            //   6a00                 | push                0
            //   68????????           |                     
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_6 = { ff7510 e8???????? 8d879e020000 ff10 c9 c20c00 }
            // n = 6, score = 100
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   e8????????           |                     
            //   8d879e020000         | lea                 eax, [edi + 0x29e]
            //   ff10                 | call                dword ptr [eax]
            //   c9                   | leave               
            //   c20c00               | ret                 0xc

        $sequence_7 = { 0f843f010000 8b16 03c8 03d0 03f8 }
            // n = 5, score = 100
            //   0f843f010000         | je                  0x145
            //   8b16                 | mov                 edx, dword ptr [esi]
            //   03c8                 | add                 ecx, eax
            //   03d0                 | add                 edx, eax
            //   03f8                 | add                 edi, eax

        $sequence_8 = { ff15???????? 397dd8 7409 ff75d8 ff15???????? c3 56 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   397dd8               | cmp                 dword ptr [ebp - 0x28], edi
            //   7409                 | je                  0xb
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   ff15????????         |                     
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_9 = { 83c40c 8b07 01460c 8b4610 8985c8f2ffff }
            // n = 5, score = 100
            //   83c40c               | add                 esp, 0xc
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   01460c               | add                 dword ptr [esi + 0xc], eax
            //   8b4610               | mov                 eax, dword ptr [esi + 0x10]
            //   8985c8f2ffff         | mov                 dword ptr [ebp - 0xd38], eax

        $sequence_10 = { ff75a4 e8???????? 8b55a4 8b12 6a00 ff75a8 }
            // n = 6, score = 100
            //   ff75a4               | push                dword ptr [ebp - 0x5c]
            //   e8????????           |                     
            //   8b55a4               | mov                 edx, dword ptr [ebp - 0x5c]
            //   8b12                 | mov                 edx, dword ptr [edx]
            //   6a00                 | push                0
            //   ff75a8               | push                dword ptr [ebp - 0x58]

        $sequence_11 = { 02738f 1da2c9dde2 f4 16 ee }
            // n = 5, score = 100
            //   02738f               | add                 dh, byte ptr [ebx - 0x71]
            //   1da2c9dde2           | sbb                 eax, 0xe2ddc9a2
            //   f4                   | hlt                 
            //   16                   | push                ss
            //   ee                   | out                 dx, al

        $sequence_12 = { 8908 50 45 43 6f 6d 7061 }
            // n = 7, score = 100
            //   8908                 | mov                 dword ptr [eax], ecx
            //   50                   | push                eax
            //   45                   | inc                 ebp
            //   43                   | inc                 ebx
            //   6f                   | outsd               dx, dword ptr [esi]
            //   6d                   | insd                dword ptr es:[edi], dx
            //   7061                 | jo                  0x63

        $sequence_13 = { 50 ffd6 83c418 8d45a0 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   ffd6                 | call                esi
            //   83c418               | add                 esp, 0x18
            //   8d45a0               | lea                 eax, [ebp - 0x60]

        $sequence_14 = { ff75e0 8d8786020000 ff10 0bc0 750c ff75d4 }
            // n = 6, score = 100
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   8d8786020000         | lea                 eax, [edi + 0x286]
            //   ff10                 | call                dword ptr [eax]
            //   0bc0                 | or                  eax, eax
            //   750c                 | jne                 0xe
            //   ff75d4               | push                dword ptr [ebp - 0x2c]

        $sequence_15 = { be84f7c34f 10ba810b7f57 a4 8c6a38 }
            // n = 4, score = 100
            //   be84f7c34f           | mov                 esi, 0x4fc3f784
            //   10ba810b7f57         | adc                 byte ptr [edx + 0x577f0b81], bh
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8c6a38               | mov                 word ptr [edx + 0x38], gs

        $sequence_16 = { ca065b dc6f1b 95 bf633629a8 02738f }
            // n = 5, score = 100
            //   ca065b               | retf                0x5b06
            //   dc6f1b               | fsubr               qword ptr [edi + 0x1b]
            //   95                   | xchg                eax, ebp
            //   bf633629a8           | mov                 edi, 0xa8293663
            //   02738f               | add                 dh, byte ptr [ebx - 0x71]

        $sequence_17 = { ff15???????? 8945dc 895dfc 68???????? 50 8b35???????? }
            // n = 6, score = 100
            //   ff15????????         |                     
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   68????????           |                     
            //   50                   | push                eax
            //   8b35????????         |                     

        $sequence_18 = { 8d4560 50 ff756c 8d85f0fbffff }
            // n = 4, score = 100
            //   8d4560               | lea                 eax, [ebp + 0x60]
            //   50                   | push                eax
            //   ff756c               | push                dword ptr [ebp + 0x6c]
            //   8d85f0fbffff         | lea                 eax, [ebp - 0x410]

        $sequence_19 = { 8d347f c1e602 e8???????? 8b4050 ff3430 }
            // n = 5, score = 100
            //   8d347f               | lea                 esi, [edi + edi*2]
            //   c1e602               | shl                 esi, 2
            //   e8????????           |                     
            //   8b4050               | mov                 eax, dword ptr [eax + 0x50]
            //   ff3430               | push                dword ptr [eax + esi]

        $sequence_20 = { e8???????? 83c410 8937 5f 5e 5b }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8937                 | mov                 dword ptr [edi], esi
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_21 = { e8???????? 8945fc ff7508 50 e8???????? 0bc0 740e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   ff7508               | push                dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   0bc0                 | or                  eax, eax
            //   740e                 | je                  0x10

        $sequence_22 = { 036890 2b02 9a102a6715fb53 31db b0a6 }
            // n = 5, score = 100
            //   036890               | add                 ebp, dword ptr [eax - 0x70]
            //   2b02                 | sub                 eax, dword ptr [edx]
            //   9a102a6715fb53       | lcall               0x53fb:0x15672a10
            //   31db                 | xor                 ebx, ebx
            //   b0a6                 | mov                 al, 0xa6

        $sequence_23 = { 6d 7061 63743200 c808bf35 6963c03caff3da c9 }
            // n = 6, score = 100
            //   6d                   | insd                dword ptr es:[edi], dx
            //   7061                 | jo                  0x63
            //   63743200             | arpl                word ptr [edx + esi], si
            //   c808bf35             | enter               -0x40f8, 0x35
            //   6963c03caff3da       | imul                esp, dword ptr [ebx - 0x40], 0xdaf3af3c
            //   c9                   | leave               

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules