{
	"id": "55ff940f-450b-4026-8d3f-152f2eab8b1e",
	"created_at": "2026-05-05T02:46:00.180039Z",
	"updated_at": "2026-05-05T02:46:37.021074Z",
	"deleted_at": null,
	"sha1_hash": "18eaffe6d9240060101888ca851fc3c1723549de",
	"title": "We see you, Gozi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 123556,
	"plain_text": "We see you, Gozi\r\nArchived: 2026-05-05 02:36:08 UTC\r\nThe ISFB Trojan, also known as Gozi ISFB, first appeared in 2014. It is based on Gozi, which was released in 2006 and developed by Russian threat actors. Gozi was designed to collect network traffic and steal credentials from browsers and email clients. It has screen-grabbing and keylogging functionalities.\r\nThe ISFB banking Trojan is a modified version of Gozi. The malware was identified in 2014 and is also known as Gozi2 and Ursnif. It collects credentials and is mainly used for attacks on the client side of online banking (ATS attacks) and fraud.\r\nGiven that the source code for Gozi ISFB is available online, there are now various forks based on ISFB, such as GozNym or Dreambot.\r\nNew Gozi TTPs\r\nGroup-IB has been tracking the Gozi banking Trojan since its early days. During recent threat hunting operations, we detected a new sample of the Trojan in the wild on June 14. As soon as we conducted an in-depth investigation, we realized that the methods and techniques used had no relationship with those seen so far.\r\nWe are aware that reading articles on reverse engineering is often tedious and even difficult, which is why we will look at the latest version at a high level.\r\nThe kill chain resembles a matryoshka doll. All the stages are executed in memory by downloading, uncompressing and unpacking different stages, without directly dropping files to disk.\r\nKill chain\r\n1. The initial .EXE self-decompresses in memory and executes a .NET downloader.\r\n2. The .NET downloader performs a GET request to a Discord resource, using a shortener (tiny[.]one), to download the next-stage payload, which is a .NET packer.\r\n3. The .NET packer is executed. It decrypts and unpacks the packer of the Gozi downloader.\r\n4. The packer of the Gozi downloader unpacks the DLL, which is the real Gozi downloader module.\r\n5. The Gozi downloader behaves as usual by trying to contact the Command \u0026 Control server found in its configuration in order to download the main module and continue executing it.\r\nhttps://blog.group-ib.com/gozi-latest-ttps\r\nPage 1 of 4\r\nGozi analysis\r\nThe first file we found was the executable “traktor.exe”, which self-decompresses in memory into the file “SEB6A8~1.EXE” and executes it. The new file then acts as a .NET downloader for the next-stage payload. Once executed, the downloader performs a GET request, passing through a shortener to try to hide the final URL of the resource.\r\nShortener request: hXXps://tiny[.]one/yt52rdce → points to: cdn[.]discordapp[.]com/attachments/977479165555146754/984345564407812106/wiztree_4_08_setup_4_Qfmhjhgh.bmp\r\nAfter the download, the downloader reverses the bytes of the payload (usually in order to interfere with detection mechanisms) and executes it. The newly executed file is an obfuscated .NET DLL that serves as a packer.\r\nOnce launched in memory, the .NET packer decrypts and unpacks the next-stage payload in memory, which is the packed Gozi downloader. The DLL is obfuscated with various namespaces, classes and methods to throw analysts and reverse engineers off track.\r\nAs in all typical Gozi kill chains, the packed downloader unpacks itself into a DLL (the real payload) and executes it. Given that the Gozi downloader is run in memory, it will behave as usual and try to contact the Command \u0026 Control server in order to download the main module and perform further actions.\r\nBecause the research was finished very quickly, we were unable to obtain the main module to investigate further. We also could not obtain the web injects and the target list because the Command \u0026 Control server contacted by the downloader was already down.\r\nGozi downloader configuration\r\n{ \"server_key\": \"guVZ8lGzorgMS7cj\", \"group\": \"7776\", \"timer\": \"1\", \"server\": \"50\", \"0x54432e74\": \"/drew/\", \"0x48295783\": \"20\", \"0x73d11ee\": \".bmp\", \"0x41cae66d\": \"0\", \"cnc\": [ \"update[.]zonealarm[.]com\", \"iiso[.]in\" ], \"0xbbb5c71d\": \".jlk\", \"0x584e5925\": \"0\" }\r\nIOCs\r\nNetwork\r\ncdn[.]discordapp[.]com/attachments/977479165555146754/984345564407812106/wiztree_4_08_setup_4_Qfmhjhgh.bmp\r\ntiny[.]one/yt52rdce\r\nupdate[.]zonealarm[.]com\r\niiso[.]in\r\nFiles\r\nName: traktor.exe\r\nClassification: Cabinet Self-Extractor\r\nMD5: A0BB2D133B174436A9D4CCE527FB78D7\r\nSHA1: 8E72E0115E01F32A2F72D1F31C3E641C6B66AB45\r\nSHA256: 904CA32CB62DC94B61092F80FA78C5BC97D0A5394FA03438AEEC85ED87AB763E\r\nSigner: Sectigo RSA\r\nCompiler stamp: Tue Jul 25 08:18:00 2062\r\nVT First submission: 2022-06-14 23:34:20 UTC\r\nName: SEB6A8~1.EXE\r\nClassification: .NET downloader\r\nMD5: 63fdefb66fd14dc92a7d1f773d6f619b\r\nSHA-1: 0a96e7edc7a7e4b805f29691a0d39e21453f9eb0\r\nSHA-256: 360703b2b2c324dde72dcd0651251c9e882e245c22d6b7e8c3163ed34ddb62b9\r\nSigner: Sectigo RSA\r\nCompiler stamp: Fri Mar 09 00:13:06 2074\r\nVT First submission: 2022-06-14 23:41:06 UTC\r\nClassification: .NET Packer\r\nOriginal filename: Deocqpqvayitfaqvcfovoryc.dll\r\nMD5: 2B348E0106F20C14615212D7EFF0DB88\r\nSHA1: 4DCD93A1CFD7F630C5FE71F5B31B298582B8BD39\r\nSHA256: 90660936CB65E0F929F32615EF400E0D0F80232F7F2003778C27E28B84468666\r\nCompiler stamp: Thu Jun 09 08:37:18 2022\r\nVT First submission: None (at the day of research)\r\nClassification: Packed GOZI downloader\r\nMD5: 1C847FED91BA95A65FF0160757C5B187\r\nSHA1: 17CA3FA3BEC22507798B5B21906559134F4CD3AA\r\nSHA256: 3EF96CFB78CB553943CE591C985FDC793D2ACF342A536B90D0F9EF72BDB15ECD\r\nCompiler stamp: Tue Apr 26 21:11:45 2022\r\nVT First submission: None (at the day of research)\r\nClassification: GOZI downloader\r\nMD5: D3D4B79106465363155A3F4F6C1A5E05\r\nSHA1: 9E978AD8C58FBBE59B470E26709687023161A5B8\r\nSHA256: 011F6F038B1398C03AE15D3CB81412D32AD0AD554DFBB5D38FAE78577FB2B777\r\nCompiler stamp: Tue Apr 26 21:11:39 2022\r\nVT First submission: None (at the day of research)\r\nSource: https://blog.group-ib.com/gozi-latest-ttps",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/gozi-latest-ttps"
	],
	"report_names": [
		"gozi-latest-ttps"
	],
	"threat_actors": [],
	"ts_created_at": 1777949160,
	"ts_updated_at": 1777949197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18eaffe6d9240060101888ca851fc3c1723549de.pdf",
		"text": "https://archive.orkl.eu/18eaffe6d9240060101888ca851fc3c1723549de.txt",
		"img": "https://archive.orkl.eu/18eaffe6d9240060101888ca851fc3c1723549de.jpg"
	}
}