win.gozi

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM', aka Papras) was first observed.
It was offered as a CaaS known as 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and from some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM DLL version was leaked. The leak led to two lineages: Gozi Prinimalka (a slightly modified Gozi v1.0), which in combination with Pony gave rise to Vawtrak/Neverquest, and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia), which came with a webinject module.

References
2025-12-16 | R3dy's Blog | Paul Viard
Gozi Gozi Gozi - String Decryption
Tags: Gozi ISFB
2024-07-02 | Sekoia | Quentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
Tags: BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar
2023-12-20 | Viuleeenz | Alessandro Strino
Applied Emulation - Decrypting Ursnif strings with Unicorn
Tags: Gozi
2023-11-21 | IBM | Charlotte Hammond, Kat Metrick, Ole Villadsen
Stealthy WailingCrab Malware misuses MQTT Messaging Protocol
Tags: Gozi WikiLoader
2023-07-18 | Kostas TS | Kostas
Ursnif VS Italy: Il PDF del Destino
Tags: Gozi ISFB Snifula
2023-03-19 | 0xToxin Labs | @0xToxin
Gozi - Italian ShellCode Dance
Tags: Gozi ISFB
2023-03-14 | Viuleeenz | Alessandro Strino
Dynamic Binary Instrumentation for Malware Analysis
Tags: Gozi
2022-10-24 | Medium CSIS Techblog | Benoît Ancel
Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.
Tags: Gozi ISFB Snifula
2022-05-09 | Microsoft Security | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Tags: Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Tags: AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2021-09-03 | Trend Micro | Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
Tags: AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-06-30 | The Record | Catalin Cimpanu
Gozi malware gang member arrested in Colombia
Tags: Gozi ISFB
2021-05-26 | DeepInstinct | Ron Ben Yizhak
A Deep Dive into Packing Software CryptOne
Tags: Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-03-31 | Kaspersky SAS | Kaspersky
Financial Cyberthreats in 2020
Tags: BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-12-21 | Cisco Talos | Jon Munshaw
2020: The year in malware
Tags: WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-08-09 | F5 Labs | Debbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
Tags: BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-05-07 | Github (mlodic) | Matteo Lodi
Ursnif beacon decryptor
Tags: Gozi ISFB
2020-01-22 | Thomas Barabosch
The malware analyst’s guide to PE timestamps
Tags: Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020-01-01 | Secureworks | SecureWorks
GOLD SWATHMORE
Tags: GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2017-05-29 | Lokalhost.pl | Maciej Kotowicz
Gozi Tree
Tags: DreamBot Gozi ISFB Powersniff
2017-02-15 | Palo Alto Networks Unit 42 | Kaoru Hayashi
Banking Trojans: Ursnif Global Distribution Networks Identified
Tags: Gozi
2016-11-23 | G Data | G Data
Analysis: Ursnif - spying on your data since 2007
Tags: Gozi
2013-02-03 | Malware Must Die! | Malware Must Die!
The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
Tags: Gozi
2007-03-20 | Secureworks | Don Jackson
Gozi Trojan
Tags: Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20260504 | Detects win.gozi.)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.gozi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 45 43 6f 6d 7061 63743200 c808bf35 }
            // n = 7, score = 100
            //   45                   | inc                 ebp
            //   43                   | inc                 ebx
            //   6f                   | outsd               dx, dword ptr [esi]
            //   6d                   | insd                dword ptr es:[edi], dx
            //   7061                 | jo                  0x63
            //   63743200             | arpl                word ptr [edx + esi], si
            //   c808bf35             | enter               -0x40f8, 0x35

        $sequence_1 = { 6a00 6a00 8b4d18 e8???????? 8b45e0 50 }
            // n = 6, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   e8????????           |                     
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   50                   | push                eax

        $sequence_2 = { 94 6e 8ee1 54 257c693a5c 48 fb }
            // n = 7, score = 100
            //   94                   | xchg                eax, esp
            //   6e                   | outsb               dx, byte ptr [esi]
            //   8ee1                 | mov                 fs, ecx
            //   54                   | push                esp
            //   257c693a5c           | and                 eax, 0x5c3a697c
            //   48                   | dec                 eax
            //   fb                   | sti                 

        $sequence_3 = { c7400402000000 e9???????? 817df800001000 7607 c745f800001000 }
            // n = 5, score = 100
            //   c7400402000000       | mov                 dword ptr [eax + 4], 2
            //   e9????????           |                     
            //   817df800001000       | cmp                 dword ptr [ebp - 8], 0x100000
            //   7607                 | jbe                 9
            //   c745f800001000       | mov                 dword ptr [ebp - 8], 0x100000

        $sequence_4 = { 8bf0 8b450c 8b4010 83660c00 894604 }
            // n = 5, score = 100
            //   8bf0                 | mov                 esi, eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4010               | mov                 eax, dword ptr [eax + 0x10]
            //   83660c00             | and                 dword ptr [esi + 0xc], 0
            //   894604               | mov                 dword ptr [esi + 4], eax

        $sequence_5 = { ff7514 ff7510 ff750c ff7508 8d8715050000 ff10 }
            // n = 6, score = 100
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8d8715050000         | lea                 eax, [edi + 0x515]
            //   ff10                 | call                dword ptr [eax]

        $sequence_6 = { 7447 56 53 ff15???????? 8945d8 56 }
            // n = 6, score = 100
            //   7447                 | je                  0x49
            //   56                   | push                esi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   8945d8               | mov                 dword ptr [ebp - 0x28], eax
            //   56                   | push                esi

        $sequence_7 = { e8???????? 6af4 dbe9 68912b4384 2383e08985e4 0572b6e2f4 fd }
            // n = 7, score = 100
            //   e8????????           |                     
            //   6af4                 | push                -0xc
            //   dbe9                 | fucomi              st(1)
            //   68912b4384           | push                0x84432b91
            //   2383e08985e4         | and                 eax, dword ptr [ebx - 0x1b7a7620]
            //   0572b6e2f4           | add                 eax, 0xf4e2b672
            //   fd                   | std                 

        $sequence_8 = { f6c5fe 0fbed0 4a d2ca 86f2 }
            // n = 5, score = 100
            //   f6c5fe               | test                ch, 0xfe
            //   0fbed0               | movsx               edx, al
            //   4a                   | dec                 edx
            //   d2ca                 | ror                 dl, cl
            //   86f2                 | xchg                dl, dh

        $sequence_9 = { e8???????? 6a00 8d879a040000 50 ff750c e8???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   6a00                 | push                0
            //   8d879a040000         | lea                 eax, [edi + 0x49a]
            //   50                   | push                eax
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   e8????????           |                     

        $sequence_10 = { 36110b 33745571 de7e75 cd18 4a 51 d2b8c512294e }
            // n = 7, score = 100
            //   36110b               | adc                 dword ptr ss:[ebx], ecx
            //   33745571             | xor                 esi, dword ptr [ebp + edx*2 + 0x71]
            //   de7e75               | fidivr              word ptr [esi + 0x75]
            //   cd18                 | int                 0x18
            //   4a                   | dec                 edx
            //   51                   | push                ecx
            //   d2b8c512294e         | sar                 byte ptr [eax + 0x4e2912c5], cl

        $sequence_11 = { 85c0 7417 8b55f0 8b75f0 2bd1 }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   7417                 | je                  0x19
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]
            //   2bd1                 | sub                 edx, ecx

        $sequence_12 = { 86f2 84c1 0fadea 86f2 0fafd5 }
            // n = 5, score = 100
            //   86f2                 | xchg                dl, dh
            //   84c1                 | test                cl, al
            //   0fadea               | shrd                edx, ebp, cl
            //   86f2                 | xchg                dl, dh
            //   0fafd5               | imul                edx, ebp

        $sequence_13 = { 8a11 3a140e 750e 47 41 }
            // n = 5, score = 100
            //   8a11                 | mov                 dl, byte ptr [ecx]
            //   3a140e               | cmp                 dl, byte ptr [esi + ecx]
            //   750e                 | jne                 0x10
            //   47                   | inc                 edi
            //   41                   | inc                 ecx

        $sequence_14 = { b606 d2ca 0fafd5 8af4 a1???????? }
            // n = 5, score = 100
            //   b606                 | mov                 dh, 6
            //   d2ca                 | ror                 dl, cl
            //   0fafd5               | imul                edx, ebp
            //   8af4                 | mov                 dh, ah
            //   a1????????           |                     

        $sequence_15 = { 7502 eb20 8d458c 50 }
            // n = 4, score = 100
            //   7502                 | jne                 4
            //   eb20                 | jmp                 0x22
            //   8d458c               | lea                 eax, [ebp - 0x74]
            //   50                   | push                eax

        $sequence_16 = { 741f 0faccef6 0fbdd5 0fc0d6 }
            // n = 4, score = 100
            //   741f                 | je                  0x21
            //   0faccef6             | shrd                esi, ecx, 0xf6
            //   0fbdd5               | bsr                 edx, ebp
            //   0fc0d6               | xadd                dh, dl

        $sequence_17 = { ff15???????? 8945e4 57 68???????? e8???????? }
            // n = 5, score = 100
            //   ff15????????         |                     
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   57                   | push                edi
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_18 = { ff15???????? 85c0 7454 83a5d0fdffff00 6800040000 e8???????? 59 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7454                 | je                  0x56
            //   83a5d0fdffff00       | and                 dword ptr [ebp - 0x230], 0
            //   6800040000           | push                0x400
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_19 = { c22800 55 8bec 56 8b752c 57 }
            // n = 6, score = 100
            //   c22800               | ret                 0x28
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   56                   | push                esi
            //   8b752c               | mov                 esi, dword ptr [ebp + 0x2c]
            //   57                   | push                edi

        $sequence_20 = { e9???????? 395dec 0f8415010000 c745fc02000000 c745f801000000 e9???????? }
            // n = 6, score = 100
            //   e9????????           |                     
            //   395dec               | cmp                 dword ptr [ebp - 0x14], ebx
            //   0f8415010000         | je                  0x11b
            //   c745fc02000000       | mov                 dword ptr [ebp - 4], 2
            //   c745f801000000       | mov                 dword ptr [ebp - 8], 1
            //   e9????????           |                     

        $sequence_21 = { 743b 0fc0d6 80ca72 b6e6 }
            // n = 4, score = 100
            //   743b                 | je                  0x3d
            //   0fc0d6               | xadd                dh, dl
            //   80ca72               | or                  dl, 0x72
            //   b6e6                 | mov                 dh, 0xe6

        $sequence_22 = { 0fbdd5 0ad0 bef48d351e b6f6 c0caaa }
            // n = 5, score = 100
            //   0fbdd5               | bsr                 edx, ebp
            //   0ad0                 | or                  dl, al
            //   bef48d351e           | mov                 esi, 0x1e358df4
            //   b6f6                 | mov                 dh, 0xf6
            //   c0caaa               | ror                 dl, 0xaa

        $sequence_23 = { 41 b87e8da638 e022 3a56b9 }
            // n = 4, score = 100
            //   41                   | inc                 ecx
            //   b87e8da638           | mov                 eax, 0x38a68d7e
            //   e022                 | loopne              0x24
            //   3a56b9               | cmp                 dl, byte ptr [esi - 0x47]

        $sequence_24 = { 8d45e0 50 68???????? 6802000080 ff15???????? 85c0 7517 }
            // n = 7, score = 100
            //   8d45e0               | lea                 eax, [ebp - 0x20]
            //   50                   | push                eax
            //   68????????           |                     
            //   6802000080           | push                0x80000002
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7517                 | jne                 0x19

        $sequence_25 = { 036890 2b02 9a102a6715fb53 31db b0a6 46 }
            // n = 6, score = 100
            //   036890               | add                 ebp, dword ptr [eax - 0x70]
            //   2b02                 | sub                 eax, dword ptr [edx]
            //   9a102a6715fb53       | lcall               0x53fb:0x15672a10
            //   31db                 | xor                 ebx, ebx
            //   b0a6                 | mov                 al, 0xa6
            //   46                   | inc                 esi

        $sequence_26 = { 8c6a38 55 f79bfe7ca80d a7 ad b710 }
            // n = 6, score = 100
            //   8c6a38               | mov                 word ptr [edx + 0x38], gs
            //   55                   | push                ebp
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   b710                 | mov                 bh, 0x10

        $sequence_27 = { e9???????? ff75d8 ff7514 8d87f2030000 ff10 0bc0 }
            // n = 6, score = 100
            //   e9????????           |                     
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   ff7514               | push                dword ptr [ebp + 0x14]
            //   8d87f2030000         | lea                 eax, [edi + 0x3f2]
            //   ff10                 | call                dword ptr [eax]
            //   0bc0                 | or                  eax, eax

        $sequence_28 = { fb 5c 3c32 7e02 19c1 a6 3327 }
            // n = 7, score = 100
            //   fb                   | sti                 
            //   5c                   | pop                 esp
            //   3c32                 | cmp                 al, 0x32
            //   7e02                 | jle                 4
            //   19c1                 | sbb                 ecx, eax
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]
            //   3327                 | xor                 esp, dword ptr [edi]

        $sequence_29 = { 83c40c c20400 6a0c 68???????? e8???????? }
            // n = 5, score = 100
            //   83c40c               | add                 esp, 0xc
            //   c20400               | ret                 4
            //   6a0c                 | push                0xc
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_30 = { ff7618 8f461c 8b13 8b12 }
            // n = 4, score = 100
            //   ff7618               | push                dword ptr [esi + 0x18]
            //   8f461c               | pop                 dword ptr [esi + 0x1c]
            //   8b13                 | mov                 edx, dword ptr [ebx]
            //   8b12                 | mov                 edx, dword ptr [edx]

        $sequence_31 = { 0fbdf1 4e d2ee b6d6 }
            // n = 4, score = 100
            //   0fbdf1               | bsr                 esi, ecx
            //   4e                   | dec                 esi
            //   d2ee                 | shr                 dh, cl
            //   b6d6                 | mov                 dh, 0xd6

    condition:
        7 of them and filesize < 568320
}