win.cloudeye

CloudEyE

aka: GuLoader, vbdropper

CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/stealers such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XOR-encoded.

References
2022-09-12VMRayPascal Brackmann
@online{brackmann:20220912:evolution:df38f6a, author = {Pascal Brackmann}, title = {{The evolution of GuLoader}}, date = {2022-09-12}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/malware-analysis-spotlight-guloader}, language = {English}, urldate = {2022-09-19} } The evolution of GuLoader
CloudEyE
2022-08-29InQuestDavid Ledbetter
@online{ledbetter:20220829:office:efe24cb, author = {David Ledbetter}, title = {{Office Files, RTF files, Shellcode and more shenanigans}}, date = {2022-08-29}, organization = {InQuest}, url = {https://inquest.net/blog/2022/08/29/office-files-rtf-files-shellcode-and-more-shenanigans}, language = {English}, urldate = {2022-08-31} } Office Files, RTF files, Shellcode and more shenanigans
CloudEyE
2022-07-21Cert-AgIDCert-AgID
@online{certagid:20220721:tecniche:292165d, author = {Cert-AgID}, title = {{Tecniche per semplificare l’analisi del malware GuLoader}}, date = {2022-07-21}, organization = {Cert-AgID}, url = {https://cert-agid.gov.it/news/malware/tecniche-per-semplificare-lanalisi-del-malware-guloader/}, language = {Italian}, urldate = {2022-07-25} } Tecniche per semplificare l’analisi del malware GuLoader
CloudEyE
2022-07-12FortinetJames Slaughter
@online{slaughter:20220712:spoofed:5c3ce2f, author = {James Slaughter}, title = {{Spoofed Saudi Purchase Order Drops GuLoader – Part 2}}, date = {2022-07-12}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two}, language = {English}, urldate = {2022-07-15} } Spoofed Saudi Purchase Order Drops GuLoader – Part 2
CloudEyE
2022-06-02MandiantMandiant
@online{mandiant:20220602:trending:0bcdbc4, author = {Mandiant}, title = {{TRENDING EVIL Q2 2022}}, date = {2022-06-02}, organization = {Mandiant}, url = {https://experience.mandiant.com/trending-evil-2/p/1}, language = {English}, urldate = {2022-06-07} } TRENDING EVIL Q2 2022
CloudEyE Cobalt Strike CryptBot Emotet IsaacWiper QakBot
2022-04-12HPPatrick Schläpfer
@online{schlpfer:20220412:malware:5032799, author = {Patrick Schläpfer}, title = {{Malware Campaigns Targeting African Banking Sector}}, date = {2022-04-12}, organization = {HP}, url = {https://threatresearch.ext.hp.com/malware-campaigns-targeting-african-banking-sector/}, language = {English}, urldate = {2022-04-15} } Malware Campaigns Targeting African Banking Sector
CloudEyE Remcos
2022-01-27forensicitguyTony Lambert
@online{lambert:20220127:guloader:c165a2c, author = {Tony Lambert}, title = {{GuLoader Executing Shellcode Using Callback Functions}}, date = {2022-01-27}, organization = {forensicitguy}, url = {https://forensicitguy.github.io/guloader-executing-shellcode-callbacks/}, language = {English}, urldate = {2022-02-01} } GuLoader Executing Shellcode Using Callback Functions
CloudEyE
2021-11-23HPPatrick Schläpfer
@online{schlpfer:20211123:ratdispenser:4677686, author = {Patrick Schläpfer}, title = {{RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild}}, date = {2021-11-23}, organization = {HP}, url = {https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/}, language = {English}, urldate = {2021-11-29} } RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
AdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos
2021-10HPHP Wolf Security
@techreport{security:202110:threat:49f8fc2, author = {HP Wolf Security}, title = {{Threat Insights Report Q3 - 2021}}, date = {2021-10}, institution = {HP}, url = {https://threatresearch.ext.hp.com/wp-content/uploads/2021/10/HP-Wolf-Security-Threat-Insights-Report-Q3-2021.pdf}, language = {English}, urldate = {2021-10-25} } Threat Insights Report Q3 - 2021
STRRAT CloudEyE NetWire RC Remcos TrickBot Vjw0rm
2021-09-03Trend MicroMohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} } The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind ostap AsyncRAT BazarBackdoor BitRAT Buer Chthonic CloudEyE Cobalt Strike DCRat Dridex FindPOS GootKit Gozi IcedID ISFB Nanocore RAT Orcus RAT PandaBanker Qadars QakBot Quasar RAT Rockloader ServHelper Shifu SManager TorrentLocker TrickBot Vawtrak Zeus Zloader
2021-08-23YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
@online{vinopal:20210823:2:0b5dba8, author = {Jiří Vinopal}, title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite}}, date = {2021-08-23}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=N0wAh26wShE}, language = {English}, urldate = {2021-08-25} } [2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
CloudEyE Loki Password Stealer (PWS)
2021-07-07YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
@online{vinopal:20210707:2:85ce7e9, author = {Jiří Vinopal}, title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python}}, date = {2021-07-07}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=-FxyzuRv6Wg}, language = {English}, urldate = {2021-07-20} } [2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
CloudEyE Loki Password Stealer (PWS)
2021-07-06YouTube ( DuMp-GuY TrIcKsTeR)Jiří Vinopal
@online{vinopal:20210706:1:be25f45, author = {Jiří Vinopal}, title = {{[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2}}, date = {2021-07-06}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=K3Yxu_9OUxU}, language = {English}, urldate = {2021-07-20} } [1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
CloudEyE Loki Password Stealer (PWS)
2021-06-29Medium hidocohenHido Cohen
@online{cohen:20210629:guloaders:a569974, author = {Hido Cohen}, title = {{GuLoader’s Anti-Analysis Techniques}}, date = {2021-06-29}, organization = {Medium hidocohen}, url = {https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195}, language = {English}, urldate = {2021-07-20} } GuLoader’s Anti-Analysis Techniques
CloudEyE
2021-04-19Medium elis531989Eli Salem
@online{salem:20210419:dancing:7fbe743, author = {Eli Salem}, title = {{Dancing With Shellcodes: Cracking the latest version of Guloader}}, date = {2021-04-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4}, language = {English}, urldate = {2021-04-20} } Dancing With Shellcodes: Cracking the latest version of Guloader
CloudEyE
2021-04-13CERT Polska / NASKMichał Praszmo
@online{praszmo:20210413:keeping:a524af7, author = {Michał Praszmo}, title = {{Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader}}, date = {2021-04-13}, organization = {CERT Polska / NASK}, url = {https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/}, language = {English}, urldate = {2021-04-14} } Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader
CloudEyE
2021-03-06Click All the Things! BlogJamie Arndt
@online{arndt:20210306:oleobject1bin:22436df, author = {Jamie Arndt}, title = {{oleObject1.bin – OLe10nATive – shellcode}}, date = {2021-03-06}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/}, language = {English}, urldate = {2021-03-11} } oleObject1.bin – OLe10nATive – shellcode
CloudEyE
2021-02-17K7 SecurityLokesh J
@online{j:20210217:guloader:c652eb6, author = {Lokesh J}, title = {{GuLoader Snowballs via MalSpam Campaigns}}, date = {2021-02-17}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21725Lokesh}, language = {English}, urldate = {2021-03-31} } GuLoader Snowballs via MalSpam Campaigns
CloudEyE
2020-11-18VMRayVMRay Labs Team, Pascal Brackmann, Mateusz Lukaszewski
@online{team:20201118:malware:2c9a122, author = {VMRay Labs Team and Pascal Brackmann and Mateusz Lukaszewski}, title = {{Malware Analysis Spotlight: AZORult Delivered by GuLoader}}, date = {2020-11-18}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/}, language = {English}, urldate = {2022-02-14} } Malware Analysis Spotlight: AZORult Delivered by GuLoader
Azorult CloudEyE
2020-09-17Joe Security's BlogJoe Security
@online{security:20200917:guloaders:fe9ed59, author = {Joe Security}, title = {{GuLoader's VM-Exit Instruction Hammering explained}}, date = {2020-09-17}, organization = {Joe Security's Blog}, url = {https://www.joesecurity.org/blog/3535317197858305930}, language = {English}, urldate = {2021-01-10} } GuLoader's VM-Exit Instruction Hammering explained
CloudEyE
2020-09-08MALWATIONmalwation
@online{malwation:20200908:malware:1814f92, author = {malwation}, title = {{Malware Config Extraction Diaries #1 – GuLoader}}, date = {2020-09-08}, organization = {MALWATION}, url = {https://malwation.com/malware-config-extraction-diaries-1-guloader/}, language = {English}, urldate = {2021-01-10} } Malware Config Extraction Diaries #1 – GuLoader
CloudEyE
2020-08-10MalwarebytesJérôme Segura
@online{segura:20200810:sba:afdfd32, author = {Jérôme Segura}, title = {{SBA phishing scams: from malware to advanced social engineering}}, date = {2020-08-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/}, language = {English}, urldate = {2020-08-12} } SBA phishing scams: from malware to advanced social engineering
CloudEyE
2020-08-05BluelivCarlos Rubio, Blueliv Labs Team
@online{rubio:20200805:playing:5b11606, author = {Carlos Rubio and Blueliv Labs Team}, title = {{Playing with GuLoader Anti-VM techniques}}, date = {2020-08-05}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/}, language = {English}, urldate = {2021-01-10} } Playing with GuLoader Anti-VM techniques
CloudEyE
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-07-09VMRayPascal Brackmann
@online{brackmann:20200709:threat:dc4f44e, author = {Pascal Brackmann}, title = {{Threat Bulletin: Dissecting GuLoader’s Evasion Techniques}}, date = {2020-07-09}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/}, language = {English}, urldate = {2021-01-10} } Threat Bulletin: Dissecting GuLoader’s Evasion Techniques
CloudEyE
2020-06-27kienmanowar Blogm4n0w4r
@online{m4n0w4r:20200627:quick:4b18a32, author = {m4n0w4r}, title = {{Quick analysis note about GuLoader (or CloudEyE)}}, date = {2020-06-27}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/}, language = {English}, urldate = {2020-07-13} } Quick analysis note about GuLoader (or CloudEyE)
CloudEyE
2020-06-25CrowdStrikeUmesh Wanve
@online{wanve:20200625:guloader:acd7a79, author = {Umesh Wanve}, title = {{GuLoader: Peering Into a Shellcode-based Downloader}}, date = {2020-06-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/guloader-malware-analysis/}, language = {English}, urldate = {2020-12-10} } GuLoader: Peering Into a Shellcode-based Downloader
CloudEyE
2020-06-22ProofpointSherrod DeGrippo, Proofpoint Threat Research Team
@online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } Hakbit Ransomware Campaign Against Germany, Austria, Switzerland
CloudEyE Hakbit
2020-06-08Check Point ResearchCheck Point Research
@online{research:20200608:guloader:1f5e7ae, author = {Check Point Research}, title = {{GuLoader? No, CloudEyE.}}, date = {2020-06-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/guloader-cloudeye/}, language = {English}, urldate = {2020-06-11} } GuLoader? No, CloudEyE.
CloudEyE
2020-05-20VIPREVIPRE Labs
@online{labs:20200520:unloading:ae230f0, author = {VIPRE Labs}, title = {{Unloading the GuLoader}}, date = {2020-05-20}, organization = {VIPRE}, url = {https://labs.vipre.com/unloading-the-guloader/}, language = {English}, urldate = {2021-01-10} } Unloading the GuLoader
CloudEyE
2020-05-08Twitter (@sysopfb)Jason Reaves
@online{reaves:20200508:guloader:e8262e4, author = {Jason Reaves}, title = {{Tweet on GuLoader anti analysis techniques}}, date = {2020-05-08}, organization = {Twitter (@sysopfb)}, url = {https://twitter.com/sysopfb/status/1258809373159305216}, language = {English}, urldate = {2021-01-05} } Tweet on GuLoader anti analysis techniques
CloudEyE
2020-05-05VinCSSm4n0w4r, Dang Dinh Phuong
@online{m4n0w4r:20200505:guloader:926315b, author = {m4n0w4r and Dang Dinh Phuong}, title = {{GuLoader AntiVM Techniques}}, date = {2020-05-05}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html}, language = {Vietnamese}, urldate = {2020-07-13} } GuLoader AntiVM Techniques
CloudEyE
2020-05-04Twitter (@VK_intel)Vitali Kremez
@online{kremez:20200504:guloader:5d6f001, author = {Vitali Kremez}, title = {{GuLoader API Loader Algorithm}}, date = {2020-05-04}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1257206565146370050}, language = {English}, urldate = {2021-01-05} } GuLoader API Loader Algorithm
CloudEyE
2020-04-29Twitter (@VK_intel)Vitali Kremez
@online{kremez:20200429:some:2fb831b, author = {Vitali Kremez}, title = {{Some Insight into GuLoader family}}, date = {2020-04-29}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1255537954304524288}, language = {English}, urldate = {2021-01-05} } Some Insight into GuLoader family
CloudEyE
2020-04-21Twitter (@VK_intel)Vitali Kremez
@online{kremez:20200421:signed:0a546c1, author = {Vitali Kremez}, title = {{Tweet on Signed GuLoader}}, date = {2020-04-21}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1252678206852907011}, language = {English}, urldate = {2021-01-05} } Tweet on Signed GuLoader
CloudEyE
2020-04-13K7 SecurityLokesh J
@online{j:20200413:guloader:a8374ed, author = {Lokesh J}, title = {{GuLoader delivers RATs and Spies in Disguise}}, date = {2020-04-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=20156}, language = {English}, urldate = {2021-01-10} } GuLoader delivers RATs and Spies in Disguise
CloudEyE
2020-04-03Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20200403:guloader:4b27e7a, author = {Brad Duncan}, title = {{GuLoader: Malspam Campaign Installing NetWire RAT}}, date = {2020-04-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/}, language = {English}, urldate = {2021-01-10} } GuLoader: Malspam Campaign Installing NetWire RAT
CloudEyE NetWire RC
2020-04-02MorphisecArnold Osipov
@online{osipov:20200402:guloader:af464fe, author = {Arnold Osipov}, title = {{GuLoader: The RAT Downloader}}, date = {2020-04-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/guloader-the-rat-downloader}, language = {English}, urldate = {2021-01-10} } GuLoader: The RAT Downloader
CloudEyE
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-19Twitter (@TheEnergyStory)Dominik Reichel
@online{reichel:20200319:early:21fec54, author = {Dominik Reichel}, title = {{Tweet on early GuLoader samples dating back to October 2019}}, date = {2020-03-19}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1240608893610459138}, language = {English}, urldate = {2021-01-05} } Tweet on early GuLoader samples dating back to October 2019
CloudEyE
2020-03-15Twitter (@TheEnergyStory)Dominik Reichel
@online{reichel:20200315:guloader:d3bc331, author = {Dominik Reichel}, title = {{GuLoader anti analysis/sandbox tricks}}, date = {2020-03-15}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1239110192060608513}, language = {English}, urldate = {2021-01-05} } GuLoader anti analysis/sandbox tricks
CloudEyE
Yara Rules
[TLP:WHITE] win_cloudeye_auto (20220808 | Detects win.cloudeye.)
rule win_cloudeye_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.cloudeye."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Review notes:
     *  - Each $sequence_N below is a raw x86 opcode byte sequence. The
     *    disassembly listed under each one is informational only; it is not
     *    part of the match. The "??" nibbles are wildcards, used here for the
     *    4-byte relative operand of near calls (e8 ????????), so a sequence
     *    matches regardless of where the called function was placed.
     *  - The sequences were taken from memory dumps / unpacked files (see the
     *    disclaimer), so they presumably match the unpacked code rather than
     *    the packed file as delivered - confirm against the scanning
     *    pipeline (memory scan vs. on-disk scan) before relying on this rule.
     */

    strings:
        $sequence_0 = { 80fd0b 6a00 52 6a00 6a00 f6c1ac ff95c0000000 }
            // n = 7, score = 100
            //   80fd0b               | cmp                 ch, 0xb
            //   6a00                 | push                0
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   f6c1ac               | test                cl, 0xac
            //   ff95c0000000         | call                dword ptr [ebp + 0xc0]

        $sequence_1 = { 817e24200000e0 7473 817e2420000060 0f8483000000 817e2460000060 747a }
            // n = 6, score = 100
            //   817e24200000e0       | cmp                 dword ptr [esi + 0x24], 0xe0000020
            //   7473                 | je                  0x75
            //   817e2420000060       | cmp                 dword ptr [esi + 0x24], 0x60000020
            //   0f8483000000         | je                  0x89
            //   817e2460000060       | cmp                 dword ptr [esi + 0x24], 0x60000060
            //   747a                 | je                  0x7c

        $sequence_2 = { c7850001000000001000 89eb 81c300010000 53 }
            // n = 4, score = 100
            //   c7850001000000001000     | mov    dword ptr [ebp + 0x100], 0x100000
            //   89eb                 | mov                 ebx, ebp
            //   81c300010000         | add                 ebx, 0x100
            //   53                   | push                ebx

        $sequence_3 = { 6a40 ff7520 84f4 57 }
            // n = 4, score = 100
            //   6a40                 | push                0x40
            //   ff7520               | push                dword ptr [ebp + 0x20]
            //   84f4                 | test                ah, dh
            //   57                   | push                edi

        $sequence_4 = { 894704 83c710 c70718000000 6639c9 c7470400000000 8b4520 }
            // n = 6, score = 100
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   83c710               | add                 edi, 0x10
            //   c70718000000         | mov                 dword ptr [edi], 0x18
            //   6639c9               | cmp                 cx, cx
            //   c7470400000000       | mov                 dword ptr [edi + 4], 0
            //   8b4520               | mov                 eax, dword ptr [ebp + 0x20]

        $sequence_5 = { 8b4d18 ba51f4087f e8???????? 8985c0000000 84d8 8b4d18 }
            // n = 6, score = 100
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]
            //   ba51f4087f           | mov                 edx, 0x7f08f451
            //   e8????????           |                     
            //   8985c0000000         | mov                 dword ptr [ebp + 0xc0], eax
            //   84d8                 | test                al, bl
            //   8b4d18               | mov                 ecx, dword ptr [ebp + 0x18]

        $sequence_6 = { e8???????? 39d2 5a 85d8 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   39d2                 | cmp                 edx, edx
            //   5a                   | pop                 edx
            //   85d8                 | test                eax, ebx

        $sequence_7 = { 75e4 83e902 83f900 7deb }
            // n = 4, score = 100
            //   75e4                 | jne                 0xffffffe6
            //   83e902               | sub                 ecx, 2
            //   83f900               | cmp                 ecx, 0
            //   7deb                 | jge                 0xffffffed

        $sequence_8 = { e8???????? 83f800 0f85da000000 38da 89e8 0500010000 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   83f800               | cmp                 eax, 0
            //   0f85da000000         | jne                 0xe0
            //   38da                 | cmp                 dl, bl
            //   89e8                 | mov                 eax, ebp
            //   0500010000           | add                 eax, 0x100

        $sequence_9 = { 38fe 837d7001 0f8494000000 39d0 89fe }
            // n = 5, score = 100
            //   38fe                 | cmp                 dh, bh
            //   837d7001             | cmp                 dword ptr [ebp + 0x70], 1
            //   0f8494000000         | je                  0x9a
            //   39d0                 | cmp                 eax, edx
            //   89fe                 | mov                 esi, edi

    condition:
        // At least 7 of the 10 opcode sequences must be present, and the
        // scanned object must be smaller than 90112 bytes (88 KiB). The size
        // bound reduces false positives on large binaries, but it also means
        // a larger dump or a sample padded beyond that limit will not match.
        7 of them and filesize < 90112
}
[TLP:WHITE] win_cloudeye_w0   (20200204 | Shellcode injector and downloader via RegAsm.exe payload)
rule win_cloudeye_w0 {
    meta:
        author = "ditekshen"
        description = "Shellcode injector and downloader via RegAsm.exe payload"
        source = "https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/SCInject.yar"
        malpedia_version = "20200204"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        // NOTE(review): no license is recorded here; check the upstream
        // CAPEv2 source above before redistributing this rule.
        malpedia_license = ""
    strings:
        // $s*: ASCII API/DLL names, the RunOnce autostart registry key and a
        // fixed Internet Explorer 11-style user-agent. All five are required
        // by the condition, so this group carries most of the rule's precision.
        $s1 = "wininet.dll" fullword ascii
        $s2 = "ShellExecuteW" fullword ascii
        $s3 = "SHCreateDirectoryExW" fullword ascii
        $s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" fullword ascii
        $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii

        // $o*: UTF-16 strings - the VB6 runtime (consistent with the VB5/6
        // loader described on this page), system / .NET Framework path
        // fragments, environment-variable names, and the RegAsm.exe process
        // named in the description. Any two of the eight suffice.
        $o1 = "msvbvm60.dll" fullword wide
        $o2 = "\\syswow64\\" fullword wide
        $o3 = "\\system32\\" fullword wide
        $o4 = "\\Microsoft.NET\\Framework\\" fullword wide
        $o5 = "USERPROFILE=" wide nocase
        $o6 = "windir=" fullword wide
        $o7 = "APPDATA=" nocase wide
        $o8 = "RegAsm.exe" fullword wide

        // $url*: payload download sources. $url1/$url2 are Google Drive and
        // OneDrive direct-download URL prefixes; $url3 looks like a builder
        // placeholder left in some samples (unverified). $url4 ("http", not
        // fullword) is a deliberate fallback that nearly any binary will
        // satisfy, so "1 of ($url*)" adds almost no selectivity on its own.
        $url1 = "https://drive.google.com/uc?export=download&id=" ascii
        $url2 = "https://onedrive.live.com/download?cid=" ascii
        $url3 = "http://myurl/myfile.bin" fullword ascii
        $url4 = "http" ascii // fallback
    condition:
        // All five $s strings, any two $o strings and at least one $url
        // string. Unlike win_cloudeye_auto there is no filesize bound, so
        // the $s and $o groups alone keep this rule from matching broadly.
        all of ($s*) and 2 of ($o*) and 1 of ($url*)
}