
GuLoader


GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Downloader
Type
Italy
Origin
1 December, 2019
First seen
3 December, 2023
Last seen
Also known as
CloudEyE
vbdropper

How to analyze GuLoader with ANY.RUN


IOCs



What is GuLoader malware

Just like the name suggests, GuLoader (sometimes also called CloudEyE and vbdropper) is a first-stage trojan designed to infect a system and drop a final payload, typically other trojans or RATs. Once the malware makes its way into the victim's system, it attempts to establish a remote connection and download a malicious executable.

This malware is infamous for its advanced anti-detection and obfuscation techniques. It evades network detection, stops executing in virtual environments, and can slip past automated security systems.

Researchers first observed GuLoader in December 2019, when it was used in a campaign delivering Remcos RAT. Throughout 2020, the trojan kept gaining popularity, at one point accounting for 25% of all packed samples recorded by Check Point Research. Today, GuLoader remains a highly active threat. It often delivers NanoCore, Agent Tesla, LokiBot, and FormBook.

General description of GuLoader downloader

GuLoader is written in encrypted shellcode wrapped in a Visual Basic 6 (VB6) executable. Notably, it stores second-stage payloads in cloud drive services, usually Google Drive or Microsoft OneDrive. This way, it can establish a connection and download the executable without raising any red flags. The payload is usually encrypted, allowing it to slip past the cloud host's security measures.

This loader is infamous for its use of anti-analysis techniques:

  1. The shellcode is heavily obfuscated and mixed with generous amounts of junk code.
  2. It detects sandboxes by calling EnumWindows to count the application windows on screen, and terminates with an error message.
  3. It tampers with debugging software, causing crashes.
  4. It uses process hollowing to inject malicious code into a benign process and evade antivirus detection.
  5. To confuse analysts, its PE header contains only generic GetProcAddress instructions.

Like many downloaders, GuLoader is offered as a service. Prices start at $100 per month. It is distributed on the clearnet by a company with a domain name in the .eu zone. The website markets it under the name CloudEye, claiming that it is a security tool intended to protect applications against cracking. However, the same site links to YouTube tutorials that clearly show how to use the software maliciously, including how to abuse cloud drives.

Researchers linked GuLoader to an Italy-based hacking group by analyzing emails left as contact details in old forum threads. One of the users behind the loader is known by the alias sonykuccio. He advertised a malware variant as far back as 2011 and offered paid services, claiming he could make other malicious programs harder to detect. That is why GuLoader uses so many intricate evasion techniques.

How to get more information from GuLoader malware

ANY.RUN helps researchers perform malware analysis of GuLoader and track its execution process in an interactive sandbox.

Figure 1: GuLoader text report generated by ANY.RUN

ANY.RUN saves analysts time by presenting the crucial information extracted from the malware immediately. Analysts can look inside the GuLoader malware configuration 10 seconds after its process starts.

Figure 2: GuLoader malware configuration

GuLoader execution process

The form of GuLoader's distribution has changed over time, but its execution flow has always stayed fairly straightforward. Since the purpose of GuLoader is to download the main payload to the infected system, after starting it first checks whether it is running inside a virtual environment. If the check passes, it opens a connection and downloads the payload. Once the payload has been downloaded and starts executing, GuLoader stops.

Even if the loader did not connect to its C2 during analysis, you can always look at the extracted malware configuration to find out where GuLoader wants to fetch its payload from.
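The cloud-hosted payload URLs described above, and the extracted configuration just mentioned, are where a defender gets the most value from a GuLoader run. The following is an added example, not ANY.RUN's code: it pulls every URL out of a configuration or report text and classifies it by hosting class, so direct-download links on Google Drive or OneDrive and raw-IP hosts can be prioritised for blocking. The sample text, its URLs and the domain list are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the "malware configuration" block of a sandbox report.
# Every URL here is made up for this example; none is a real indicator.
SAMPLE_CONFIG = """
GuLoader config
PayloadURL: https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID_1
Fallback:   https://onedrive.live.com/download?cid=EXAMPLE_CID&resid=EXAMPLE_RES
Other:      http://203.0.113.10/payload_example.bin
Benign:     https://example.com/index.html
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Hosting classes used by this example. The domain list is an assumption chosen to
# match the two cloud services the page names (Google Drive and Microsoft OneDrive).
CLOUD_HOSTS = {
    "drive.google.com": "google_drive",
    "onedrive.live.com": "onedrive",
}

def classify_url(url):
    """Return (hosting_class, detail) for one URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    query = parse_qs(parsed.query)
    if host in CLOUD_HOSTS:
        # Direct-download forms: Google Drive "uc?export=download&id=..." and
        # OneDrive "download?cid=...&resid=..."; anything else is a share/view link.
        is_direct = ("export" in query and query["export"] == ["download"]) or "resid" in query
        return CLOUD_HOSTS[host], "direct_download" if is_direct else "other"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "raw_ip", host
    return "other", host

def extract_payload_urls(text):
    """Pull every URL out of a config/report text and classify it."""
    return [(u, *classify_url(u)) for u in URL_RE.findall(text)]

def suspicious(text):
    """URLs worth blocking or hunting: cloud direct downloads and raw-IP hosts."""
    return [u for u, cls, det in extract_payload_urls(text)
            if (cls in ("google_drive", "onedrive") and det == "direct_download")
            or cls == "raw_ip"]
```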

Read a detailed analysis of GuLoader in our blog.

Distribution of GuLoader

The distribution method of GuLoader is very typical. The loader is usually delivered as an Office document attachment in spam email campaigns. When downloaded, it uses a macro to install the malicious program. Sometimes it is also delivered as an executable in a .rar archive.

During the pandemic, many campaigns exploited the fear surrounding Covid-19 by mentioning the virus. More recently, attackers have been using fake payment invoices. They will impersonate a bank and use social engineering to trick the victim into downloading an infected file to check “payment details.”

Conclusion

GuLoader is available as a service for a relatively low price, can be found easily on the clearnet, and comes with easy-to-follow instructions. No wonder, then, that its creators claim to already have over 5000 clients. Thanks to the combination of advanced evasion tricks and ease of use, we expect its popularity to continue to grow.

Thankfully, GuLoader is easily detectable in the ANY.RUN sandbox. It only takes a few minutes to launch an interactive emulation and identify the threat.
