win.cloudeye

aka: GuLoader, vbdropper

CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/stealers such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XOR-encoded.

2024-04-15 | Positive Technologies | Aleksandr Badaev, Kseniya Naumova
SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
LokiBot, 404 Keylogger, Agent Tesla, CloudEyE, Formbook, Remcos, XWorm
2024-03-11 | CyberInt | Adi Bleih
GuLoader Downloaded: A Look at the Latest Iteration
2024-02-09 | YouTube (Embee Research) | Embee_research
Guloader Decoding With Cyberchef
2023-12-06 | Elastic | Daniel Stepanic
Getting gooey with GULOADER: deobfuscating the downloader
2023-09-29 | Intrinsec | CTI Intrinsec, Intrinsec
Ongoing threats targeting the energy industry
Agent Tesla, CloudEyE
2023-09-19 | Checkpoint | Alexey Bukhteyev, Arie Olshtein
Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos
CloudEyE, Remcos
2023-08-10 | AhnLab | AhnLab ASEC Analysis Team
GuLoader Malware Disguised as Tax Invoices and Shipping Statements (Detected by MDS Products)
2023-07-28 | YouTube (SANS Cyber Defense) | Stef Rand
Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads
CloudEyE, QakBot
2023-07-28 | Red Canary | Stef Rand
Drop It Like It's Qbot: Separating malicious droppers, loaders, and crypters from their payloads
CloudEyE, QakBot
CloudEyE — From .lnk to Shellcode
CloudEyE, Remcos
2023-06-29 | Morphisec | Arnold Osipov
GuLoader Campaign Targets Law Firms in the US
GuLoader: Navigating a Maze of Intricacy
2023-05-22 | Check Point | Alexey Bukhteyev, Arie Olshtein
Cloud-based Malware Delivery: The Evolution of GuLoader
Deobfuscating the Latest GuLoader: Automating Analysis with Ghidra Scripting
2023-04-13 | Microsoft | Microsoft Threat Intelligence
Threat actors strive to cause Tax Day headaches
CloudEyE, Remcos
2023-04-10 | Check Point | Check Point
March 2023’s Most Wanted Malware: New Emotet Campaign Bypasses Microsoft Blocks to Distribute Malicious OneNote Files
Agent Tesla, CloudEyE, Emotet, Formbook, Nanocore RAT, NjRAT, QakBot, Remcos, Tofsee
2023-03-11 | Zainware labs | ZainWare
Analyzing GuLoader
2023-01-05 | Symantec | Threat Hunter Team
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa
CloudEyE, Cobalt Strike, MimiKatz, NetWire RC, POORTRY, Quasar RAT, BlueBottle
2022-12-19 | CrowdStrike | Donato Onofri, Sarang Sonawane
Malware Analysis: GuLoader Dissection Reveals New Anti-Analysis Techniques and Code Injection Redundancy
2022-10-12 | Spamhaus | Raashid Bhat
Dissecting the new shellcode-based variant of GuLoader (CloudEyE)
2022-09-12 | VMRay | Pascal Brackmann
The evolution of GuLoader
2022-08-29 | InQuest | David Ledbetter
Office Files, RTF files, Shellcode and more shenanigans
Techniques to simplify the analysis of the GuLoader malware
2022-07-12 | Fortinet | James Slaughter
Spoofed Saudi Purchase Order Drops GuLoader – Part 2
CloudEyE, Cobalt Strike, CryptBot, Emotet, IsaacWiper, QakBot
2022-04-12 | HP | Patrick Schläpfer
Malware Campaigns Targeting African Banking Sector
CloudEyE, Remcos
2022-01-27 | forensicitguy | Tony Lambert
GuLoader Executing Shellcode Using Callback Functions
2021-11-23 | HP | Patrick Schläpfer
RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
AdWind, Ratty, STRRAT, CloudEyE, Formbook, Houdini, Panda Stealer, Remcos
2021-10-01 | HP | HP Wolf Security
Threat Insights Report Q3 - 2021
STRRAT, CloudEyE, NetWire RC, Remcos, TrickBot, Vjw0rm
2021-09-03 | Trend Micro | Mohamad Mokbel
The State of SSL/TLS Certificate Usage in Malware C&C Communications
AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader
2021-08-23 | YouTube (DuMp-GuY TrIcKsTeR) | Jiří Vinopal
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite
CloudEyE, Loki Password Stealer (PWS)
2021-07-07 | YouTube (DuMp-GuY TrIcKsTeR) | Jiří Vinopal
[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python
CloudEyE, Loki Password Stealer (PWS)
2021-07-06 | YouTube (DuMp-GuY TrIcKsTeR) | Jiří Vinopal
[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2
CloudEyE, Loki Password Stealer (PWS)
2021-06-29 | Medium hidocohen | Hido Cohen
GuLoader’s Anti-Analysis Techniques
2021-04-19 | Medium elis531989 | Eli Salem
Dancing With Shellcodes: Cracking the latest version of Guloader
2021-04-13 | CERT Polska / NASK | Michał Praszmo
Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader
2021-03-06 | Click All the Things! Blog | Jamie Arndt
oleObject1.bin – OLe10nATive – shellcode
2021-02-17 | K7 Security | Lokesh J
GuLoader Snowballs via MalSpam Campaigns
2020-11-18 | VMRay | Mateusz Lukaszewski, Pascal Brackmann, VMRay Labs Team
Malware Analysis Spotlight: AZORult Delivered by GuLoader
Azorult, CloudEyE
2020-09-17 | Joe Security's Blog | Joe Security
GuLoader's VM-Exit Instruction Hammering explained
Malware Config Extraction Diaries #1 – GuLoader
2020-08-10 | Malwarebytes | Jérôme Segura
SBA phishing scams: from malware to advanced social engineering
2020-08-05 | Blueliv | Blueliv Labs Team, Carlos Rubio
Playing with GuLoader Anti-VM techniques
2020-07-14 | SophosLabs Uncut | Markel Picado, Sean Gallagher
RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot, BetaBot, CloudEyE, NetWire RC
2020-07-09 | VMRay | Pascal Brackmann
Threat Bulletin: Dissecting GuLoader’s Evasion Techniques
2020-06-27 | kienmanowar Blog | m4n0w4r
Quick analysis note about GuLoader (or CloudEyE)
2020-06-25 | CrowdStrike | Umesh Wanve
GuLoader: Peering Into a Shellcode-based Downloader
2020-06-22 | Proofpoint | Proofpoint Threat Research Team, Sherrod DeGrippo
Hakbit Ransomware Campaign Against Germany, Austria, Switzerland
CloudEyE, Hakbit
2020-06-08 | Check Point Research | Check Point Research
GuLoader? No, CloudEyE.
2020-05-20 | VIPRE | VIPRE Labs
Unloading the GuLoader
2020-05-08 | Twitter (@sysopfb) | Jason Reaves
Tweet on GuLoader anti analysis techniques
2020-05-05 | VinCSS | Dang Dinh Phuong, m4n0w4r
GuLoader AntiVM Techniques
2020-05-04 | Twitter (@VK_intel) | Vitali Kremez
GuLoader API Loader Algorithm
2020-04-29 | Twitter (@VK_intel) | Vitali Kremez
Some Insight into GuLoader family
2020-04-21 | Twitter (@VK_intel) | Vitali Kremez
Tweet on Signed GuLoader
2020-04-13 | K7 Security | Lokesh J
GuLoader delivers RATs and Spies in Disguise
2020-04-03 | Palo Alto Networks Unit 42 | Brad Duncan
GuLoader: Malspam Campaign Installing NetWire RAT
CloudEyE, NetWire RC
2020-04-02 | Morphisec | Arnold Osipov
GuLoader: The RAT Downloader
2020-04-01 | Cisco | Andrea Kaiser, Shyam Sundar Ramaswami
Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult, CloudEyE, Formbook, KPOT Stealer, Metamorfo, Nanocore RAT, NetWire RC, TrickBot
2020-03-19 | Twitter (@TheEnergyStory) | Dominik Reichel
Tweet on early GuLoader samples dating back to October 2019
2020-03-15 | Twitter (@TheEnergyStory) | Dominik Reichel
GuLoader anti analysis/sandbox tricks
Yara Rules
[TLP:WHITE] win_cloudeye_auto (20230808 | Detects win.cloudeye.)
rule win_cloudeye_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.cloudeye."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 83c002 668b1c08 668b140e 6639d3 75e4 83e902 83f900 }
            // n = 7, score = 100
            //   83c002               | add                 eax, 2
            //   668b1c08             | mov                 bx, word ptr [eax + ecx]
            //   668b140e             | mov                 dx, word ptr [esi + ecx]
            //   6639d3               | cmp                 bx, dx
            //   75e4                 | jne                 0xffffffe6
            //   83e902               | sub                 ecx, 2
            //   83f900               | cmp                 ecx, 0

        $sequence_1 = { 7545 66f7c14179 685595db6d e8???????? }
            // n = 4, score = 100
            //   7545                 | jne                 0x47
            //   66f7c14179           | test                cx, 0x7941
            //   685595db6d           | push                0x6ddb9555
            //   e8????????           |                     

        $sequence_2 = { e8???????? 5f 59 83c628 41 3b8f04080000 75a8 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   5f                   | pop                 edi
            //   59                   | pop                 ecx
            //   83c628               | add                 esi, 0x28
            //   41                   | inc                 ecx
            //   3b8f04080000         | cmp                 ecx, dword ptr [edi + 0x804]
            //   75a8                 | jne                 0xffffffaa

        $sequence_3 = { 7408 0185f4000000 eba4 85d8 }
            // n = 4, score = 100
            //   7408                 | je                  0xa
            //   0185f4000000         | add                 dword ptr [ebp + 0xf4], eax
            //   eba4                 | jmp                 0xffffffa6
            //   85d8                 | test                eax, ebx

        $sequence_4 = { 89f8 0500080000 50 6aff }
            // n = 4, score = 100
            //   89f8                 | mov                 eax, edi
            //   0500080000           | add                 eax, 0x800
            //   50                   | push                eax
            //   6aff                 | push                -1

        $sequence_5 = { 6685d2 e8???????? 84ef 80fd37 57 e8???????? 58 }
            // n = 7, score = 100
            //   6685d2               | test                dx, dx
            //   e8????????           |                     
            //   84ef                 | test                bh, ch
            //   80fd37               | cmp                 ch, 0x37
            //   57                   | push                edi
            //   e8????????           |                     
            //   58                   | pop                 eax

        $sequence_6 = { c3 38ed 817e24200000e0 7473 }
            // n = 4, score = 100
            //   c3                   | ret                 
            //   38ed                 | cmp                 ch, ch
            //   817e24200000e0       | cmp                 dword ptr [esi + 0x24], 0xe0000020
            //   7473                 | je                  0x75

        $sequence_7 = { 668b00 6631c8 39c8 6631c3 6681fb4d5a 7407 6639c1 }
            // n = 7, score = 100
            //   668b00               | mov                 ax, word ptr [eax]
            //   6631c8               | xor                 ax, cx
            //   39c8                 | cmp                 eax, ecx
            //   6631c3               | xor                 bx, ax
            //   6681fb4d5a           | cmp                 bx, 0x5a4d
            //   7407                 | je                  9
            //   6639c1               | cmp                 cx, ax

        $sequence_8 = { 0fbae11f 0f82d63c0000 61 0faee8 0f31 0faee8 c1e220 }
            // n = 7, score = 100
            //   0fbae11f             | bt                  ecx, 0x1f
            //   0f82d63c0000         | jb                  0x3cdc
            //   61                   | popal               
            //   0faee8               | lfence              
            //   0f31                 | rdtsc               
            //   0faee8               | lfence              
            //   c1e220               | shl                 edx, 0x20

        $sequence_9 = { 75e4 83e902 83f900 7deb ff742404 }
            // n = 5, score = 100
            //   75e4                 | jne                 0xffffffe6
            //   83e902               | sub                 ecx, 2
            //   83f900               | cmp                 ecx, 0
            //   7deb                 | jge                 0xffffffed
            //   ff742404             | push                dword ptr [esp + 4]

    condition:
        7 of them and filesize < 90112
}
[TLP:WHITE] win_cloudeye_w0   (20200204 | Shellcode injector and downloader via RegAsm.exe payload)
rule win_cloudeye_w0 {
    meta:
        author = "ditekshen"
        description = "Shellcode injector and downloader via RegAsm.exe payload"
        source = ""
        malpedia_version = "20200204"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = ""
        malpedia_license = ""
    strings:
        $s1 = "wininet.dll" fullword ascii
        $s2 = "ShellExecuteW" fullword ascii
        $s3 = "SHCreateDirectoryExW" fullword ascii
        $s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" fullword ascii
        $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii

        $o1 = "msvbvm60.dll" fullword wide
        $o2 = "\\syswow64\\" fullword wide
        $o3 = "\\system32\\" fullword wide
        $o4 = "\\Microsoft.NET\\Framework\\" fullword wide
        $o5 = "USERPROFILE=" wide nocase
        $o6 = "windir=" fullword wide
        $o7 = "APPDATA=" nocase wide
        $o8 = "RegAsm.exe" fullword wide

        $url1 = "" ascii
        $url2 = "" ascii
        $url3 = "http://myurl/myfile.bin" fullword ascii
        $url4 = "http" ascii // fallback
    condition:
        all of ($s*) and 2 of ($o*) and 1 of ($url*)
}