win.cloudeye

CloudEyE

aka: GuLoader, vbdropper

CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs and stealers such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is XOR-encrypted.

References
2021-09-03 | Trend Micro | Mohamad Mokbel
@techreport{mokbel:20210903:state:df86499, author = {Mohamad Mokbel}, title = {{The State of SSL/TLS Certificate Usage in Malware C&C Communications}}, date = {2021-09-03}, institution = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf}, language = {English}, urldate = {2021-09-19} }
Families: AdWind, ostap, AsyncRAT, BazarBackdoor, BitRAT, Buer, Chthonic, CloudEyE, Cobalt Strike, DCRat, Dridex, FindPOS, GootKit, Gozi, IcedID, ISFB, Nanocore RAT, Orcus RAT, PandaBanker, Qadars, QakBot, Quasar RAT, Rockloader, ServHelper, Shifu, SManager, TorrentLocker, TrickBot, Vawtrak, Zeus, Zloader

2021-08-23 | YouTube ( DuMp-GuY TrIcKsTeR) | Jiří Vinopal
@online{vinopal:20210823:2:0b5dba8, author = {Jiří Vinopal}, title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part2] - INetSim + BurpSuite}}, date = {2021-08-23}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=N0wAh26wShE}, language = {English}, urldate = {2021-08-25} }
Families: CloudEyE, Loki Password Stealer (PWS)

2021-07-07 | YouTube ( DuMp-GuY TrIcKsTeR) | Jiří Vinopal
@online{vinopal:20210707:2:85ce7e9, author = {Jiří Vinopal}, title = {{[2] Lokibot analyzing - spoofing GULoader and LokiBot C2 [part1] - Own implementation in Python}}, date = {2021-07-07}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=-FxyzuRv6Wg}, language = {English}, urldate = {2021-07-20} }
Families: CloudEyE, Loki Password Stealer (PWS)

2021-07-06 | YouTube ( DuMp-GuY TrIcKsTeR) | Jiří Vinopal
@online{vinopal:20210706:1:be25f45, author = {Jiří Vinopal}, title = {{[1] Lokibot analyzing - defeating GuLoader with Windbg (Kernel debugging) and Live C2}}, date = {2021-07-06}, organization = {YouTube ( DuMp-GuY TrIcKsTeR)}, url = {https://www.youtube.com/watch?v=K3Yxu_9OUxU}, language = {English}, urldate = {2021-07-20} }
Families: CloudEyE, Loki Password Stealer (PWS)

2021-06-29 | Medium hidocohen | Hido Cohen
@online{cohen:20210629:guloaders:a569974, author = {Hido Cohen}, title = {{GuLoader’s Anti-Analysis Techniques}}, date = {2021-06-29}, organization = {Medium hidocohen}, url = {https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195}, language = {English}, urldate = {2021-07-20} }
Families: CloudEyE

2021-04-19 | Medium elis531989 | Eli Salem
@online{salem:20210419:dancing:7fbe743, author = {Eli Salem}, title = {{Dancing With Shellcodes: Cracking the latest version of Guloader}}, date = {2021-04-19}, organization = {Medium elis531989}, url = {https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4}, language = {English}, urldate = {2021-04-20} }
Families: CloudEyE

2021-04-13 | CERT Polska / NASK | Michał Praszmo
@online{praszmo:20210413:keeping:a524af7, author = {Michał Praszmo}, title = {{Keeping an eye on CloudEyE (GuLoader) - Reverse engineering the loader}}, date = {2021-04-13}, organization = {CERT Polska / NASK}, url = {https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/}, language = {English}, urldate = {2021-04-14} }
Families: CloudEyE

2021-03-06 | Click All the Things! Blog | Jamie Arndt
@online{arndt:20210306:oleobject1bin:22436df, author = {Jamie Arndt}, title = {{oleObject1.bin – OLe10nATive – shellcode}}, date = {2021-03-06}, organization = {Click All the Things! Blog}, url = {https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/}, language = {English}, urldate = {2021-03-11} }
Families: CloudEyE

2021-02-17 | K7 Security | Lokesh J
@online{j:20210217:guloader:c652eb6, author = {Lokesh J}, title = {{GuLoader Snowballs via MalSpam Campaigns}}, date = {2021-02-17}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=21725Lokesh}, language = {English}, urldate = {2021-03-31} }
Families: CloudEyE

2020-11-18 | VMRay | VMRay Labs Team
@online{team:20201118:malware:2c9a122, author = {VMRay Labs Team}, title = {{Malware Analysis Spotlight: AZORult Delivered by GuLoader}}, date = {2020-11-18}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/}, language = {English}, urldate = {2020-11-25} }
Families: Azorult, CloudEyE

2020-09-17 | Joe Security's Blog | Joe Security
@online{security:20200917:guloaders:fe9ed59, author = {Joe Security}, title = {{GuLoader's VM-Exit Instruction Hammering explained}}, date = {2020-09-17}, organization = {Joe Security's Blog}, url = {https://www.joesecurity.org/blog/3535317197858305930}, language = {English}, urldate = {2021-01-10} }
Families: CloudEyE

2020-09-08 | MALWATION | malwation
@online{malwation:20200908:malware:1814f92, author = {malwation}, title = {{Malware Config Extraction Diaries #1 – GuLoader}}, date = {2020-09-08}, organization = {MALWATION}, url = {https://malwation.com/malware-config-extraction-diaries-1-guloader/}, language = {English}, urldate = {2021-01-10} }
Families: CloudEyE

2020-08-10 | Malwarebytes | Jérôme Segura
@online{segura:20200810:sba:afdfd32, author = {Jérôme Segura}, title = {{SBA phishing scams: from malware to advanced social engineering}}, date = {2020-08-10}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/}, language = {English}, urldate = {2020-08-12} }
Families: CloudEyE

2020-08-05 | Blueliv | Carlos Rubio, Blueliv Labs Team
@online{rubio:20200805:playing:5b11606, author = {Carlos Rubio and Blueliv Labs Team}, title = {{Playing with GuLoader Anti-VM techniques}}, date = {2020-08-05}, organization = {Blueliv}, url = {https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/}, language = {English}, urldate = {2021-01-10} }
Families: CloudEyE

2020-07-14 | SophosLabs Uncut | Markel Picado, Sean Gallagher
@online{picado:20200714:raticate:85d260a, author = {Markel Picado and Sean Gallagher}, title = {{RATicate upgrades “RATs as a Service” attacks with commercial “crypter”}}, date = {2020-07-14}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728}, language = {English}, urldate = {2020-07-15} }
Families: LokiBot, BetaBot, CloudEyE, NetWire RC

2020-07-09 | VMRay | Pascal Brackmann
@online{brackmann:20200709:threat:dc4f44e, author = {Pascal Brackmann}, title = {{Threat Bulletin: Dissecting GuLoader’s Evasion Techniques}}, date = {2020-07-09}, organization = {VMRay}, url = {https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/}, language = {English}, urldate = {2021-01-10} }
Families: CloudEyE

2020-06-27 | kienmanowar Blog | m4n0w4r
@online{m4n0w4r:20200627:quick:4b18a32, author = {m4n0w4r}, title = {{Quick analysis note about GuLoader (or CloudEyE)}}, date = {2020-06-27}, organization = {kienmanowar Blog}, url = {https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/}, language = {English}, urldate = {2020-07-13} }
Families: CloudEyE

2020-06-25 | CrowdStrike | Umesh Wanve
@online{wanve:20200625:guloader:acd7a79, author = {Umesh Wanve}, title = {{GuLoader: Peering Into a Shellcode-based Downloader}}, date = {2020-06-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/guloader-malware-analysis/}, language = {English}, urldate = {2020-12-10} }
Families: CloudEyE

2020-06-22 | Proofpoint | Sherrod DeGrippo, Proofpoint Threat Research Team
@online{degrippo:20200622:hakbit:4d8be82, author = {Sherrod DeGrippo and Proofpoint Threat Research Team}, title = {{Hakbit Ransomware Campaign Against Germany, Austria, Switzerland}}, date = {2020-06-22}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland}, language = {English}, urldate = {2020-06-23} }
Families: CloudEyE, Hakbit

2020-06-08 | Check Point Research | Check Point Research
@online{research:20200608:guloader:1f5e7ae, author = {Check Point Research}, title = {{GuLoader? No, CloudEyE.}}, date = {2020-06-08}, organization = {Check Point Research}, url = {https://research.checkpoint.com/2020/guloader-cloudeye/}, language = {English}, urldate = {2020-06-11} }
Families: CloudEyE

2020-05-20 | VIPRE | VIPRE Labs
@online{labs:20200520:unloading:ae230f0, author = {VIPRE Labs}, title = {{Unloading the GuLoader}}, date = {2020-05-20}, organization = {VIPRE}, url = {https://labs.vipre.com/unloading-the-guloader/}, language = {English}, urldate = {2021-01-10} }
Families: CloudEyE

2020-05-08 | Twitter (@sysopfb) | Jason Reaves
@online{reaves:20200508:guloader:e8262e4, author = {Jason Reaves}, title = {{Tweet on GuLoader anti analysis techniques}}, date = {2020-05-08}, organization = {Twitter (@sysopfb)}, url = {https://twitter.com/sysopfb/status/1258809373159305216}, language = {English}, urldate = {2021-01-05} }
Families: CloudEyE

2020-05-05 | VinCSS | m4n0w4r, Dang Dinh Phuong
@online{m4n0w4r:20200505:guloader:926315b, author = {m4n0w4r and Dang Dinh Phuong}, title = {{GuLoader AntiVM Techniques}}, date = {2020-05-05}, organization = {VinCSS}, url = {https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html}, language = {Vietnamese}, urldate = {2020-07-13} }
Families: CloudEyE

2020-05-04 | Twitter (@VK_intel) | Vitali Kremez
@online{kremez:20200504:guloader:5d6f001, author = {Vitali Kremez}, title = {{GuLoader API Loader Algorithm}}, date = {2020-05-04}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1257206565146370050}, language = {English}, urldate = {2021-01-05} }
Families: CloudEyE

2020-04-29 | Twitter (@VK_intel) | Vitali Kremez
@online{kremez:20200429:some:2fb831b, author = {Vitali Kremez}, title = {{Some Insight into GuLoader family}}, date = {2020-04-29}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1255537954304524288}, language = {English}, urldate = {2021-01-05} }
Families: CloudEyE

2020-04-21 | Twitter (@VK_intel) | Vitali Kremez
@online{kremez:20200421:signed:0a546c1, author = {Vitali Kremez}, title = {{Tweet on Signed GuLoader}}, date = {2020-04-21}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1252678206852907011}, language = {English}, urldate = {2021-01-05} }
Families: CloudEyE

2020-04-13 | K7 Security | Lokesh J
@online{j:20200413:guloader:a8374ed, author = {Lokesh J}, title = {{GuLoader delivers RATs and Spies in Disguise}}, date = {2020-04-13}, organization = {K7 Security}, url = {https://labs.k7computing.com/?p=20156}, language = {English}, urldate = {2021-01-10} }
Families: CloudEyE

2020-04-03 | Palo Alto Networks Unit 42 | Brad Duncan
@online{duncan:20200403:guloader:4b27e7a, author = {Brad Duncan}, title = {{GuLoader: Malspam Campaign Installing NetWire RAT}}, date = {2020-04-03}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/}, language = {English}, urldate = {2021-01-10} }
Families: CloudEyE, NetWire RC

2020-04-02 | Morphisec | Arnold Osipov
@online{osipov:20200402:guloader:af464fe, author = {Arnold Osipov}, title = {{GuLoader: The RAT Downloader}}, date = {2020-04-02}, organization = {Morphisec}, url = {https://blog.morphisec.com/guloader-the-rat-downloader}, language = {English}, urldate = {2021-01-10} }
Families: CloudEyE

2020-04-01 | Cisco | Shyam Sundar Ramaswami, Andrea Kaiser
@online{ramaswami:20200401:navigating:965952a, author = {Shyam Sundar Ramaswami and Andrea Kaiser}, title = {{Navigating Cybersecurity During a Pandemic: Latest Malware and Threat Actors}}, date = {2020-04-01}, organization = {Cisco}, url = {https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors}, language = {English}, urldate = {2020-08-19} }
Families: Azorult, CloudEyE, Formbook, KPOT Stealer, Metamorfo, Nanocore RAT, NetWire RC, TrickBot

2020-03-19 | Twitter (@TheEnergyStory) | Dominik Reichel
@online{reichel:20200319:early:21fec54, author = {Dominik Reichel}, title = {{Tweet on early GuLoader samples dating back to October 2019}}, date = {2020-03-19}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1240608893610459138}, language = {English}, urldate = {2021-01-05} }
Families: CloudEyE

2020-03-15 | Twitter (@TheEnergyStory) | Dominik Reichel
@online{reichel:20200315:guloader:d3bc331, author = {Dominik Reichel}, title = {{GuLoader anti analysis/sandbox tricks}}, date = {2020-03-15}, organization = {Twitter (@TheEnergyStory)}, url = {https://twitter.com/TheEnergyStory/status/1239110192060608513}, language = {English}, urldate = {2021-01-05} }
Families: CloudEyE
Yara Rules
[TLP:WHITE] win_cloudeye_auto (20211008 | Detects win.cloudeye.)
rule win_cloudeye_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.cloudeye."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 6a02 6639c1 6800000040 }
            // n = 4, score = 100
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6639c1               | cmp                 cx, ax
            //   6800000040           | push                0x40000000

        $sequence_1 = { ffb704080000 ffb518010000 6685d8 e8???????? }
            // n = 4, score = 100
            //   ffb704080000         | push                dword ptr [edi + 0x804]
            //   ffb518010000         | push                dword ptr [ebp + 0x118]
            //   6685d8               | test                ax, bx
            //   e8????????           |                     

        $sequence_2 = { ff7610 8b5520 035614 52 8b8700080000 03460c }
            // n = 6, score = 100
            //   ff7610               | push                dword ptr [esi + 0x10]
            //   8b5520               | mov                 edx, dword ptr [ebp + 0x20]
            //   035614               | add                 edx, dword ptr [esi + 0x14]
            //   52                   | push                edx
            //   8b8700080000         | mov                 eax, dword ptr [edi + 0x800]
            //   03460c               | add                 eax, dword ptr [esi + 0xc]

        $sequence_3 = { 52 51 3d39050000 7545 66f7c14179 }
            // n = 5, score = 100
            //   52                   | push                edx
            //   51                   | push                ecx
            //   3d39050000           | cmp                 eax, 0x539
            //   7545                 | jne                 0x47
            //   66f7c14179           | test                cx, 0x7941

        $sequence_4 = { 59 5b 6685da 31c0 83c004 833c0400 }
            // n = 6, score = 100
            //   59                   | pop                 ecx
            //   5b                   | pop                 ebx
            //   6685da               | test                dx, bx
            //   31c0                 | xor                 eax, eax
            //   83c004               | add                 eax, 4
            //   833c0400             | cmp                 dword ptr [esp + eax], 0

        $sequence_5 = { 3b8f04080000 75d7 ffb70c080000 39c8 ff7520 6639d1 }
            // n = 6, score = 100
            //   3b8f04080000         | cmp                 ecx, dword ptr [edi + 0x804]
            //   75d7                 | jne                 0xffffffd9
            //   ffb70c080000         | push                dword ptr [edi + 0x80c]
            //   39c8                 | cmp                 eax, ecx
            //   ff7520               | push                dword ptr [ebp + 0x20]
            //   6639d1               | cmp                 cx, dx

        $sequence_6 = { 6200 7600 6d 0036 0030 }
            // n = 5, score = 100
            //   6200                 | bound               eax, qword ptr [eax]
            //   7600                 | jbe                 2
            //   6d                   | insd                dword ptr es:[edi], dx
            //   0036                 | add                 byte ptr [esi], dh
            //   0030                 | add                 byte ptr [eax], dh

        $sequence_7 = { 8b400c 8b4014 8b00 8b5810 84c2 }
            // n = 5, score = 100
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]
            //   8b4014               | mov                 eax, dword ptr [eax + 0x14]
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   8b5810               | mov                 ebx, dword ptr [eax + 0x10]
            //   84c2                 | test                dl, al

        $sequence_8 = { 6685d8 e8???????? 6639d8 6685da }
            // n = 4, score = 100
            //   6685d8               | test                ax, bx
            //   e8????????           |                     
            //   6639d8               | cmp                 ax, bx
            //   6685da               | test                dx, bx

        $sequence_9 = { 31d2 48 ffc2 49 }
            // n = 4, score = 100
            //   31d2                 | xor                 edx, edx
            //   48                   | dec                 eax
            //   ffc2                 | inc                 edx
            //   49                   | dec                 ecx

    condition:
        7 of them and filesize < 90112
}
[TLP:WHITE] win_cloudeye_w0 (20200204 | Shellcode injector and downloader via RegAsm.exe payload)
rule win_cloudeye_w0 {
    meta:
        author = "ditekshen"
        description = "Shellcode injector and downloader via RegAsm.exe payload"
        source = "https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/SCInject.yar"
        malpedia_version = "20200204"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye"
        malpedia_license = ""
    strings:
        $s1 = "wininet.dll" fullword ascii
        $s2 = "ShellExecuteW" fullword ascii
        $s3 = "SHCreateDirectoryExW" fullword ascii
        $s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" fullword ascii
        $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii

        $o1 = "msvbvm60.dll" fullword wide
        $o2 = "\\syswow64\\" fullword wide
        $o3 = "\\system32\\" fullword wide
        $o4 = "\\Microsoft.NET\\Framework\\" fullword wide
        $o5 = "USERPROFILE=" wide nocase
        $o6 = "windir=" fullword wide
        $o7 = "APPDATA=" nocase wide
        $o8 = "RegAsm.exe" fullword wide

        $url1 = "https://drive.google.com/uc?export=download&id=" ascii
        $url2 = "https://onedrive.live.com/download?cid=" ascii
        $url3 = "http://myurl/myfile.bin" fullword ascii
        $url4 = "http" ascii // fallback
    condition:
        all of ($s*) and 2 of ($o*) and 1 of ($url*)
}