A quick summary to improve your detection capabilities:
- Dropped files use the pattern %UserProfile%\govXXXX.exe (the X's are 4 lowercase letters)
- C&C IP addresses include 220.127.116.11 and 18.104.22.168
- C&C URI requests include /system/prinimalka.py/
- Opens a SOCKS proxy to relay traffic
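As an added example (not code from the original post), a small Python scanner that turns the indicators above into checks over constructed proxy log lines and dropped-file paths; the log format, the `%UserProfile%` roots (Users / Documents and Settings) and the sample records are assumptions for the demonstration.

```python
import re
from typing import Dict, List

# Indicators from the summary above (IPs and URI fragment are the page's values).
DROPPED_FILE_RE = re.compile(
    r"^[A-Za-z]:\\(?:Users|Documents and Settings)\\[^\\]+\\gov[a-z]{4}\.exe$"
)
C2_IPS = {"220.127.116.11", "18.104.22.168"}
C2_URI_FRAGMENT = "/system/prinimalka.py/"


def match_dropped_file(path: str) -> bool:
    """True for a file directly under a user profile named govXXXX.exe (X = lowercase)."""
    return DROPPED_FILE_RE.match(path) is not None


def classify_request(dst_ip: str, uri: str) -> List[str]:
    """Names of the indicators one outbound HTTP request hits (empty list if clean)."""
    hits = []
    if dst_ip in C2_IPS:
        hits.append("c2_ip")
    if C2_URI_FRAGMENT in uri:
        hits.append("c2_uri")
    return hits


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan proxy log lines of the assumed form 'TIME SRC DST METHOD URI'; malformed lines are skipped."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # do not let one bad record abort the batch
        ts, src, dst, _method, uri = parts
        hits = classify_request(dst, uri)
        if hits:
            alerts.append({"time": ts, "src": src, "dst": dst, "uri": uri, "hits": ",".join(hits)})
    return alerts


# Constructed sample records (not captured traffic); 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_LOG = [
    "2012-10-05T10:00:01 10.0.0.5 198.51.100.20 GET /index.html",
    "2012-10-05T10:00:07 10.0.0.5 220.127.116.11 POST /system/prinimalka.py/",
    "2012-10-05T10:00:09 10.0.0.7 203.0.113.9 GET /system/prinimalka.py/cfg",
    "malformed record",
]
```

The SOCKS relay behaviour from the summary is not covered here; spotting it needs flow or connection telemetry rather than HTTP proxy logs.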
Now that this Gozi variant has been reverse engineered well in advance of the attack, I suspect new variants will show up with altered configurations.
This is a trojan used in cyber espionage, originally targeting Iran. It appears to have been around since 2010 (and maybe as early as 2008) and is touted as one of the most complex trojans and C&C infrastructures created to date.