win.gozi

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM', aka 'CRM', aka Papras) was first observed.
It was offered as a CaaS known as 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif (aka Snifula), a spyware developed by Alexey Ivanov around 2000, and from some other kits. Gozi v1.0 therefore had a formgrabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM DLL version was leaked. Two lines of descendants came out of that leak: Gozi Prinimalka (a slightly modified Gozi v1.0), which in combination with Pony led to Vawtrak/Neverquest, and Gozi v2.0 (aka 'Gozi ISFB', aka 'ISFB', aka Pandemyia). Gozi v2.0 came with a webinject module.

References
2021-09-03 | Trend Micro | Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} }
Families: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader

2021-06-30 | The Record | Catalin Cimpanu
@online{cimpanu:20210630:gozi:8760ba7, author = {Catalin Cimpanu}, title = {{Gozi malware gang member arrested in Colombia}}, date = {2021-06-30}, organization = {The Record}, url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/}, language = {English}, urldate = {2021-07-02} }
Families: Gozi, ISFB

2021-05-26 | DeepInstinct | Ron Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} }
Families: Cobalt Strike, Dridex, Emotet, Gozi, ISFB, Mailto, QakBot, SmokeLoader, WastedLocker, Zloader

2021-03-31 | Kaspersky | Kaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} }
Families: BetaBot, DanaBot, Emotet, Gozi, Ramnit, RTM, SpyEye, TrickBot, Zeus

2020-12-21 | Cisco Talos | Jon Munshaw
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} }
Families: WolfRAT, Prometei, Poet RAT, Agent Tesla, Astaroth, Ave Maria, CRAT, Emotet, Gozi, IndigoDrop, JhoneRAT, Nanocore RAT, NjRAT, Oblique RAT, SmokeLoader, StrongPity, WastedLocker, Zloader

2020-08-09 | F5 Labs | Remi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} }
Families: BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus

2020-05-07 | Github (mlodic) | Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} }
Families: Gozi, ISFB

2020-01-22 | Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst’s guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} }
Families: Azorult, Gozi, IcedID, ISFB, LOLSnif, SUNBURST, TEARDROP

2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} }
Families: GlobeImposter, Gozi, IcedID, TrickBot, LUNAR SPIDER

2017-05-29 | Lokalhost.pl | Maciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} }
Families: DreamBot, Gozi, ISFB, Powersniff

2017-02-15 | Palo Alto Networks Unit 42 | Kaoru Hayashi
@online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} }
Families: Gozi

2016-11-23 | G Data | G Data
@online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} }
Families: Gozi

2013-02-03 | Malware Must Die! | Malware Must Die!
@online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} }
Families: Gozi

2007-03-20 | Secureworks | Don Jackson
@online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} }
Families: Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20211008 | Detects win.gozi.)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.gozi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 83c414 85c0 751d 53 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   85c0                 | test                eax, eax
            //   751d                 | jne                 0x1f
            //   53                   | push                ebx

        $sequence_1 = { dc6f1b 95 bf633629a8 02738f 1da2c9dde2 }
            // n = 5, score = 100
            //   dc6f1b               | fsubr               qword ptr [edi + 0x1b]
            //   95                   | xchg                eax, ebp
            //   bf633629a8           | mov                 edi, 0xa8293663
            //   02738f               | add                 dh, byte ptr [ebx - 0x71]
            //   1da2c9dde2           | sbb                 eax, 0xe2ddc9a2

        $sequence_2 = { 50 e8???????? 898574ffffff 57 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   898574ffffff         | mov                 dword ptr [ebp - 0x8c], eax
            //   57                   | push                edi

        $sequence_3 = { 56 56 6a50 ff7570 53 ff15???????? }
            // n = 6, score = 100
            //   56                   | push                esi
            //   56                   | push                esi
            //   6a50                 | push                0x50
            //   ff7570               | push                dword ptr [ebp + 0x70]
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_4 = { 68???????? 8d8500ffffff 50 e8???????? ff7508 8d8500ffffff }
            // n = 6, score = 100
            //   68????????           |                     
            //   8d8500ffffff         | lea                 eax, dword ptr [ebp - 0x100]
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d8500ffffff         | lea                 eax, dword ptr [ebp - 0x100]

        $sequence_5 = { 740a 53 8d9ff9040000 8903 5b }
            // n = 5, score = 100
            //   740a                 | je                  0xc
            //   53                   | push                ebx
            //   8d9ff9040000         | lea                 ebx, dword ptr [edi + 0x4f9]
            //   8903                 | mov                 dword ptr [ebx], eax
            //   5b                   | pop                 ebx

        $sequence_6 = { 8d8775030000 50 e8???????? 0bc0 7504 c9 }
            // n = 6, score = 100
            //   8d8775030000         | lea                 eax, dword ptr [edi + 0x375]
            //   50                   | push                eax
            //   e8????????           |                     
            //   0bc0                 | or                  eax, eax
            //   7504                 | jne                 6
            //   c9                   | leave               

        $sequence_7 = { ff5208 8b45f8 8b4df4 c9 c20400 }
            // n = 5, score = 100
            //   ff5208               | call                dword ptr [edx + 8]
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   c9                   | leave               
            //   c20400               | ret                 4

        $sequence_8 = { eb93 e8???????? 894654 ffb574ffffff }
            // n = 4, score = 100
            //   eb93                 | jmp                 0xffffff95
            //   e8????????           |                     
            //   894654               | mov                 dword ptr [esi + 0x54], eax
            //   ffb574ffffff         | push                dword ptr [ebp - 0x8c]

        $sequence_9 = { fd 4e 128b42926614 12a502b346d1 41 b87e8da638 e022 }
            // n = 7, score = 100
            //   fd                   | std                 
            //   4e                   | dec                 esi
            //   128b42926614         | adc                 cl, byte ptr [ebx + 0x14669242]
            //   12a502b346d1         | adc                 ah, byte ptr [ebp - 0x2eb94cfe]
            //   41                   | inc                 ecx
            //   b87e8da638           | mov                 eax, 0x38a68d7e
            //   e022                 | loopne              0x24

        $sequence_10 = { eb07 8b0485fa124100 833c85fa12410000 75ef }
            // n = 4, score = 100
            //   eb07                 | jmp                 9
            //   8b0485fa124100       | mov                 eax, dword ptr [eax*4 + 0x4112fa]
            //   833c85fa12410000     | cmp                 dword ptr [eax*4 + 0x4112fa], 0
            //   75ef                 | jne                 0xfffffff1

        $sequence_11 = { 10ba810b7f57 a4 8c6a38 55 }
            // n = 4, score = 100
            //   10ba810b7f57         | adc                 byte ptr [edx + 0x577f0b81], bh
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8c6a38               | mov                 word ptr [edx + 0x38], gs
            //   55                   | push                ebp

        $sequence_12 = { 0e 96 3b5375 60 }
            // n = 4, score = 100
            //   0e                   | push                cs
            //   96                   | xchg                eax, esi
            //   3b5375               | cmp                 edx, dword ptr [ebx + 0x75]
            //   60                   | pushal              

        $sequence_13 = { c808bf35 6963c03caff3da c9 50 0c73 0e }
            // n = 6, score = 100
            //   c808bf35             | enter               -0x40f8, 0x35
            //   6963c03caff3da       | imul                esp, dword ptr [ebx - 0x40], 0xdaf3af3c
            //   c9                   | leave               
            //   50                   | push                eax
            //   0c73                 | or                  al, 0x73
            //   0e                   | push                cs

        $sequence_14 = { 8b5c2408 56 8bf1 57 8d7e0c 832700 }
            // n = 6, score = 100
            //   8b5c2408             | mov                 ebx, dword ptr [esp + 8]
            //   56                   | push                esi
            //   8bf1                 | mov                 esi, ecx
            //   57                   | push                edi
            //   8d7e0c               | lea                 edi, dword ptr [esi + 0xc]
            //   832700               | and                 dword ptr [edi], 0

        $sequence_15 = { 57 56 e8???????? 83c40c 56 ff7508 e8???????? }
            // n = 7, score = 100
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   56                   | push                esi
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_16 = { b8???????? 50 64ff3500000000 64892500000000 33c0 8908 }
            // n = 6, score = 100
            //   b8????????           |                     
            //   50                   | push                eax
            //   64ff3500000000       | push                dword ptr fs:[0]
            //   64892500000000       | mov                 dword ptr fs:[0], esp
            //   33c0                 | xor                 eax, eax
            //   8908                 | mov                 dword ptr [eax], ecx

        $sequence_17 = { 93 8b7d08 8b750c fc 33c0 }
            // n = 5, score = 100
            //   93                   | xchg                eax, ebx
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8b750c               | mov                 esi, dword ptr [ebp + 0xc]
            //   fc                   | cld                 
            //   33c0                 | xor                 eax, eax

        $sequence_18 = { e8???????? eb06 33c0 eb02 eb50 8bf8 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   eb06                 | jmp                 8
            //   33c0                 | xor                 eax, eax
            //   eb02                 | jmp                 4
            //   eb50                 | jmp                 0x52
            //   8bf8                 | mov                 edi, eax

        $sequence_19 = { f79bfe7ca80d a7 ad b710 2dc7ce5bbb }
            // n = 5, score = 100
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   b710                 | mov                 bh, 0x10
            //   2dc7ce5bbb           | sub                 eax, 0xbb5bcec7

        $sequence_20 = { ff15???????? 03c6 034508 50 e8???????? 8945e0 83f8ff }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   03c6                 | add                 eax, esi
            //   034508               | add                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   83f8ff               | cmp                 eax, -1

        $sequence_21 = { 895de0 c745fc01000000 8365dc00 8b7508 }
            // n = 4, score = 100
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx
            //   c745fc01000000       | mov                 dword ptr [ebp - 4], 1
            //   8365dc00             | and                 dword ptr [ebp - 0x24], 0
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]

        $sequence_22 = { ff75e0 ff15???????? ff7508 ff15???????? 85c0 7510 }
            // n = 6, score = 100
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   ff15????????         |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7510                 | jne                 0x12

        $sequence_23 = { 9a102a6715fb53 31db b0a6 46 312d???????? ca065b }
            // n = 6, score = 100
            //   9a102a6715fb53       | lcall               0x53fb:0x15672a10
            //   31db                 | xor                 ebx, ebx
            //   b0a6                 | mov                 al, 0xa6
            //   46                   | inc                 esi
            //   312d????????         |                     
            //   ca065b               | retf                0x5b06

    condition:
        7 of them and filesize < 237568
}
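To make visible what the rule's `7 of them and filesize < 237568` condition and its `??` wildcard bytes actually evaluate to, here is an added Python example; it is not Malpedia's or yara-signator's code. It copies the `$sequence_*` hex strings and the condition line from win_gozi_auto above into a small stand-alone evaluator: each hex string is compiled to a bytes regex (`??` becomes "any byte"), a buffer is scanned, and the number of distinct matching strings is compared with the threshold together with the size bound. The test buffers are constructed inside the example from the rule's own sequences with wildcard bytes filled with 0xcc; they are not Gozi samples, only a way to exercise the three outcomes (enough sequences, too few sequences, file too large).

```python
import re

# The $sequence_* hex strings and the condition, copied from win_gozi_auto
# above (only the lines this evaluator needs; meta and comments dropped).
WIN_GOZI_AUTO = r"""
strings:
    $sequence_0 = { e8???????? 83c414 85c0 751d 53 }
    $sequence_1 = { dc6f1b 95 bf633629a8 02738f 1da2c9dde2 }
    $sequence_2 = { 50 e8???????? 898574ffffff 57 }
    $sequence_3 = { 56 56 6a50 ff7570 53 ff15???????? }
    $sequence_4 = { 68???????? 8d8500ffffff 50 e8???????? ff7508 8d8500ffffff }
    $sequence_5 = { 740a 53 8d9ff9040000 8903 5b }
    $sequence_6 = { 8d8775030000 50 e8???????? 0bc0 7504 c9 }
    $sequence_7 = { ff5208 8b45f8 8b4df4 c9 c20400 }
    $sequence_8 = { eb93 e8???????? 894654 ffb574ffffff }
    $sequence_9 = { fd 4e 128b42926614 12a502b346d1 41 b87e8da638 e022 }
    $sequence_10 = { eb07 8b0485fa124100 833c85fa12410000 75ef }
    $sequence_11 = { 10ba810b7f57 a4 8c6a38 55 }
    $sequence_12 = { 0e 96 3b5375 60 }
    $sequence_13 = { c808bf35 6963c03caff3da c9 50 0c73 0e }
    $sequence_14 = { 8b5c2408 56 8bf1 57 8d7e0c 832700 }
    $sequence_15 = { 57 56 e8???????? 83c40c 56 ff7508 e8???????? }
    $sequence_16 = { b8???????? 50 64ff3500000000 64892500000000 33c0 8908 }
    $sequence_17 = { 93 8b7d08 8b750c fc 33c0 }
    $sequence_18 = { e8???????? eb06 33c0 eb02 eb50 8bf8 }
    $sequence_19 = { f79bfe7ca80d a7 ad b710 2dc7ce5bbb }
    $sequence_20 = { ff15???????? 03c6 034508 50 e8???????? 8945e0 83f8ff }
    $sequence_21 = { 895de0 c745fc01000000 8365dc00 8b7508 }
    $sequence_22 = { ff75e0 ff15???????? ff7508 ff15???????? 85c0 7510 }
    $sequence_23 = { 9a102a6715fb53 31db b0a6 46 312d???????? ca065b }
condition:
    7 of them and filesize < 237568
"""

HEX_STRING_RE = re.compile(r"\$(\w+)\s*=\s*\{([0-9a-fA-F? ]+)\}")
CONDITION_RE = re.compile(r"(\d+) of them and filesize < (\d+)")


def parse_rule(rule_text):
    """Extract {name: hex_string} and (min_matches, max_filesize) from rule text.

    Only the 'N of them and filesize < X' condition shape used above is supported.
    """
    strings = {name: body.strip() for name, body in HEX_STRING_RE.findall(rule_text)}
    m = CONDITION_RE.search(rule_text)
    if m is None:
        raise ValueError("unsupported condition; expected 'N of them and filesize < X'")
    return strings, int(m.group(1)), int(m.group(2))


def hex_string_to_regex(hex_string):
    """Compile a YARA hex string to a bytes regex; each '??' matches any one byte."""
    tokens = hex_string.replace(" ", "")
    if len(tokens) % 2:
        raise ValueError("odd-length hex string: %r" % hex_string)
    parts = []
    for i in range(0, len(tokens), 2):
        pair = tokens[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    # DOTALL so the wildcard also matches 0x0a, which '.' would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf, rule_text=WIN_GOZI_AUTO):
    """Return (matched, hits); hits maps each matching string name to its offsets."""
    strings, min_matches, max_filesize = parse_rule(rule_text)
    hits = {}
    for name, hex_string in strings.items():
        offsets = [m.start() for m in hex_string_to_regex(hex_string).finditer(buf)]
        if offsets:
            hits[name] = offsets
    # 'N of them' counts distinct strings, not occurrences; filesize is the buffer length.
    matched = len(hits) >= min_matches and len(buf) < max_filesize
    return matched, hits


def build_sample(names, rule_text=WIN_GOZI_AUTO, filler=b"\x90" * 16):
    """Constructed test buffer (not a real sample): the named sequences with
    wildcard bytes filled with 0xcc, separated and padded by NOP filler."""
    strings, _, _ = parse_rule(rule_text)
    chunks = [bytes.fromhex(strings[n].replace("??", "cc").replace(" ", "")) for n in names]
    return filler + filler.join(chunks) + filler
```

Running `scan(build_sample(["sequence_0", "sequence_3", "sequence_5", "sequence_7", "sequence_14", "sequence_17", "sequence_21"]))` reports a match with seven distinct hits, while the same buffer padded past 237568 bytes does not, even though every sequence is still present; that size bound is part of why auto-generated rules of this kind are tuned to the unpacked or dumped samples the disclaimer mentions rather than to arbitrary containers. The example avoids the yara-python dependency so it runs offline; for real scanning use the YARA engine itself, which also handles the other hex-string features (jumps, alternatives, nibble wildcards) this toy deliberately omits.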