SYMBOLCOMMON_NAMEaka. SYNONYMS
win.gozi (Back to overview)

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif
VTCollection     URLhaus      

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.

References
2024-07-02SekoiaQuentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar
2023-12-20ViuleeenzAlessandro Strino
Applied Emulation - Decrypting Ursnif strings with Unicorn
Gozi
2023-11-21IBMCharlotte Hammond, Kat Metrick, Ole Villadsen
Stealthy WailingCrab Malware misuses MQTT Messaging Protocol
Gozi WikiLoader
2023-07-18Kostas TSKostas
Ursnif VS Italy: Il PDF del Destino
Gozi ISFB Snifula
2023-03-190xToxin Labs@0xToxin
Gozi - Italian ShellCode Dance
Gozi ISFB
2023-03-14ViuleeenzAlessandro Strino
Dynamic Binary Instrumentation for Malware Analysis
Gozi
2022-10-24Medium CSIS TechblogBenoît Ancel
Chapter 1 — From Gozi to ISFB: The history of a mythical malware family.
Gozi ISFB Snifula
2022-05-09Microsoft SecurityMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2021-09-03Trend MicroMohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-06-30The RecordCatalin Cimpanu
Gozi malware gang member arrested in Colombia
Gozi ISFB
2021-05-26DeepInstinctRon Ben Yizhak
A Deep Dive into Packing Software CryptOne
Cobalt Strike Dridex Emotet Gozi ISFB Mailto QakBot SmokeLoader WastedLocker Zloader
2021-03-31KasperskyKaspersky
Financial Cyberthreats in 2020
BetaBot DanaBot Emotet Gozi Ramnit RTM SpyEye TrickBot Zeus
2020-12-21Cisco TalosJON MUNSHAW
2020: The year in malware
WolfRAT Prometei Poet RAT Agent Tesla Astaroth Ave Maria CRAT Emotet Gozi IndigoDrop JhoneRAT Nanocore RAT NjRAT Oblique RAT SmokeLoader StrongPity WastedLocker Zloader
2020-08-09F5 LabsDebbie Walkowski, Remi Cohen
Banking Trojans: A Reference Guide to the Malware Family Tree
BackSwap Carberp Citadel DanaBot Dridex Dyre Emotet Gozi Kronos PandaBanker Ramnit Shylock SpyEye Tinba TrickBot Vawtrak Zeus
2020-05-07Github (mlodic)Matteo Lodi
Ursnif beacon decryptor
Gozi ISFB
2020-01-22Thomas Barabosch
The malware analyst’s guide to PE timestamps
Azorult Gozi IcedID ISFB LOLSnif SUNBURST TEARDROP
2020-01-01SecureworksSecureWorks
GOLD SWATHMORE
GlobeImposter Gozi IcedID TrickBot LUNAR SPIDER
2017-05-29Lokalhost.plMaciej Kotowicz
Gozi Tree
DreamBot Gozi ISFB Powersniff
2017-02-15Palo Alto Networks Unit 42Kaoru Hayashi
Banking Trojans: Ursnif Global Distribution Networks Identified
Gozi
2016-11-23G DataG Data
Analysis: Ursnif - spying on your data since 2007
Gozi
2013-02-03Malware Must Die!Malware Must Die!
The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)
Gozi
2007-03-20SecureworksDon Jackson
Gozi Trojan
Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20241030 | Detects win.gozi.)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.gozi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 3b4dfc 73df 33c0 5e c9 c21000 }
            // n = 6, score = 100
            //   3b4dfc               | cmp                 ecx, dword ptr [ebp - 4]
            //   73df                 | jae                 0xffffffe1
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c9                   | leave               
            //   c21000               | ret                 0x10

        $sequence_1 = { 0e 96 3b5375 60 }
            // n = 4, score = 100
            //   0e                   | push                cs
            //   96                   | xchg                eax, esi
            //   3b5375               | cmp                 edx, dword ptr [ebx + 0x75]
            //   60                   | pushal              

        $sequence_2 = { 48 fb 5c 3c32 7e02 }
            // n = 5, score = 100
            //   48                   | dec                 eax
            //   fb                   | sti                 
            //   5c                   | pop                 esp
            //   3c32                 | cmp                 al, 0x32
            //   7e02                 | jle                 4

        $sequence_3 = { 894508 eb03 897d08 bf???????? 57 }
            // n = 5, score = 100
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   eb03                 | jmp                 5
            //   897d08               | mov                 dword ptr [ebp + 8], edi
            //   bf????????           |                     
            //   57                   | push                edi

        $sequence_4 = { 0bc0 7408 60 50 e8???????? 61 }
            // n = 6, score = 100
            //   0bc0                 | or                  eax, eax
            //   7408                 | je                  0xa
            //   60                   | pushal              
            //   50                   | push                eax
            //   e8????????           |                     
            //   61                   | popal               

        $sequence_5 = { 7061 63743200 c808bf35 6963c03caff3da c9 50 0c73 }
            // n = 7, score = 100
            //   7061                 | jo                  0x63
            //   63743200             | arpl                word ptr [edx + esi], si
            //   c808bf35             | enter               -0x40f8, 0x35
            //   6963c03caff3da       | imul                esp, dword ptr [ebx - 0x40], 0xdaf3af3c
            //   c9                   | leave               
            //   50                   | push                eax
            //   0c73                 | or                  al, 0x73

        $sequence_6 = { 8b450c 03f0 8b4e0c 85c9 8975e8 0f8453010000 }
            // n = 6, score = 100
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   03f0                 | add                 esi, eax
            //   8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]
            //   85c9                 | test                ecx, ecx
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   0f8453010000         | je                  0x159

        $sequence_7 = { 0faff1 c7458804000000 a1???????? 8b0d???????? 6a00 68f80a0000 }
            // n = 6, score = 100
            //   0faff1               | imul                esi, ecx
            //   c7458804000000       | mov                 dword ptr [ebp - 0x78], 4
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   6a00                 | push                0
            //   68f80a0000           | push                0xaf8

        $sequence_8 = { 7e02 19c1 a6 3327 72e7 3ebb4a68d947 }
            // n = 6, score = 100
            //   7e02                 | jle                 4
            //   19c1                 | sbb                 ecx, eax
            //   a6                   | cmpsb               byte ptr [esi], byte ptr es:[edi]
            //   3327                 | xor                 esp, dword ptr [edi]
            //   72e7                 | jb                  0xffffffe9
            //   3ebb4a68d947         | mov                 ebx, 0x47d9684a

        $sequence_9 = { e8???????? 8945fc 6805010000 6a40 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   6805010000           | push                0x105
            //   6a40                 | push                0x40

        $sequence_10 = { 8b45fc 8b08 6a00 50 ff91a4000000 33c9 85c0 }
            // n = 7, score = 100
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff91a4000000         | call                dword ptr [ecx + 0xa4]
            //   33c9                 | xor                 ecx, ecx
            //   85c0                 | test                eax, eax

        $sequence_11 = { 3a56b9 036890 2b02 9a102a6715fb53 }
            // n = 4, score = 100
            //   3a56b9               | cmp                 dl, byte ptr [esi - 0x47]
            //   036890               | add                 ebp, dword ptr [eax - 0x70]
            //   2b02                 | sub                 eax, dword ptr [edx]
            //   9a102a6715fb53       | lcall               0x53fb:0x15672a10

        $sequence_12 = { 0ad0 4a 0fca 8af4 0fbdf1 0fbaf6be }
            // n = 6, score = 100
            //   0ad0                 | or                  dl, al
            //   4a                   | dec                 edx
            //   0fca                 | bswap               edx
            //   8af4                 | mov                 dh, ah
            //   0fbdf1               | bsr                 esi, ecx
            //   0fbaf6be             | btr                 esi, 0xbe

        $sequence_13 = { ad b710 2dc7ce5bbb d6 b6c6 e8???????? 6af4 }
            // n = 7, score = 100
            //   ad                   | lodsd               eax, dword ptr [esi]
            //   b710                 | mov                 bh, 0x10
            //   2dc7ce5bbb           | sub                 eax, 0xbb5bcec7
            //   d6                   | salc                
            //   b6c6                 | mov                 dh, 0xc6
            //   e8????????           |                     
            //   6af4                 | push                -0xc

        $sequence_14 = { 33c0 ebf7 56 8b74240c 57 }
            // n = 5, score = 100
            //   33c0                 | xor                 eax, eax
            //   ebf7                 | jmp                 0xfffffff9
            //   56                   | push                esi
            //   8b74240c             | mov                 esi, dword ptr [esp + 0xc]
            //   57                   | push                edi

        $sequence_15 = { 7708 8b4df8 e8???????? 837d0c00 766f 8b4df8 }
            // n = 6, score = 100
            //   7708                 | ja                  0xa
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   e8????????           |                     
            //   837d0c00             | cmp                 dword ptr [ebp + 0xc], 0
            //   766f                 | jbe                 0x71
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

        $sequence_16 = { 55 8bec 83c4fc 53 837d0c4a }
            // n = 5, score = 100
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83c4fc               | add                 esp, -4
            //   53                   | push                ebx
            //   837d0c4a             | cmp                 dword ptr [ebp + 0xc], 0x4a

        $sequence_17 = { 50 0c73 0e 96 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   0c73                 | or                  al, 0x73
            //   0e                   | push                cs
            //   96                   | xchg                eax, esi

        $sequence_18 = { e8???????? 8985b0feffff 8d8dbcfeffff 51 56 ffd0 85c0 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8985b0feffff         | mov                 dword ptr [ebp - 0x150], eax
            //   8d8dbcfeffff         | lea                 ecx, [ebp - 0x144]
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ffd0                 | call                eax
            //   85c0                 | test                eax, eax

        $sequence_19 = { ffd0 8345e404 ebe6 c745e0d4814300 817de0d8814300 }
            // n = 5, score = 100
            //   ffd0                 | call                eax
            //   8345e404             | add                 dword ptr [ebp - 0x1c], 4
            //   ebe6                 | jmp                 0xffffffe8
            //   c745e0d4814300       | mov                 dword ptr [ebp - 0x20], 0x4381d4
            //   817de0d8814300       | cmp                 dword ptr [ebp - 0x20], 0x4381d8

        $sequence_20 = { 1da2c9dde2 f4 16 ee 7f7b 36110b 33745571 }
            // n = 7, score = 100
            //   1da2c9dde2           | sbb                 eax, 0xe2ddc9a2
            //   f4                   | hlt                 
            //   16                   | push                ss
            //   ee                   | out                 dx, al
            //   7f7b                 | jg                  0x7d
            //   36110b               | adc                 dword ptr ss:[ebx], ecx
            //   33745571             | xor                 esi, dword ptr [ebp + edx*2 + 0x71]

        $sequence_21 = { 8b45d0 833800 755d 6a18 e8???????? }
            // n = 5, score = 100
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   833800               | cmp                 dword ptr [eax], 0
            //   755d                 | jne                 0x5f
            //   6a18                 | push                0x18
            //   e8????????           |                     

        $sequence_22 = { eb15 c745f0ffffffff 6a04 8d45f0 50 }
            // n = 5, score = 100
            //   eb15                 | jmp                 0x17
            //   c745f0ffffffff       | mov                 dword ptr [ebp - 0x10], 0xffffffff
            //   6a04                 | push                4
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax

        $sequence_23 = { 8b4dfc 8b09 85c9 0f84d7000000 }
            // n = 4, score = 100
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b09                 | mov                 ecx, dword ptr [ecx]
            //   85c9                 | test                ecx, ecx
            //   0f84d7000000         | je                  0xdd

        $sequence_24 = { ff45f0 48 8816 75ee }
            // n = 4, score = 100
            //   ff45f0               | inc                 dword ptr [ebp - 0x10]
            //   48                   | dec                 eax
            //   8816                 | mov                 byte ptr [esi], dl
            //   75ee                 | jne                 0xfffffff0

        $sequence_25 = { 0fadce d2ee 84e5 8af4 0fbdf1 }
            // n = 5, score = 100
            //   0fadce               | shrd                esi, ecx, cl
            //   d2ee                 | shr                 dh, cl
            //   84e5                 | test                ch, ah
            //   8af4                 | mov                 dh, ah
            //   0fbdf1               | bsr                 esi, ecx

        $sequence_26 = { 56 8d45fc 50 6a08 33f6 ff15???????? }
            // n = 6, score = 100
            //   56                   | push                esi
            //   8d45fc               | lea                 eax, [ebp - 4]
            //   50                   | push                eax
            //   6a08                 | push                8
            //   33f6                 | xor                 esi, esi
            //   ff15????????         |                     

        $sequence_27 = { b636 0fafd5 80cafa 69f1eef9d83b 8ad0 }
            // n = 5, score = 100
            //   b636                 | mov                 dh, 0x36
            //   0fafd5               | imul                edx, ebp
            //   80cafa               | or                  dl, 0xfa
            //   69f1eef9d83b         | imul                esi, ecx, 0x3bd8f9ee
            //   8ad0                 | mov                 dl, al

        $sequence_28 = { 0fbdf1 b67e d2ca f6de }
            // n = 4, score = 100
            //   0fbdf1               | bsr                 esi, ecx
            //   b67e                 | mov                 dh, 0x7e
            //   d2ca                 | ror                 dl, cl
            //   f6de                 | neg                 dh

        $sequence_29 = { 730d 898c85b0feffff ff85acfeffff 899da0feffff 33c0 8dbda4feffff ab }
            // n = 7, score = 100
            //   730d                 | jae                 0xf
            //   898c85b0feffff       | mov                 dword ptr [ebp + eax*4 - 0x150], ecx
            //   ff85acfeffff         | inc                 dword ptr [ebp - 0x154]
            //   899da0feffff         | mov                 dword ptr [ebp - 0x160], ebx
            //   33c0                 | xor                 eax, eax
            //   8dbda4feffff         | lea                 edi, [ebp - 0x15c]
            //   ab                   | stosd               dword ptr es:[edi], eax

        $sequence_30 = { ff15???????? 8bd8 3bde 895d64 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax
            //   3bde                 | cmp                 ebx, esi
            //   895d64               | mov                 dword ptr [ebp + 0x64], ebx

        $sequence_31 = { 53 c705????????00000000 68???????? 6a01 }
            // n = 4, score = 100
            //   53                   | push                ebx
            //   c705????????00000000     |     
            //   68????????           |                     
            //   6a01                 | push                1

    condition:
        7 of them and filesize < 568320
}
Download all Yara Rules