Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now

GuLoader

34
Global rank
25 infographic chevron month
Month rank
32 infographic chevron week
Week rank
0
IOCs

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Downloader
Type
Italy
Origin
1 December, 2019
First seen
11 December, 2024
Last seen
Also known as
CloudEyE
vbdropper

How to analyze GuLoader with ANY.RUN

Downloader
Type
Italy
Origin
1 December, 2019
First seen
11 December, 2024
Last seen

IOCs

Domains
mail.elkat.com.my
elkat.com.my
URLs
http://pashupatiexports.com/BackdoorNEW_ixNqxYujPy62.bin
https://massagestockton.com/OPJIS%20LK%20FILE_LjiofSP47.bin
https://drive.google.com/uc?export=download&id=1EqbC150yuxihei7OVvzeE1oPo5RvvXgI
http://172.93.187.72/QfLxGBpvVnvtt167.bin
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin
https://drive.google.com/uc?export=download&id=1TCqUy8aQOFSEce1fhmy4Ro5-x-GzJrIK
https://drive.google.com/uc?export=download&id=15SHNM45oBh2I6s3GaIoEDnPi3FcRKwfv
https://clinicadentalimplant.com/images/images/o/bkDEdmp222.csv
https://elchupetedemark.com/wp-admin/lVCuTPzXimCVjJ127.bin
https://qif.ac.ke/flow_AoGPhiVz245.bin
https://cmdtech.com.vn/MY_XXX_VUVHawg214.bin
http://ffvgdsv.ug/ac.exe
https://drive.google.com/uc?export=download&id=1CGkeZyH2aFvlc_s_1D4WWtgHLoHWyhQ7
https://drive.google.com/uc?export=download&id=11NAZslAWBWkK1b4dFviELvvgWl48QHr6
https://onedrive.live.com/download?cid=46B98FE6F0D79519&resid=46B98FE6F0D79519%211842&authkey=ANcfRm-0LjxFJQY
https://onedrive.live.com/download?cid=8D14D74EB13B02D0&resid=8D14D74EB13B02D0%21161&authkey=AAzCpAsT_Jf9zKg
https://drive.google.com/uc?export=download&id=1C-K3KpQoFCqeIvTziAaSxcN9rn5ZA4Bb
https://onedrive.live.com/download?cid=59DDD422D234EC53&resid=59DDD422D234EC53%21109&authkey=AP7E4GdQBTZYNjw
http://85.239.34.152/download/netplus_fbSxHChwA37.bin
https://onedrive.live.com/download?cid=39B0EF49A1959633&resid=39B0EF49A1959633%21118&authkey=AAZyVo4_TWSVbes
Last Seen at

Recent blog posts

post image
Access and Use ANY.RUN’s TI Feeds via MISP
watchers 263
comments 0
post image
Analysis of Nova: A Snake Keylogger Fork
watchers 1376
comments 0
post image
Manufacturing Companies Targeted with New Lum...
watchers 1819
comments 0

What is GuLoader malware

Just like the name suggests, GuLoader (sometimes also called CloudEyE and vbdropper) is a first-stage trojan designed to infect a system and drop a final payload. Typically other trojans or RATs. Once the malware makes its way into the victim's system, it attempts to establish a remote connection and download a malicious executable.

This malware is infamous for using advanced anti-detection and obfuscation techniques. It evades network detection, stops executing in virtual environments, and can slip past automatics security systems.

Researchers first observed GuLoader in December 2019, when it was used in a campaign delivering Remcos RAT. Throughout 2020, the trojan kept gaining popularity, at one point accounting for 25% of all packeted samples recorded by Check Point Research. Today, GuLoader remains a highly active threat. It often delivers NanoCore, Agent Tesla, LokiBot, and FormBook.

General description of GuLoader downloader

GuLoader is written in encrypted shellcode wrapped in a Visual Basic 6 (VB6) executable. Notably, it stores second-stage payloads in cloud drive services. Usually, in Google Drive or Microsoft OneDrive. This way, it can establish a connection and download the executable without raising any red flags. The payload is usually encrypted, allowing it to slip past the cloud host’s security measures.

This loader is infamous for its use of anti-analysis techniques:

  1. The shellcode is heavily obfuscated and mixed with generous amounts of junk code.
  2. It detects sandboxes with EnumWindows by counting the number of application windows on the screen and terminates with an error message.
  3. It tampers with debugging software, causing crashes.
  4. It uses process hollowing to inject malicious code into a benign process and evade detection by an antivirus.
  5. To confuse analysts, its PE header contains only generic GetProcAddress instructions.

Like many downloaders, GuLoader is offered as a service. Prices start at $100 per month. It is distributed in the clearnet by a company with a domain name in the .eu zone. The website markets it under the name CloudEye, claiming that this is a security tool intended for protecting applications against cracking. However, the same site contains links to YouTube tutorials that clearly display how to use the software maliciously. They also show how to abuse cloud drives.

Researchers managed to link GuLoader to an Italian-based hacking group by analyzing emails left as contact details in old forum threads. One of the users behind the loader is known under the alias sonykuccio. He advertised a malware variant as far back as 2011 and offered paid services, claiming that he could make other malicious programs harder to detect. That is why GuLoader uses so many intricate anti-evasion techniques.

How to get more information from GuLoader malware

ANY.RUN helps researchers perform malware analysis of GuLoader and track its execution process in an interactive sandbox.

GuLoader text report

Figure 1: GuLoader text report generated by ANY.RUN

ANY.RUN allows users to save time during analysis and present crucial information extracted from malware immediately. Analysts may take a look inside GuLoader malware configuration 10 second after its process started.

GuLoader malware configuration

Figure 2: GuLoader malware configuration

GuLoader execution process

The distribution method of GuLoader has changed over time, but its execution flow has remained fairly straightforward. The main purpose of GuLoader is to download the primary payload to the infected system. Upon starting, it checks whether it is running inside a virtual environment. If the check passes, it establishes a connection and downloads the payload. Once the payload is downloaded and executed, GuLoader stops.

But even if loader didn't connect to C2 during analysis, you always may look in extracted malware configuration to find out from where GuLoader is wants to receive payload!

Read a detailed analysis of GuLoader in our blog.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution of GuLoader

The distribution method of GuLoader is very typical. The loader is usually delivered as an Office document attachment in spam email campaigns. When downloaded, it uses a macro to install the malicious program. Sometimes it is also delivered as an executable in a .rar archive.

During the pandemic, many campaigns exploited the fear surrounding Covid-19 by mentioning the virus. More recently, attackers have been using fake payment invoices. They will impersonate a bank and use social engineering to trick the victim into downloading an infected file to check “payment details.”

Conclusion

GuLoader is available as a service for a relatively low price, can be easily found in the clearnet, and comes with easy-to-follow instructions. No wonder, then, that creators claim they already have over 5000 clients. Thanks to the combination of advanced anti-evasion tricks and ease of use, we expect its popularity to continue to grow.

Thankfully, GuLoader is easily detectable in ANY.RUN sandbox. It only takes a few minutes to launch an interactive emulation and identify the threat.

HAVE A LOOK AT

Virlock screenshot
Virlock
virlock
Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
Read More
DeerStealer screenshot
DeerStealer
deerstealer
DeerStealer is an information-stealing malware discovered in 2024 by ANY.RUN, primarily targeting sensitive data such as login credentials, browser history, and cryptocurrency wallet details. It is often distributed through phishing campaigns and fake Google ads that mimic legitimate platforms like Google Authenticator. Once installed, it exfiltrates the stolen data to a remote command and control (C2) server. DeerStealer’s ability to disguise itself as legitimate downloads makes it particularly dangerous for unsuspecting users.
Read More
Lumma screenshot
Lumma
lumma
Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.
Read More
Bumblebee Loader screenshot
Bumblebee Loader
bumblebee
Bumblebee is a highly adaptable malware loader, often used by threat actors linked to the Conti and TrickBot cybercrime groups. Since its discovery in 2021, Bumblebee has been leveraged in phishing campaigns and email thread hijacking, primarily to distribute payloads like Cobalt Strike and ransomware. The malware employs obfuscation techniques, such as DLL injection and virtual environment detection, to avoid detection and sandbox analysis. Its command-and-control infrastructure and anti-analysis features allow it to persist on infected devices, where it enables further payload downloads and system compromise.
Read More
Razr screenshot
Razr
razr
Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More