win.gozi

Gozi

aka: CRM, Gozi CRM, Papras, Snifula, Ursnif

2000 Ursnif aka Snifula
2006 Gozi v1.0, Gozi CRM, CRM, Papras
2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)
-> 2010 Gozi Prinimalka -> Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.
It was offered as a CaaS known as 76Service. This first version of Gozi was developed by Nikita Kurmin, who borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, as well as from some other kits. Gozi v1.0 thus had a formgrabber module and is often classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked. Two lineages descend from that leak: Gozi Prinimalka (a slightly modified Gozi v1.0), which in combination with Pony led to Vawtrak/Neverquest, and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). Gozi v2.0 came with a webinject module.

References
2022-05-09 | Microsoft Security | Microsoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} }
Families: Griffon, BazarBackdoor, BlackCat, BlackMatter, Blister, Gozi, LockBit, Pandora, Rook, SystemBC, TrickBot

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} }
Families: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2021-09-03 | Trend Micro | Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} }
Families: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader

2021-06-30 | The Record | Catalin Cimpanu
@online{cimpanu:20210630:gozi:8760ba7, author = {Catalin Cimpanu}, title = {{Gozi malware gang member arrested in Colombia}}, date = {2021-06-30}, organization = {The Record}, url = {https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/}, language = {English}, urldate = {2021-07-02} }
Families: Gozi, ISFB

2021-05-26 | DeepInstinct | Ron Ben Yizhak
@online{yizhak:20210526:deep:c123a19, author = {Ron Ben Yizhak}, title = {{A Deep Dive into Packing Software CryptOne}}, date = {2021-05-26}, organization = {DeepInstinct}, url = {https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/}, language = {English}, urldate = {2021-06-22} }
Families: Cobalt Strike, Dridex, Emotet, Gozi, ISFB, Mailto, QakBot, SmokeLoader, WastedLocker, Zloader

2021-03-31 | Kaspersky | Kaspersky
@online{kaspersky:20210331:financial:3371aa0, author = {Kaspersky}, title = {{Financial Cyberthreats in 2020}}, date = {2021-03-31}, organization = {Kaspersky}, url = {https://securelist.com/financial-cyberthreats-in-2020/101638/}, language = {English}, urldate = {2021-04-06} }
Families: BetaBot, DanaBot, Emotet, Gozi, Ramnit, RTM, SpyEye, TrickBot, Zeus

2020-12-21 | Cisco Talos | Jon Munshaw
@online{munshaw:20201221:2020:4a88f84, author = {JON MUNSHAW}, title = {{2020: The year in malware}}, date = {2020-12-21}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html}, language = {English}, urldate = {2020-12-26} }
Families: WolfRAT, Prometei, Poet RAT, Agent Tesla, Astaroth, Ave Maria, CRAT, Emotet, Gozi, IndigoDrop, JhoneRAT, Nanocore RAT, NjRAT, Oblique RAT, SmokeLoader, StrongPity, WastedLocker, Zloader

2020-08-09 | F5 Labs | Remi Cohen, Debbie Walkowski
@online{cohen:20200809:banking:8718999, author = {Remi Cohen and Debbie Walkowski}, title = {{Banking Trojans: A Reference Guide to the Malware Family Tree}}, date = {2020-08-09}, organization = {F5 Labs}, url = {https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree}, language = {English}, urldate = {2021-06-29} }
Families: BackSwap, Carberp, Citadel, DanaBot, Dridex, Dyre, Emotet, Gozi, Kronos, PandaBanker, Ramnit, Shylock, SpyEye, Tinba, TrickBot, Vawtrak, Zeus

2020-05-07 | Github (mlodic) | Matteo Lodi
@online{lodi:20200507:ursnif:5654de4, author = {Matteo Lodi}, title = {{Ursnif beacon decryptor}}, date = {2020-05-07}, organization = {Github (mlodic)}, url = {https://github.com/mlodic/ursnif_beacon_decryptor}, language = {English}, urldate = {2020-05-07} }
Families: Gozi, ISFB

2020-01-22 | Thomas Barabosch
@online{barabosch:20200122:malware:f805475, author = {Thomas Barabosch}, title = {{The malware analyst's guide to PE timestamps}}, date = {2020-01-22}, url = {https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/}, language = {English}, urldate = {2021-01-25} }
Families: Azorult, Gozi, IcedID, ISFB, LOLSnif, SUNBURST, TEARDROP

2020 | Secureworks | SecureWorks
@online{secureworks:2020:gold:65fcc96, author = {SecureWorks}, title = {{GOLD SWATHMORE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-swathmore}, language = {English}, urldate = {2020-05-23} }
Families: GlobeImposter, Gozi, IcedID, TrickBot, LUNAR SPIDER

2017-05-29 | Lokalhost.pl | Maciej Kotowicz
@online{kotowicz:20170529:gozi:96e962d, author = {Maciej Kotowicz}, title = {{Gozi Tree}}, date = {2017-05-29}, organization = {Lokalhost.pl}, url = {https://lokalhost.pl/gozi_tree.txt}, language = {English}, urldate = {2020-01-08} }
Families: DreamBot, Gozi, ISFB, Powersniff

2017-02-15 | Palo Alto Networks Unit 42 | Kaoru Hayashi
@online{hayashi:20170215:banking:c5e917c, author = {Kaoru Hayashi}, title = {{Banking Trojans: Ursnif Global Distribution Networks Identified}}, date = {2017-02-15}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/}, language = {English}, urldate = {2019-10-25} }
Families: Gozi

2016-11-23 | G Data | G Data
@online{data:20161123:analysis:0bbfdb9, author = {G Data}, title = {{Analysis: Ursnif - spying on your data since 2007}}, date = {2016-11-23}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007}, language = {English}, urldate = {2020-01-10} }
Families: Gozi

2013-02-03 | Malware Must Die! | Malware Must Die!
@online{die:20130203:infection:ac33cd2, author = {Malware Must Die!}, title = {{The infection of Styx Exploit Kit (Landing page: painterinvoice.ru + Payload: PWS/Ursnif Variant)}}, date = {2013-02-03}, organization = {Malware Must Die!}, url = {http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html}, language = {English}, urldate = {2019-07-11} }
Families: Gozi

2007-03-20 | Secureworks | Don Jackson
@online{jackson:20070320:gozi:701fe90, author = {Don Jackson}, title = {{Gozi Trojan}}, date = {2007-03-20}, organization = {Secureworks}, url = {https://www.secureworks.com/research/gozi}, language = {English}, urldate = {2020-01-10} }
Families: Gozi
Yara Rules
[TLP:WHITE] win_gozi_auto (20230125 | Detects win.gozi.)
rule win_gozi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.gozi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 294510 837d1000 75d1 837d1000 7507 b801000000 }
            // n = 6, score = 100
            //   294510               | sub                 dword ptr [ebp + 0x10], eax
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   75d1                 | jne                 0xffffffd3
            //   837d1000             | cmp                 dword ptr [ebp + 0x10], 0
            //   7507                 | jne                 9
            //   b801000000           | mov                 eax, 1

        $sequence_1 = { 85c0 74de 8b4df0 2b4d08 8b55f0 8a09 ff45f0 }
            // n = 7, score = 100
            //   85c0                 | test                eax, eax
            //   74de                 | je                  0xffffffe0
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   2b4d08               | sub                 ecx, dword ptr [ebp + 8]
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   8a09                 | mov                 cl, byte ptr [ecx]
            //   ff45f0               | inc                 dword ptr [ebp - 0x10]

        $sequence_2 = { 0fb703 ebee 8b5568 8b7e1c 8d0487 8b0408 03c1 }
            // n = 7, score = 100
            //   0fb703               | movzx               eax, word ptr [ebx]
            //   ebee                 | jmp                 0xfffffff0
            //   8b5568               | mov                 edx, dword ptr [ebp + 0x68]
            //   8b7e1c               | mov                 edi, dword ptr [esi + 0x1c]
            //   8d0487               | lea                 eax, [edi + eax*4]
            //   8b0408               | mov                 eax, dword ptr [eax + ecx]
            //   03c1                 | add                 eax, ecx

        $sequence_3 = { 85c0 740a 53 8d9f05050000 8903 5b }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   740a                 | je                  0xc
            //   53                   | push                ebx
            //   8d9f05050000         | lea                 ebx, [edi + 0x505]
            //   8903                 | mov                 dword ptr [ebx], eax
            //   5b                   | pop                 ebx

        $sequence_4 = { a1???????? 33c5 8945fc 56 894d88 }
            // n = 5, score = 100
            //   a1????????           |                     
            //   33c5                 | xor                 eax, ebp
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   894d88               | mov                 dword ptr [ebp - 0x78], ecx

        $sequence_5 = { 8b9554ffffff 0fbe4415ec 8b8d4cffffff 038d58ffffff 0fbe11 33d0 }
            // n = 6, score = 100
            //   8b9554ffffff         | mov                 edx, dword ptr [ebp - 0xac]
            //   0fbe4415ec           | movsx               eax, byte ptr [ebp + edx - 0x14]
            //   8b8d4cffffff         | mov                 ecx, dword ptr [ebp - 0xb4]
            //   038d58ffffff         | add                 ecx, dword ptr [ebp - 0xa8]
            //   0fbe11               | movsx               edx, byte ptr [ecx]
            //   33d0                 | xor                 edx, eax

        $sequence_6 = { 33c0 40 e9???????? 53 8b1d???????? 6a08 }
            // n = 6, score = 100
            //   33c0                 | xor                 eax, eax
            //   40                   | inc                 eax
            //   e9????????           |                     
            //   53                   | push                ebx
            //   8b1d????????         |                     
            //   6a08                 | push                8

        $sequence_7 = { 0fbaf252 4e 8af4 c0eef6 }
            // n = 4, score = 100
            //   0fbaf252             | btr                 edx, 0x52
            //   4e                   | dec                 esi
            //   8af4                 | mov                 dh, ah
            //   c0eef6               | shr                 dh, 0xf6

        $sequence_8 = { 742f 395de8 740e 6a01 }
            // n = 4, score = 100
            //   742f                 | je                  0x31
            //   395de8               | cmp                 dword ptr [ebp - 0x18], ebx
            //   740e                 | je                  0x10
            //   6a01                 | push                1

        $sequence_9 = { 8945e8 8955ec 8b55e8 0b55ec 7422 }
            // n = 5, score = 100
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   0b55ec               | or                  edx, dword ptr [ebp - 0x14]
            //   7422                 | je                  0x24

        $sequence_10 = { 4e b27a 8af4 d2ee 0faceab2 0fb3ce }
            // n = 6, score = 100
            //   4e                   | dec                 esi
            //   b27a                 | mov                 dl, 0x7a
            //   8af4                 | mov                 dh, ah
            //   d2ee                 | shr                 dh, cl
            //   0faceab2             | shrd                edx, ebp, 0xb2
            //   0fb3ce               | btr                 esi, ecx

        $sequence_11 = { c7430400001000 eb06 5b 5f }
            // n = 4, score = 100
            //   c7430400001000       | mov                 dword ptr [ebx + 4], 0x100000
            //   eb06                 | jmp                 8
            //   5b                   | pop                 ebx
            //   5f                   | pop                 edi

        $sequence_12 = { e8???????? 53 8d8564feffff 56 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   53                   | push                ebx
            //   8d8564feffff         | lea                 eax, [ebp - 0x19c]
            //   56                   | push                esi

        $sequence_13 = { eb10 ff75bc 8d879e020000 ff10 }
            // n = 4, score = 100
            //   eb10                 | jmp                 0x12
            //   ff75bc               | push                dword ptr [ebp - 0x44]
            //   8d879e020000         | lea                 eax, [edi + 0x29e]
            //   ff10                 | call                dword ptr [eax]

        $sequence_14 = { d2ee 6a14 68???????? b9???????? }
            // n = 4, score = 100
            //   d2ee                 | shr                 dh, cl
            //   6a14                 | push                0x14
            //   68????????           |                     
            //   b9????????           |                     

        $sequence_15 = { 8365dc00 8365e000 c745a802000000 c745ac01000000 8365b000 }
            // n = 5, score = 100
            //   8365dc00             | and                 dword ptr [ebp - 0x24], 0
            //   8365e000             | and                 dword ptr [ebp - 0x20], 0
            //   c745a802000000       | mov                 dword ptr [ebp - 0x58], 2
            //   c745ac01000000       | mov                 dword ptr [ebp - 0x54], 1
            //   8365b000             | and                 dword ptr [ebp - 0x50], 0

        $sequence_16 = { ff7038 ff15???????? 33f6 46 3bc6 }
            // n = 5, score = 100
            //   ff7038               | push                dword ptr [eax + 0x38]
            //   ff15????????         |                     
            //   33f6                 | xor                 esi, esi
            //   46                   | inc                 esi
            //   3bc6                 | cmp                 eax, esi

        $sequence_17 = { e8???????? 397854 7e26 33f6 e8???????? 8b4058 ff3430 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   397854               | cmp                 dword ptr [eax + 0x54], edi
            //   7e26                 | jle                 0x28
            //   33f6                 | xor                 esi, esi
            //   e8????????           |                     
            //   8b4058               | mov                 eax, dword ptr [eax + 0x58]
            //   ff3430               | push                dword ptr [eax + esi]

        $sequence_18 = { 56 57 33f6 bf???????? 833cf524eb430001 751d }
            // n = 6, score = 100
            //   56                   | push                esi
            //   57                   | push                edi
            //   33f6                 | xor                 esi, esi
            //   bf????????           |                     
            //   833cf524eb430001     | cmp                 dword ptr [esi*8 + 0x43eb24], 1
            //   751d                 | jne                 0x1f

        $sequence_19 = { 50 52 ff750c ff7508 e8???????? 894508 }
            // n = 6, score = 100
            //   50                   | push                eax
            //   52                   | push                edx
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   894508               | mov                 dword ptr [ebp + 8], eax

        $sequence_20 = { 8b95d0feffff 0b95d4feffff 7424 0fbed0 8ad0 }
            // n = 5, score = 100
            //   8b95d0feffff         | mov                 edx, dword ptr [ebp - 0x130]
            //   0b95d4feffff         | or                  edx, dword ptr [ebp - 0x12c]
            //   7424                 | je                  0x26
            //   0fbed0               | movsx               edx, al
            //   8ad0                 | mov                 dl, al

        $sequence_21 = { ff75f8 68???????? e8???????? 8d45f4 50 68???????? }
            // n = 6, score = 100
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   68????????           |                     
            //   e8????????           |                     
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_22 = { 40 eb02 33c0 c21000 55 8bec 83ec10 }
            // n = 7, score = 100
            //   40                   | inc                 eax
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax
            //   c21000               | ret                 0x10
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec10               | sub                 esp, 0x10

        $sequence_23 = { b6c6 b27a 69f16e7958bb 0ad0 69d5b2adbc8f }
            // n = 5, score = 100
            //   b6c6                 | mov                 dh, 0xc6
            //   b27a                 | mov                 dl, 0x7a
            //   69f16e7958bb         | imul                esi, ecx, 0xbb58796e
            //   0ad0                 | or                  dl, al
            //   69d5b2adbc8f         | imul                edx, ebp, 0x8fbcadb2

    condition:
        7 of them and filesize < 568320
}