win.cloudeye

CloudEyE

aka: GuLoader, vbdropper

CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/stealers such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often — but not always — from Google Drive. The downloaded payload is XOR-encoded. For the GuLoader/CloudEyE naming, see the Check Point Research write-up "GuLoader? No, CloudEyE." listed below.

References
2020-11-18 | VMRay | VMRay Labs Team
@online{team:20201118:malware:2c9a122, author = {VMRay Labs Team}, title = {{Malware Analysis Spotlight: AZORult Delivered by GuLoader}}, date = {2020-11-18}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/}, language = {English}, urldate = {2020-11-25} } Malware Analysis Spotlight: AZORult Delivered by GuLoader
Azorult CloudEyE
2020-08-10 | Malwarebytes | Jérôme Segura
@online{segura:20200810:sba:afdfd32, author = {Jérôme Segura}, title = {{SBA phishing scams: from malware to advanced social engineering}}, date = {2020-08-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/}, language = {English}, urldate = {2020-08-12} } SBA phishing scams: from malware to advanced social engineering
CloudEyE
2020-07-14 | SophosLabs Uncut | Markel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} } RATicate upgrades “RATs as a Service” attacks with commercial “crypter”
LokiBot BetaBot CloudEyE NetWire RC
2020-06-27 | kienmanowar Blog | m4n0w4r
@online{m4n0w4r:20200627:quick:4b18a32, author = {m4n0w4r}, title = {{Quick analysis note about GuLoader (or CloudEyE)}}, date = {2020-06-27}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/}, language = {English}, urldate = {2020-07-13} } Quick analysis note about GuLoader (or CloudEyE)
CloudEyE
2020-06-22 | Proofpoint | Sherrod DeGrippo, Proofpoint Threat Research Team
@online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} } Hakbit Ransomware Campaign Against Germany, Austria, Switzerland
CloudEyE Hakbit
2020-06-08 | Check Point Research | Check Point Research
@online{research:20200608:guloader:1f5e7ae, author = {Check Point Research}, title = {{GuLoader? No, CloudEyE.}}, date = {2020-06-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/guloader-cloudeye/}, language = {English}, urldate = {2020-06-11} } GuLoader? No, CloudEyE.
CloudEyE
2020-05-05 | VinCSS | m4n0w4r, Dang Dinh Phuong
@online{m4n0w4r:20200505:guloader:926315b, author = {m4n0w4r and Dang Dinh Phuong}, title = {{GuLoader AntiVM Techniques}}, date = {2020-05-05}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html}, language = {Vietnamese}, urldate = {2020-07-13} } GuLoader AntiVM Techniques
CloudEyE
2020-04-01 | Cisco | Shyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} } Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors
Azorult CloudEyE Formbook KPOT Stealer Metamorfo Nanocore RAT NetWire RC TrickBot
Yara Rules
[TLP:WHITE] win_cloudeye_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_cloudeye_auto {
    // Auto-generated code-sequence signature for CloudEyE/GuLoader
    // (Malpedia family win.cloudeye), produced by yara-signator v0.5.0.
    //
    // The $sequence_* strings are raw x86 opcode fragments lifted from the
    // disassembly of memory dumps and unpacked samples (see DISCLAIMER below).
    // The rule is therefore intended for dumps / unpacked files; a still
    // packed or crypted on-disk dropper will most likely not expose these
    // byte sequences.
    //
    // Match logic: at least 7 of the 10 sequences must be present AND the
    // scanned object must be smaller than 90112 bytes (88 KiB). The size
    // gate both reflects the small VB loader and keeps the short opcode
    // fragments from firing on large, unrelated binaries.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        // Feature classes the generator used to pick sequences: call/jump
        // instructions, data references and immediate values.
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_rule_date = "20201014"
        // NOTE(review): presumably the Malpedia data-set revision the rule was
        // generated from, not the hash of a sample -- confirm against Malpedia.
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each "n" below is the number of instructions in the fragment; "score"
        // is the generator's per-sequence weight (all equal here, so the
        // condition simply counts hits).
        // "e8????????" wildcards the 4-byte relative displacement of a call:
        // the target differs between builds / load addresses, the opcode
        // does not.
        $sequence_0 = { 89e5 8b4508 84d9 8b5d0c 85d8 53 e8???????? }
            // n = 7, score = 100
            //   89e5                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   84d9                 | test                cl, bl
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   85d8                 | test                eax, ebx
            //   53                   | push                ebx
            //   e8????????           |                     

        // NOTE(review): 0x60000060 and 0xc0000040 look like
        // IMAGE_SECTION_HEADER.Characteristics values (offset 0x24 in that
        // struct), i.e. typical .text / .data section flags -- consistent
        // with a loader walking PE section headers, but confirm on a sample.
        $sequence_1 = { 0f8483000000 817e2460000060 747a 817e24400000c0 7465 }
            // n = 5, score = 100
            //   0f8483000000         | je                  0x89
            //   817e2460000060       | cmp                 dword ptr [esi + 0x24], 0x60000060
            //   747a                 | je                  0x7c
            //   817e24400000c0       | cmp                 dword ptr [esi + 0x24], 0xc0000040
            //   7465                 | je                  0x67

        $sequence_2 = { ffc2 ebbb 4d 31d2 }
            // n = 4, score = 100
            //   ffc2                 | inc                 edx
            //   ebbb                 | jmp                 0xffffffbd
            //   4d                   | dec                 ebp
            //   31d2                 | xor                 edx, edx

        $sequence_3 = { 57 e8???????? 6685cb 837d7c00 7417 85db 837d7401 }
            // n = 7, score = 100
            //   57                   | push                edi
            //   e8????????           |                     
            //   6685cb               | test                bx, cx
            //   837d7c00             | cmp                 dword ptr [ebp + 0x7c], 0
            //   7417                 | je                  0x19
            //   85db                 | test                ebx, ebx
            //   837d7401             | cmp                 dword ptr [ebp + 0x74], 1

        $sequence_4 = { 40 41 43 eb0e 3b13 750a 8943fb }
            // n = 7, score = 100
            //   40                   | inc                 eax
            //   41                   | inc                 ecx
            //   43                   | inc                 ebx
            //   eb0e                 | jmp                 0x10
            //   3b13                 | cmp                 edx, dword ptr [ebx]
            //   750a                 | jne                 0xc
            //   8943fb               | mov                 dword ptr [ebx - 5], eax

        // NOTE(review): the 0xf8 added to eax may be sizeof(IMAGE_NT_HEADERS32)
        // (first section header follows the NT headers) -- unverified.
        $sequence_5 = { 0319 05f8000000 8b4810 894c2408 895c2404 }
            // n = 5, score = 100
            //   0319                 | add                 ebx, dword ptr [ecx]
            //   05f8000000           | add                 eax, 0xf8
            //   8b4810               | mov                 ecx, dword ptr [eax + 0x10]
            //   894c2408             | mov                 dword ptr [esp + 8], ecx
            //   895c2404             | mov                 dword ptr [esp + 4], ebx

        // Tight retry loop: call through a function pointer stored at
        // [ebp+0xc8] with one argument and jump backwards while it returns 0.
        $sequence_6 = { 5a 52 6a01 ff95c8000000 83f800 74ea 90 }
            // n = 7, score = 100
            //   5a                   | pop                 edx
            //   52                   | push                edx
            //   6a01                 | push                1
            //   ff95c8000000         | call                dword ptr [ebp + 0xc8]
            //   83f800               | cmp                 eax, 0
            //   74ea                 | je                  0xffffffec
            //   90                   | nop                 

        // Backward-jumping loop keyed on [edi+0x804] != edx.
        $sequence_7 = { 42 52 66f7c283c1 399704080000 75d3 }
            // n = 5, score = 100
            //   42                   | inc                 edx
            //   52                   | push                edx
            //   66f7c283c1           | test                dx, 0xc183
            //   399704080000         | cmp                 dword ptr [edi + 0x804], edx
            //   75d3                 | jne                 0xffffffd5

        $sequence_8 = { 81ef00040000 57 57 ff754c }
            // n = 4, score = 100
            //   81ef00040000         | sub                 edi, 0x400
            //   57                   | push                edi
            //   57                   | push                edi
            //   ff754c               | push                dword ptr [ebp + 0x4c]

        $sequence_9 = { 56 8903 eb2b f6c759 8b18 81e3ffff0000 895d14 }
            // n = 7, score = 100
            //   56                   | push                esi
            //   8903                 | mov                 dword ptr [ebx], eax
            //   eb2b                 | jmp                 0x2d
            //   f6c759               | test                bh, 0x59
            //   8b18                 | mov                 ebx, dword ptr [eax]
            //   81e3ffff0000         | and                 ebx, 0xffff
            //   895d14               | mov                 dword ptr [ebp + 0x14], ebx

    condition:
        // "them" = all ten $sequence_* strings; 90112 bytes = 88 KiB.
        7 of them and filesize < 90112
}
[TLP:WHITE] win_cloudeye_w0   (20200204 | Shellcode injector and downloader via RegAsm.exe payload)
rule win_cloudeye_w0 {
    // Hand-written string signature for the CloudEyE/GuLoader VB6 loader,
    // imported from CAPEv2's SCInject.yar (see meta.source). Unlike the
    // auto-generated win_cloudeye_auto, this rule keys on plaintext strings
    // (imports, registry path, User-Agent, paths) rather than opcode
    // fragments, so it is usable on unpacked binaries and memory dumps alike.
    //
    // The condition has no file-size or PE-magic gate (no uint16(0) == 0x5A4D
    // check), so it will also be evaluated against non-PE data and large
    // files; the $s* strings carry most of the selectivity.
    meta:
        author = "ditekshen"
        description = "Shellcode injector and downloader via RegAsm.exe payload"
        source = "https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/SCInject.yar"
        malpedia_version = "20200204"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
    strings:
        // $s*: ALL five are required. DLL/API names used for HTTP download,
        // process launch and directory creation, the RunOnce autostart key
        // (persistence), and a hard-coded User-Agent.
        $s1 = "wininet.dll" fullword ascii
        $s2 = "ShellExecuteW" fullword ascii
        $s3 = "SHCreateDirectoryExW" fullword ascii
        $s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" fullword ascii
        // Looks like an IE11-on-Windows-7 (WOW64) User-Agent; its fixed
        // value is what makes it a useful indicator.
        $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii

        // $o*: any TWO suffice. Wide strings: the VB6 runtime (matches the
        // VB5/6 family description), system/.NET framework paths, what look
        // like environment-block lookups (trailing "="), and RegAsm.exe --
        // consistent with the description's RegAsm.exe injection target.
        // NOTE(review): several of these ($o2, $o3, $o5, $o6, $o7) are common
        // in benign software, so this group adds little on its own.
        $o1 = "msvbvm60.dll" fullword wide
        $o2 = "\\syswow64\\" fullword wide
        $o3 = "\\system32\\" fullword wide
        $o4 = "\\Microsoft.NET\\Framework\\" fullword wide
        $o5 = "USERPROFILE=" wide nocase
        $o6 = "windir=" fullword wide
        $o7 = "APPDATA=" nocase wide
        $o8 = "RegAsm.exe" fullword wide

        // $url*: any ONE suffices. $url1/$url2 are the Google Drive / OneDrive
        // direct-download prefixes mentioned in the family description;
        // $url3 looks like a leftover builder/template placeholder (unverified).
        $url1 = "https://drive.google.com/uc?export=download&id=" ascii
        $url2 = "https://onedrive.live.com/download?cid=" ascii
        $url3 = "http://myurl/myfile.bin" fullword ascii
        // NOTE(review): a bare "http" (not fullword) is present in almost any
        // binary that speaks HTTP, so "1 of ($url*)" is effectively always
        // satisfied and the rule reduces to "all of ($s*) and 2 of ($o*)".
        // If precision matters, drop $url4 or restrict the clause to
        // $url1/$url2; if the fallback is intentional, keep it but do not
        // treat a $url4-only hit as evidence of a cloud-hosted payload.
        $url4 = "http" ascii // fallback
    condition:
        all of ($s*) and 2 of ($o*) and 1 of ($url*)
}