win.cloudeye

CloudEyE

aka: GuLoader, vbdropper

CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/stealers such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, NetWire and Remcos, often — but not always — from cloud file-hosting services such as Google Drive (the win_cloudeye_w0 rule below also carries a OneDrive download URL prefix). The downloaded payload is XOR-encoded rather than stored in clear, so a second stage captured on the wire has to be decoded before it can be identified; the loader itself is documented in the references below for its anti-VM and anti-analysis tricks.

References
2021-07-07 — YouTube (DuMp-GuY TrIcKsTeR) — Jiří Vinopal
@online{vinopal:20210707:2:85ce7e9, author = {Jiří Vinopal}, title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python}}, date = {2021-07-07}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=-FxyzuRv6Wg}, language = {English}, urldate = {2021-07-20} } [2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
CloudEyE, Loki Password Stealer (PWS)
2021-07-06 — YouTube (DuMp-GuY TrIcKsTeR) — Jiří Vinopal
@online{vinopal:20210706:1:be25f45, author = {Jiří Vinopal}, title = {{[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2}}, date = {2021-07-06}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=K3Yxu_9OUxU}, language = {English}, urldate = {2021-07-20} } [1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
CloudEyE, Loki Password Stealer (PWS)
2021-06-29 — Medium (hidocohen) — Hido Cohen
@online{cohen:20210629:guloaders:a569974, author = {Hido Cohen}, title = {{GuLoader’s Anti-Analysis Techniques}}, date = {2021-06-29}, organization = {Medium hidocohen}, url = {https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195}, language = {English}, urldate = {2021-07-20} } GuLoader’s Anti-Analysis Techniques
CloudEyE
2021-04-19 — Medium (elis531989) — Eli Salem
@online{salem:20210419:dancing:7fbe743, author = {Eli Salem}, title = {{Dancing With Shellcodes: Cracking the latest version of Guloader}}, date = {2021-04-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4}, language = {English}, urldate = {2021-04-20} } Dancing With Shellcodes: Cracking the latest version of Guloader
CloudEyE
2021-04-13 — CERT Polska / NASK — Michał Praszmo
@online{praszmo:20210413:keeping:a524af7, author = {Michał Praszmo}, title = {{Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader}}, date = {2021-04-13}, organization = {CERT Polska / NASK}, url = {https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/}, language = {English}, urldate = {2021-04-14} } Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader
CloudEyE
2021-03-06 — Click All the Things! Blog — Jamie Arndt
@online{arndt:20210306:oleobject1bin:22436df, author = {Jamie Arndt}, title = {{oleObject1.bin – OLe10nATive – shellcode}}, date = {2021-03-06}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/}, language = {English}, urldate = {2021-03-11} } oleObject1.bin – OLe10nATive – shellcode
CloudEyE
2021-02-17 — K7 Security — Lokesh J
@online{j:20210217:guloader:c652eb6, author = {Lokesh J}, title = {{GuLoader Snowballs via MalSpam Campaigns}}, date = {2021-02-17}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21725}, language = {English}, urldate = {2021-03-31} } GuLoader Snowballs via MalSpam Campaigns
CloudEyE
2020-11-18 — VMRay — VMRay Labs Team
@online{team:20201118:malware:2c9a122, author = {VMRay Labs Team}, title = {{Malware Analysis Spotlight: AZORult Delivered by GuLoader}}, date = {2020-11-18}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/}, language = {English}, urldate = {2020-11-25} } Malware Analysis Spotlight: AZORult Delivered by GuLoader
Azorult, CloudEyE
2020-09-17 — Joe Security's Blog — Joe Security
@online{security:20200917:guloaders:fe9ed59, author = {Joe Security}, title = {{GuLoader's VM-Exit Instruction Hammering explained}}, date = {2020-09-17}, organization = {Joe Security's Blog}, url = {https://www.joesecurity.org/blog/3535317197858305930}, language = {English}, urldate = {2021-01-10} } GuLoader's VM-Exit Instruction Hammering explained
CloudEyE
2020-09-08 — MALWATION — malwation
@online{malwation:20200908:malware:1814f92, author = {malwation}, title = {{Malware Config Extraction Diaries #1 – GuLoader}}, date = {2020-09-08}, organization = {MALWATION}, url = {https://malwation.com/malware-config-extraction-diaries-1-guloader/}, language = {English}, urldate = {2021-01-10} } Malware Config Extraction Diaries #1 – GuLoader
CloudEyE
2020-08-10 — Malwarebytes — Jérôme Segura
@online{segura:20200810:sba:afdfd32, author = {Jérôme Segura}, title = {{SBA phishing scams: from malware to advanced social engineering}}, date = {2020-08-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/}, language = {English}, urldate = {2020-08-12} } SBA phishing scams: from malware to advanced social engineering
CloudEyE
2020-08-05 — Blueliv — Carlos Rubio, Blueliv Labs Team
@online{rubio:20200805:playing:5b11606, author = {Carlos Rubio and Blueliv Labs Team}, title = {{Playing with GuLoader Anti-VM techniques}}, date = {2020-08-05}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/}, language = {English}, urldate = {2021-01-10} } Playing with GuLoader Anti-VM techniques
CloudEyE
2020-07-14 — SophosLabs Uncut — Markel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot, BetaBot, CloudEyE, NetWire RC
2020-07-09 — VMRay — Pascal Brackmann
@online{brackmann:20200709:threat:dc4f44e, author = {Pascal Brackmann}, title = {{Threat Bulletin: Dissecting GuLoader’s Evasion Techniques}}, date = {2020-07-09}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/}, language = {English}, urldate = {2021-01-10} } Threat Bulletin: Dissecting GuLoader’s Evasion Techniques
CloudEyE
2020-06-27 — kienmanowar Blog — m4n0w4r
@online{m4n0w4r:20200627:quick:4b18a32, author = {m4n0w4r}, title = {{Quick analysis note about GuLoader (or CloudEyE)}}, date = {2020-06-27}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/}, language = {English}, urldate = {2020-07-13} } Quick analysis note about GuLoader (or CloudEyE)
CloudEyE
2020-06-25 — CrowdStrike — Umesh Wanve
@online{wanve:20200625:guloader:acd7a79, author = {Umesh Wanve}, title = {{GuLoader: Peering Into a Shellcode-based Downloader}}, date = {2020-06-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/guloader-malware-analysis/}, language = {English}, urldate = {2020-12-10} } GuLoader: Peering Into a Shellcode-based Downloader
CloudEyE
2020-06-22 — Proofpoint — Sherrod DeGrippo, Proofpoint Threat Research Team
@online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } Hakbit Ransomware Campaign Against Germany, Austria, Switzerland
CloudEyE, Hakbit
2020-06-08 — Check Point Research — Check Point Research
@online{research:20200608:guloader:1f5e7ae, author = {Check Point Research}, title = {{GuLoader? No, CloudEyE.}}, date = {2020-06-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/guloader-cloudeye/}, language = {English}, urldate = {2020-06-11} } GuLoader? No, CloudEyE.
CloudEyE
2020-05-20 — VIPRE — VIPRE Labs
@online{labs:20200520:unloading:ae230f0, author = {VIPRE Labs}, title = {{Unloading the GuLoader}}, date = {2020-05-20}, organization = {VIPRE}, url = {https://labs.vipre.com/unloading-the-guloader/}, language = {English}, urldate = {2021-01-10} } Unloading the GuLoader
CloudEyE
2020-05-08 — Twitter (@sysopfb) — Jason Reaves
@online{reaves:20200508:guloader:e8262e4, author = {Jason Reaves}, title = {{Tweet on GuLoader anti analysis techniques}}, date = {2020-05-08}, organization = {Twitter (@sysopfb)}, url = {https://twitter.com/sysopfb/status/1258809373159305216}, language = {English}, urldate = {2021-01-05} } Tweet on GuLoader anti analysis techniques
CloudEyE
2020-05-05 — VinCSS — m4n0w4r, Dang Dinh Phuong
@online{m4n0w4r:20200505:guloader:926315b, author = {m4n0w4r and Dang Dinh Phuong}, title = {{GuLoader AntiVM Techniques}}, date = {2020-05-05}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html}, language = {Vietnamese}, urldate = {2020-07-13} } GuLoader AntiVM Techniques
CloudEyE
2020-05-04 — Twitter (@VK_intel) — Vitali Kremez
@online{kremez:20200504:guloader:5d6f001, author = {Vitali Kremez}, title = {{GuLoader API Loader Algorithm}}, date = {2020-05-04}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1257206565146370050}, language = {English}, urldate = {2021-01-05} } GuLoader API Loader Algorithm
CloudEyE
2020-04-29 — Twitter (@VK_intel) — Vitali Kremez
@online{kremez:20200429:some:2fb831b, author = {Vitali Kremez}, title = {{Some Insight into GuLoader family}}, date = {2020-04-29}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1255537954304524288}, language = {English}, urldate = {2021-01-05} } Some Insight into GuLoader family
CloudEyE
2020-04-21 — Twitter (@VK_intel) — Vitali Kremez
@online{kremez:20200421:signed:0a546c1, author = {Vitali Kremez}, title = {{Tweet on Signed GuLoader}}, date = {2020-04-21}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1252678206852907011}, language = {English}, urldate = {2021-01-05} } Tweet on Signed GuLoader
CloudEyE
2020-04-13 — K7 Security — Lokesh J
@online{j:20200413:guloader:a8374ed, author = {Lokesh J}, title = {{GuLoader delivers RATs and Spies in Disguise}}, date = {2020-04-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=20156}, language = {English}, urldate = {2021-01-10} } GuLoader delivers RATs and Spies in Disguise
CloudEyE
2020-04-03 — Palo Alto Networks Unit 42 — Brad Duncan
@online{duncan:20200403:guloader:4b27e7a, author = {Brad Duncan}, title = {{GuLoader: Malspam Campaign Installing NetWire RAT}}, date = {2020-04-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/}, language = {English}, urldate = {2021-01-10} } GuLoader: Malspam Campaign Installing NetWire RAT
CloudEyE, NetWire RC
2020-04-02 — Morphisec — Arnold Osipov
@online{osipov:20200402:guloader:af464fe, author = {Arnold Osipov}, title = {{GuLoader: The RAT Downloader}}, date = {2020-04-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/guloader-the-rat-downloader}, language = {English}, urldate = {2021-01-10} } GuLoader: The RAT Downloader
CloudEyE
2020-04-01 — Cisco — Shyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult, CloudEyE, Formbook, KPOT Stealer, Metamorfo, Nanocore RAT, NetWire RC, TrickBot
2020-03-19 — Twitter (@TheEnergyStory) — Dominik Reichel
@online{reichel:20200319:early:21fec54, author = {Dominik Reichel}, title = {{Tweet on early GuLoader samples dating back to October 2019}}, date = {2020-03-19}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1240608893610459138}, language = {English}, urldate = {2021-01-05} } Tweet on early GuLoader samples dating back to October 2019
CloudEyE
2020-03-15 — Twitter (@TheEnergyStory) — Dominik Reichel
@online{reichel:20200315:guloader:d3bc331, author = {Dominik Reichel}, title = {{GuLoader anti analysis/sandbox tricks}}, date = {2020-03-15}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1239110192060608513}, language = {English}, urldate = {2021-01-05} } GuLoader anti analysis/sandbox tricks
CloudEyE
Yara Rules
[TLP:WHITE] win_cloudeye_auto (20210616 | Detects win.cloudeye.)
rule win_cloudeye_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.cloudeye."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES (commentary only; the rule logic below is the generated one)
     * - Per the DISCLAIMER the byte runs come from unpacked/dumped code, so the
     *   rule targets the decoded stage (memory or a dump), not the packed VB
     *   dropper as delivered. Expect it to miss the on-disk first stage.
     * - Several sequences hinge on 16-bit flag-setting instructions (test ax,bx /
     *   cmp cx,dx / test cx,0x7941) whose result is never consumed inside the
     *   sequence. This looks like interleaved junk code, which would fit the
     *   anti-analysis behaviour the references describe -- treat the byte runs
     *   as build-specific and re-validate them against newer samples.
     * - The only precision controls are the 7-of-10 threshold and the filesize
     *   bound in the condition; there is no per-sequence weighting.
     */


    strings:
        $sequence_0 = { 6a00 6a02 6639c1 6800000040 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6639c1               | cmp                 cx, ax
            //   6800000040           | push                0x40000000

        $sequence_1 = { ffb704080000 ffb518010000 6685d8 e8???????? }
            // n = 4, score = 100
            //   ffb704080000         | push                dword ptr [edi + 0x804]
            //   ffb518010000         | push                dword ptr [ebp + 0x118]
            //   6685d8               | test                ax, bx
            //   e8????????           |                     
            // (e8 ???????? = a call whose relative target is wildcarded, so the
            //  sequence survives relocation of the callee)

        $sequence_2 = { ff7610 8b5520 035614 52 8b8700080000 03460c }
            // n = 6, score = 100
            //   ff7610               | push                dword ptr [esi + 0x10]
            //   8b5520               | mov                 edx, dword ptr [ebp + 0x20]
            //   035614               | add                 edx, dword ptr [esi + 0x14]
            //   52                   | push                edx
            //   8b8700080000         | mov                 eax, dword ptr [edi + 0x800]
            //   03460c               | add                 eax, dword ptr [esi + 0xc]

        $sequence_3 = { 52 51 3d39050000 7545 66f7c14179 }
            // n = 5, score = 100
            //   52                   | push                edx
            //   51                   | push                ecx
            //   3d39050000           | cmp                 eax, 0x539
            //   7545                 | jne                 0x47
            //   66f7c14179           | test                cx, 0x7941
            // NOTE(review): 0x539 is 1337 decimal; the comparison value is an
            // immediate and therefore a fragile, easily re-rolled constant.

        $sequence_4 = { 59 5b 6685da 31c0 83c004 833c0400 }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   5b                   | pop                 ebx
            //   6685da               | test                dx, bx
            //   31c0                 | xor                 eax, eax
            //   83c004               | add                 eax, 4
            //   833c0400             | cmp                 dword ptr [esp + eax], 0

        $sequence_5 = { 3b8f04080000 75d7 ffb70c080000 39c8 ff7520 6639d1 }
            // n = 6, score = 100
            //   3b8f04080000         | cmp                 ecx, dword ptr [edi + 0x804]
            //   75d7                 | jne                 0xffffffd9
            //   ffb70c080000         | push                dword ptr [edi + 0x80c]
            //   39c8                 | cmp                 eax, ecx
            //   ff7520               | push                dword ptr [ebp + 0x20]
            //   6639d1               | cmp                 cx, dx

        $sequence_6 = { 6200 7600 6d 0036 0030 }
            // n = 5, score = 100
            //   6200                 | bound               eax, qword ptr [eax]
            //   7600                 | jbe                 2
            //   6d                   | insd                dword ptr es:[edi], dx
            //   0036                 | add                 byte ptr [esi], dh
            //   0030                 | add                 byte ptr [eax], dh
            // NOTE(review): these bytes (62 00 76 00 6d 00 36 00 30) decode as
            // UTF-16LE "bvm60", presumably a fragment of the VB6 runtime name
            // "msvbvm60.dll" rather than code; the bound/jbe/insd listing above is
            // an artefact of disassembling data. Any VB6 binary may carry this.

        $sequence_7 = { 8b400c 8b4014 8b00 8b5810 84c2 }
            // n = 5, score = 100
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b5810               | mov                 ebx, dword ptr [eax + 0x10]
            //   84c2                 | test                dl, al
            // NOTE(review): the [eax+0xc] -> [eax+0x14] -> [eax] -> [eax+0x10]
            // walk looks like a PEB/loader-list traversal (manual module lookup),
            // but that is an inference from the offsets, not shown here -- verify
            // in the unpacked sample before relying on it.

        $sequence_8 = { 6685d8 e8???????? 6639d8 6685da }
            // n = 4, score = 100
            //   6685d8               | test                ax, bx
            //   e8????????           |                     
            //   6639d8               | cmp                 ax, bx
            //   6685da               | test                dx, bx

        $sequence_9 = { 31d2 48 ffc2 49 }
            // n = 4, score = 100
            //   31d2                 | xor                 edx, edx
            //   48                   | dec                 eax
            //   ffc2                 | inc                 edx
            //   49                   | dec                 ecx
            // NOTE(review): 48/49 are listed as 32-bit dec eax / dec ecx; in 64-bit
            // mode the same bytes are REX prefixes. The rule matches raw bytes either
            // way, so the listing should not be read as proof of a 32-bit code path.

    condition:
        // Seven of the ten byte sequences must be present and the scanned object
        // must be smaller than 90112 bytes (0x16000, 88 KiB). The size bound keeps
        // the rule from firing on large containers, but it will also skip a genuine
        // hit embedded in a bigger file or in a full-process dump -- relax it if
        // you scan whole memory regions rather than extracted modules.
        7 of them and filesize < 90112
}
[TLP:WHITE] win_cloudeye_w0   (20200204 | Shellcode injector and downloader via RegAsm.exe payload)
rule win_cloudeye_w0 {
    meta:
        author = "ditekshen"
        description = "Shellcode injector and downloader via RegAsm.exe payload"
        source = "https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/SCInject.yar"
        malpedia_version = "20200204"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_license = ""
    // NOTE(review): malpedia_license is left empty on this rule (win_cloudeye_auto
    // carries CC BY-SA 4.0); check the CAPEv2 source above before redistributing.
    strings:
        // Clear-text ASCII markers of the downloader stage: WinInet for the fetch,
        // ShellExecuteW / SHCreateDirectoryExW for dropping and launching, a RunOnce
        // key path (persistence; the hive is not part of the string) and a fixed
        // IE11-on-Windows-7-style User-Agent. The condition requires all five.
        $s1 = "wininet.dll" fullword ascii
        $s2 = "ShellExecuteW" fullword ascii
        $s3 = "SHCreateDirectoryExW" fullword ascii
        $s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" fullword ascii
        $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii

        // Wide strings: the VB6 runtime DLL, system/.NET paths, environment-variable
        // names ($o5/$o7 case-insensitive) and the RegAsm.exe host named in the
        // description. Many benign VB6 binaries contain several of these; any two
        // are accepted, so this group adds little on its own.
        $o1 = "msvbvm60.dll" fullword wide
        $o2 = "\\syswow64\\" fullword wide
        $o3 = "\\system32\\" fullword wide
        $o4 = "\\Microsoft.NET\\Framework\\" fullword wide
        $o5 = "USERPROFILE=" wide nocase
        $o6 = "windir=" fullword wide
        $o7 = "APPDATA=" nocase wide
        $o8 = "RegAsm.exe" fullword wide

        // Download-source URL prefixes: Google Drive, OneDrive and what looks like a
        // builder placeholder. $url4 is a bare "http" substring with no fullword
        // modifier, so this group is satisfied by practically any binary that embeds
        // a URL; the rule's precision rests on the $s* and $o* groups above.
        $url1 = "https://drive.google.com/uc?export=download&id=" ascii
        $url2 = "https://onedrive.live.com/download?cid=" ascii
        $url3 = "http://myurl/myfile.bin" fullword ascii
        $url4 = "http" ascii // fallback
    condition:
        // Spelled-out form of: all of ($s*) and 2 of ($o*) and 1 of ($url*)
        $s1 and $s2 and $s3 and $s4 and $s5
        and 2 of ($o1, $o2, $o3, $o4, $o5, $o6, $o7, $o8)
        and any of ($url*)
}