SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gozi (Back to overview)

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif
URLhaus      

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.

References
2020-05-07Github (mlodic)Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} } Ursnif beacon decryptor
Gozi ISFB
2020SecureworksSecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} } GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot Lunar Spider
2017-05-29Lokalhost.plMaciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} } Gozi Tree
DreamBot Gozi ISFB Powersniff
2017-02-15Palo Alto Networks Unit 42Kaoru Hayashi
@online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} } Banking Trojans: Ursnif Global Distribution Networks Identified
Gozi
2016-11-23G DataG Data
@online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} } Analysis: Ursnif - spying on your data since 2007
Gozi
2013-02-03Malware Must Die!Malware Must Die!
@online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} } The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
Gozi
2007-03-20SecureworksDon Jackson
@online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} } Gozi Trojan
Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 57 bf0400176b 8b3f 6800040000 }
            // n = 4, score = 100
            //   57                   | push                edi
            //   bf0400176b           | mov                 edi, 0x6b170004
            //   8b3f                 | mov                 edi, dword ptr [edi]
            //   6800040000           | push                0x400

        $sequence_1 = { 6a04 53 ffb5ccf4ffff ff15???????? 898530f4ffff 3bc3 7421 }
            // n = 7, score = 100
            //   6a04                 | push                4
            //   53                   | push                ebx
            //   ffb5ccf4ffff         | push                dword ptr [ebp - 0xb34]
            //   ff15????????         |                     
            //   898530f4ffff         | mov                 dword ptr [ebp - 0xbd0], eax
            //   3bc3                 | cmp                 eax, ebx
            //   7421                 | je                  0x23

        $sequence_2 = { 397dc4 7421 8d45c8 50 ff15???????? 40 }
            // n = 6, score = 100
            //   397dc4               | cmp                 dword ptr [ebp - 0x3c], edi
            //   7421                 | je                  0x23
            //   8d45c8               | lea                 eax, [ebp - 0x38]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   40                   | inc                 eax

        $sequence_3 = { 56 53 8d87ed2e0000 50 8d8733040000 50 8d4704 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   53                   | push                ebx
            //   8d87ed2e0000         | lea                 eax, [edi + 0x2eed]
            //   50                   | push                eax
            //   8d8733040000         | lea                 eax, [edi + 0x433]
            //   50                   | push                eax
            //   8d4704               | lea                 eax, [edi + 4]

        $sequence_4 = { 837dd803 7d17 ff7608 ff7604 }
            // n = 4, score = 100
            //   837dd803             | cmp                 dword ptr [ebp - 0x28], 3
            //   7d17                 | jge                 0x19
            //   ff7608               | push                dword ptr [esi + 8]
            //   ff7604               | push                dword ptr [esi + 4]

        $sequence_5 = { ff15???????? 8bf0 83feff 8975f8 74e1 53 8d45f4 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   83feff               | cmp                 esi, -1
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   74e1                 | je                  0xffffffe3
            //   53                   | push                ebx
            //   8d45f4               | lea                 eax, [ebp - 0xc]

        $sequence_6 = { ff75e0 6a0b ffd0 8945d4 }
            // n = 4, score = 100
            //   ff75e0               | push                dword ptr [ebp - 0x20]
            //   6a0b                 | push                0xb
            //   ffd0                 | call                eax
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax

        $sequence_7 = { 55 f79bfe7ca80d a7 ad }
            // n = 4, score = 100
            //   55                   | push                ebp
            //   f79bfe7ca80d         | neg                 dword ptr [ebx + 0xda87cfe]
            //   a7                   | cmpsd               dword ptr [esi], dword ptr es:[edi]
            //   ad                   | lodsd               eax, dword ptr [esi]

        $sequence_8 = { 8d879e020000 ff10 8b4de8 0bc9 7548 ff7508 e8???????? }
            // n = 7, score = 100
            //   8d879e020000         | lea                 eax, [edi + 0x29e]
            //   ff10                 | call                dword ptr [eax]
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   0bc9                 | or                  ecx, ecx
            //   7548                 | jne                 0x4a
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_9 = { 8908 50 45 43 }
            // n = 4, score = 100
            //   8908                 | mov                 dword ptr [eax], ecx
            //   50                   | push                eax
            //   45                   | inc                 ebp
            //   43                   | inc                 ebx

        $sequence_10 = { be84f7c34f 10ba810b7f57 a4 8c6a38 55 }
            // n = 5, score = 100
            //   be84f7c34f           | mov                 esi, 0x4fc3f784
            //   10ba810b7f57         | adc                 byte ptr [edx + 0x577f0b81], bh
            //   a4                   | movsb               byte ptr es:[edi], byte ptr [esi]
            //   8c6a38               | mov                 word ptr [edx + 0x38], gs
            //   55                   | push                ebp

        $sequence_11 = { 7505 e9???????? 8d87d9060000 50 ff75d4 8d8786020000 }
            // n = 6, score = 100
            //   7505                 | jne                 7
            //   e9????????           |                     
            //   8d87d9060000         | lea                 eax, [edi + 0x6d9]
            //   50                   | push                eax
            //   ff75d4               | push                dword ptr [ebp - 0x2c]
            //   8d8786020000         | lea                 eax, [edi + 0x286]

        $sequence_12 = { 6d 7061 63743200 c808bf35 6963c03caff3da c9 }
            // n = 6, score = 100
            //   6d                   | insd                dword ptr es:[edi], dx
            //   7061                 | jo                  0x63
            //   63743200             | arpl                word ptr [edx + esi], si
            //   c808bf35             | enter               -0x40f8, 0x35
            //   6963c03caff3da       | imul                esp, dword ptr [ebx - 0x40], 0xdaf3af3c
            //   c9                   | leave               

        $sequence_13 = { c20400 6a00 6a00 e8???????? 0bc0 7401 c3 }
            // n = 7, score = 100
            //   c20400               | ret                 4
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     
            //   0bc0                 | or                  eax, eax
            //   7401                 | je                  3
            //   c3                   | ret                 

        $sequence_14 = { b6c6 e8???????? 6af4 dbe9 68912b4384 2383e08985e4 }
            // n = 6, score = 100
            //   b6c6                 | mov                 dh, 0xc6
            //   e8????????           |                     
            //   6af4                 | push                -0xc
            //   dbe9                 | fucomi              st(1)
            //   68912b4384           | push                0x84432b91
            //   2383e08985e4         | and                 eax, dword ptr [ebx - 0x1b7a7620]

        $sequence_15 = { 31db b0a6 46 312d???????? ca065b dc6f1b 95 }
            // n = 7, score = 100
            //   31db                 | xor                 ebx, ebx
            //   b0a6                 | mov                 al, 0xa6
            //   46                   | inc                 esi
            //   312d????????         |                     
            //   ca065b               | retf                0x5b06
            //   dc6f1b               | fsubr               qword ptr [edi + 0x1b]
            //   95                   | xchg                eax, ebp

        $sequence_16 = { 0f85ec000000 ff75d8 6a40 ff15???????? 8945e0 }
            // n = 5, score = 100
            //   0f85ec000000         | jne                 0xf2
            //   ff75d8               | push                dword ptr [ebp - 0x28]
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax

        $sequence_17 = { 50 64ff3500000000 64892500000000 33c0 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   64ff3500000000       | push                dword ptr fs:[0]
            //   64892500000000       | mov                 dword ptr fs:[0], esp
            //   33c0                 | xor                 eax, eax

        $sequence_18 = { 80f936 740f 80f93e 740a 80f964 }
            // n = 5, score = 100
            //   80f936               | cmp                 cl, 0x36
            //   740f                 | je                  0x11
            //   80f93e               | cmp                 cl, 0x3e
            //   740a                 | je                  0xc
            //   80f964               | cmp                 cl, 0x64

        $sequence_19 = { 5b 6a00 6a00 6a00 8d87a2020000 ff10 53 }
            // n = 7, score = 100
            //   5b                   | pop                 ebx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d87a2020000         | lea                 eax, [edi + 0x2a2]
            //   ff10                 | call                dword ptr [eax]
            //   53                   | push                ebx

        $sequence_20 = { 16 ee 7f7b 36110b 33745571 }
            // n = 5, score = 100
            //   16                   | push                ss
            //   ee                   | out                 dx, al
            //   7f7b                 | jg                  0x7d
            //   36110b               | adc                 dword ptr ss:[ebx], ecx
            //   33745571             | xor                 esi, dword ptr [ebp + edx*2 + 0x71]

        $sequence_21 = { ff75e4 ffd0 894588 3bc6 7407 c745d801000000 }
            // n = 6, score = 100
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   ffd0                 | call                eax
            //   894588               | mov                 dword ptr [ebp - 0x78], eax
            //   3bc6                 | cmp                 eax, esi
            //   7407                 | je                  9
            //   c745d801000000       | mov                 dword ptr [ebp - 0x28], 1

        $sequence_22 = { ff75f4 e8???????? a3???????? ff75dc 6a00 }
            // n = 5, score = 100
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   e8????????           |                     
            //   a3????????           |                     
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   6a00                 | push                0

        $sequence_23 = { 83c8ff eb57 53 ff75f8 e8???????? 8bd8 }
            // n = 6, score = 100
            //   83c8ff               | or                  eax, 0xffffffff
            //   eb57                 | jmp                 0x59
            //   53                   | push                ebx
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   8bd8                 | mov                 ebx, eax

    condition:
        7 of them and filesize < 237568
}
Download all Yara Rules