SYMBOLCOMMON_NAMEaka. SYNONYMS
win.cloudeye (Back to overview)

CloudEyE

aka: GuLoader, vbdropper

CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.

References
2021-04-13CERT Polska / NASKMichał Praszmo
@online{praszmo:20210413:keeping:a524af7, author = {Michał Praszmo}, title = {{Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader}}, date = {2021-04-13}, organization = {CERT Polska / NASK}, url = {https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/}, language = {English}, urldate = {2021-04-14} } Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader
CloudEyE
2021-03-06Click All the Things! BlogJamie Arndt
@online{arndt:20210306:oleobject1bin:22436df, author = {Jamie Arndt}, title = {{oleObject1.bin – OLe10nATive – shellcode}}, date = {2021-03-06}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/}, language = {English}, urldate = {2021-03-11} } oleObject1.bin – OLe10nATive – shellcode
CloudEyE
2021-02-17K7 SecurityLokesh J
@online{j:20210217:guloader:c652eb6, author = {Lokesh J}, title = {{GuLoader Snowballs via MalSpam Campaigns}}, date = {2021-02-17}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21725Lokesh}, language = {English}, urldate = {2021-03-31} } GuLoader Snowballs via MalSpam Campaigns
CloudEyE
2020-11-18VMRayVMRay Labs Team
@online{team:20201118:malware:2c9a122, author = {VMRay Labs Team}, title = {{Malware Analysis Spotlight: AZORult Delivered by GuLoader}}, date = {2020-11-18}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/}, language = {English}, urldate = {2020-11-25} } Malware Analysis Spotlight: AZORult Delivered by GuLoader
Azorult CloudEyE
2020-09-17Joe Security's BlogJoe Security
@online{security:20200917:guloaders:fe9ed59, author = {Joe Security}, title = {{GuLoader's VM-Exit Instruction Hammering explained}}, date = {2020-09-17}, organization = {Joe Security's Blog}, url = {https://www.joesecurity.org/blog/3535317197858305930}, language = {English}, urldate = {2021-01-10} } GuLoader's VM-Exit Instruction Hammering explained
CloudEyE
2020-09-08MALWATIONmalwation
@online{malwation:20200908:malware:1814f92, author = {malwation}, title = {{Malware Config Extraction Diaries #1 – GuLoader}}, date = {2020-09-08}, organization = {MALWATION}, url = {https://malwation.com/malware-config-extraction-diaries-1-guloader/}, language = {English}, urldate = {2021-01-10} } Malware Config Extraction Diaries #1 – GuLoader
CloudEyE
2020-08-10MalwarebytesJérôme Segura
@online{segura:20200810:sba:afdfd32, author = {Jérôme Segura}, title = {{SBA phishing scams: from malware to advanced social engineering}}, date = {2020-08-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/}, language = {English}, urldate = {2020-08-12} } SBA phishing scams: from malware to advanced social engineering
CloudEyE
2020-08-05BluelivCarlos Rubio, Blueliv Labs Team
@online{rubio:20200805:playing:5b11606, author = {Carlos Rubio and Blueliv Labs Team}, title = {{Playing with GuLoader Anti-VM techniques}}, date = {2020-08-05}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/}, language = {English}, urldate = {2021-01-10} } Playing with GuLoader Anti-VM techniques
CloudEyE
2020-07-14SophosLabs UncutMarkel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-07-09VMRayPascal Brackmann
@online{brackmann:20200709:threat:dc4f44e, author = {Pascal Brackmann}, title = {{Threat Bulletin: Dissecting GuLoader’s Evasion Techniques}}, date = {2020-07-09}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/}, language = {English}, urldate = {2021-01-10} } Threat Bulletin: Dissecting GuLoader’s Evasion Techniques
CloudEyE
2020-06-27kienmanowar Blogm4n0w4r
@online{m4n0w4r:20200627:quick:4b18a32, author = {m4n0w4r}, title = {{Quick analysis note about GuLoader (or CloudEyE)}}, date = {2020-06-27}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/}, language = {English}, urldate = {2020-07-13} } Quick analysis note about GuLoader (or CloudEyE)
CloudEyE
2020-06-25CrowdStrikeUmesh Wanve
@online{wanve:20200625:guloader:acd7a79, author = {Umesh Wanve}, title = {{GuLoader: Peering Into a Shellcode-based Downloader}}, date = {2020-06-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/guloader-malware-analysis/}, language = {English}, urldate = {2020-12-10} } GuLoader: Peering Into a Shellcode-based Downloader
CloudEyE
2020-06-22ProofpointSherrod DeGrippo, Proofpoint Threat Research Team
@online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } Hakbit Ransomware Campaign Against Germany, Austria, Switzerland
CloudEyE Hakbit
2020-06-08Check Point ResearchCheck Point Research
@online{research:20200608:guloader:1f5e7ae, author = {Check Point Research}, title = {{GuLoader? No, CloudEyE.}}, date = {2020-06-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/guloader-cloudeye/}, language = {English}, urldate = {2020-06-11} } GuLoader? No, CloudEyE.
CloudEyE
2020-05-20VIPREVIPRE Labs
@online{labs:20200520:unloading:ae230f0, author = {VIPRE Labs}, title = {{Unloading the GuLoader}}, date = {2020-05-20}, organization = {VIPRE}, url = {https://labs.vipre.com/unloading-the-guloader/}, language = {English}, urldate = {2021-01-10} } Unloading the GuLoader
CloudEyE
2020-05-08Twitter (@sysopfb)Jason Reaves
@online{reaves:20200508:guloader:e8262e4, author = {Jason Reaves}, title = {{Tweet on GuLoader anti analysis techniques}}, date = {2020-05-08}, organization = {Twitter (@sysopfb)}, url = {https://twitter.com/sysopfb/status/1258809373159305216}, language = {English}, urldate = {2021-01-05} } Tweet on GuLoader anti analysis techniques
CloudEyE
2020-05-05VinCSSm4n0w4r, Dang Dinh Phuong
@online{m4n0w4r:20200505:guloader:926315b, author = {m4n0w4r and Dang Dinh Phuong}, title = {{GuLoader AntiVM Techniques}}, date = {2020-05-05}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html}, language = {Vietnamese}, urldate = {2020-07-13} } GuLoader AntiVM Techniques
CloudEyE
2020-05-04Twitter (@VK_intel)Vitali Kremez
@online{kremez:20200504:guloader:5d6f001, author = {Vitali Kremez}, title = {{GuLoader API Loader Algorithm}}, date = {2020-05-04}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1257206565146370050}, language = {English}, urldate = {2021-01-05} } GuLoader API Loader Algorithm
CloudEyE
2020-04-29Twitter (@VK_intel)Vitali Kremez
@online{kremez:20200429:some:2fb831b, author = {Vitali Kremez}, title = {{Some Insight into GuLoader family}}, date = {2020-04-29}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1255537954304524288}, language = {English}, urldate = {2021-01-05} } Some Insight into GuLoader family
CloudEyE
2020-04-21Twitter (@VK_intel)Vitali Kremez
@online{kremez:20200421:signed:0a546c1, author = {Vitali Kremez}, title = {{Tweet on Signed GuLoader}}, date = {2020-04-21}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1252678206852907011}, language = {English}, urldate = {2021-01-05} } Tweet on Signed GuLoader
CloudEyE
2020-04-13K7 SecurityLokesh J
@online{j:20200413:guloader:a8374ed, author = {Lokesh J}, title = {{GuLoader delivers RATs and Spies in Disguise}}, date = {2020-04-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=20156}, language = {English}, urldate = {2021-01-10} } GuLoader delivers RATs and Spies in Disguise
CloudEyE
2020-04-03Palo Alto Networks Unit 42Brad Duncan
@online{duncan:20200403:guloader:4b27e7a, author = {Brad Duncan}, title = {{GuLoader: Malspam Campaign Installing NetWire RAT}}, date = {2020-04-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/}, language = {English}, urldate = {2021-01-10} } GuLoader: Malspam Campaign Installing NetWire RAT
CloudEyE NetWire RC
2020-04-02MorphisecArnold Osipov
@online{osipov:20200402:guloader:af464fe, author = {Arnold Osipov}, title = {{GuLoader: The RAT Downloader}}, date = {2020-04-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/guloader-the-rat-downloader}, language = {English}, urldate = {2021-01-10} } GuLoader: The RAT Downloader
CloudEyE
2020-04-01CiscoShyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
2020-03-19Twitter (@TheEnergyStory)Dominik Reichel
@online{reichel:20200319:early:21fec54, author = {Dominik Reichel}, title = {{Tweet on early GuLoader samples dating back to October 2019}}, date = {2020-03-19}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1240608893610459138}, language = {English}, urldate = {2021-01-05} } Tweet on early GuLoader samples dating back to October 2019
CloudEyE
2020-03-15Twitter (@TheEnergyStory)Dominik Reichel
@online{reichel:20200315:guloader:d3bc331, author = {Dominik Reichel}, title = {{GuLoader anti analysis/sandbox tricks}}, date = {2020-03-15}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1239110192060608513}, language = {English}, urldate = {2021-01-05} } GuLoader anti analysis/sandbox tricks
CloudEyE
Yara Rules
[TLP:WHITE] win_cloudeye_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_cloudeye_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 80fd0b 6a00 52 6a00 6a00 f6c1ac ff95c0000000 }
            // n = 7, score = 100
            //   80fd0b               | cmp                 ch, 0xb
            //   6a00                 | push                0
            //   52                   | push                edx
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   f6c1ac               | test                cl, 0xac
            //   ff95c0000000         | call                dword ptr [ebp + 0xc0]

        $sequence_1 = { 677261 6d 204669 6c 65735c 51 656d }
            // n = 7, score = 100
            //   677261               | jb                  0x64
            //   6d                   | insd                dword ptr es:[edi], dx
            //   204669               | and                 byte ptr [esi + 0x69], al
            //   6c                   | insb                byte ptr es:[edi], dx
            //   65735c               | jae                 0x5f
            //   51                   | push                ecx
            //   656d                 | insd                dword ptr es:[edi], dx

        $sequence_2 = { c7850001000000001000 89eb 81c300010000 53 }
            // n = 4, score = 100
            //   c7850001000000001000     | mov    dword ptr [ebp + 0x100], 0x100000
            //   89eb                 | mov                 ebx, ebp
            //   81c300010000         | add                 ebx, 0x100
            //   53                   | push                ebx

        $sequence_3 = { 41 43 eb0e 3b13 750a }
            // n = 5, score = 100
            //   41                   | inc                 ecx
            //   43                   | inc                 ebx
            //   eb0e                 | jmp                 0x10
            //   3b13                 | cmp                 edx, dword ptr [ebx]
            //   750a                 | jne                 0xc

        $sequence_4 = { 83c628 83c328 42 52 66f7c283c1 399704080000 }
            // n = 6, score = 100
            //   83c628               | add                 esi, 0x28
            //   83c328               | add                 ebx, 0x28
            //   42                   | inc                 edx
            //   52                   | push                edx
            //   66f7c283c1           | test                dx, 0xc183
            //   399704080000         | cmp                 dword ptr [edi + 0x804], edx

        $sequence_5 = { 6a00 6a00 80fd0b 6a00 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   80fd0b               | cmp                 ch, 0xb
            //   6a00                 | push                0

        $sequence_6 = { e8???????? 39d2 5a 85d8 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   39d2                 | cmp                 edx, edx
            //   5a                   | pop                 edx
            //   85d8                 | test                eax, ebx

        $sequence_7 = { 75e4 83e902 83f900 7deb }
            // n = 4, score = 100
            //   75e4                 | jne                 0xffffffe6
            //   83e902               | sub                 ecx, 2
            //   83f900               | cmp                 ecx, 0
            //   7deb                 | jge                 0xffffffed

        $sequence_8 = { 75e9 c20400 6685da 81f9130a8c30 b839050000 }
            // n = 5, score = 100
            //   75e9                 | jne                 0xffffffeb
            //   c20400               | ret                 4
            //   6685da               | test                dx, bx
            //   81f9130a8c30         | cmp                 ecx, 0x308c0a13
            //   b839050000           | mov                 eax, 0x539

        $sequence_9 = { 38fe 837d7001 0f8494000000 39d0 89fe }
            // n = 5, score = 100
            //   38fe                 | cmp                 dh, bh
            //   837d7001             | cmp                 dword ptr [ebp + 0x70], 1
            //   0f8494000000         | je                  0x9a
            //   39d0                 | cmp                 eax, edx
            //   89fe                 | mov                 esi, edi

    condition:
        7 of them and filesize < 90112
}
[TLP:WHITE] win_cloudeye_w0   (20200204 | Shellcode injector and downloader via RegAsm.exe payload)
rule win_cloudeye_w0 {
    meta:
        author = "ditekshen"
        description = "Shellcode injector and downloader via RegAsm.exe payload"
        source = "https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/SCInject.yar"
        malpedia_version = "20200204"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_license = ""
    strings:
        $s1 = "wininet.dll" fullword ascii
        $s2 = "ShellExecuteW" fullword ascii
        $s3 = "SHCreateDirectoryExW" fullword ascii
        $s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" fullword ascii
        $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii

        $o1 = "msvbvm60.dll" fullword wide
        $o2 = "\\syswow64\\" fullword wide
        $o3 = "\\system32\\" fullword wide
        $o4 = "\\Microsoft.NET\\Framework\\" fullword wide
        $o5 = "USERPROFILE=" wide nocase
        $o6 = "windir=" fullword wide
        $o7 = "APPDATA=" nocase wide
        $o8 = "RegAsm.exe" fullword wide

        $url1 = "https://drive.google.com/uc?export=download&id=" ascii
        $url2 = "https://onedrive.live.com/download?cid=" ascii
        $url3 = "http://myurl/myfile.bin" fullword ascii
        $url4 = "http" ascii // fallback
    condition:
        all of ($s*) and 2 of ($o*) and 1 of ($url*)
}
Download all Yara Rules