BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

GuLoader

32
Global rank
16 infographic chevron month
Month rank
19 infographic chevron week
Week rank
1038
IOCs

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Downloader
Type
Italy
Origin
1 December, 2019
First seen
22 May, 2024
Last seen
Also known as
CloudEyE
vbdropper

How to analyze GuLoader with ANY.RUN

Downloader
Type
Italy
Origin
1 December, 2019
First seen
22 May, 2024
Last seen

IOCs

Hashes
09ec94c4b0172ceb189b7e15b36d82e70fef89a19d20856b5c60211a01693d48
d7750235007c0d35353219bebab9ccb181f7e1d019c265e441a734b19c88dc69
664103fce27db44ec5d391677e582686ebaee9aaee6cf7629b2a73c778d7628f
99b586cc398a20b8c56016b597dd3cca87dee97c73d789cd0831065429a1f5a1
c4c938498c092e2d1e79e40023e98943f9364cca8408c7dc124db38ae3866f6b
6bb050c720d849b96f8f9ba6cadc840d27afdcafe89aea7b5526d127ddd9ef2b
114a7efb95ce3d5b35a36781755d02ad1ef8de4620369416ac62580789d1d85e
bb6a92b2c43488bf8d0310090aa4036b5e292c9ab5030c8ebdd1864cf015f9ba
e1688c649c30cd631479f5744866d1dff3a0c63f9e3cbb0b32fe3d59be911dd3
9afa755ca4d1281b0fa54f6b6d591205d551d4c881f1955b52bb35d242976f88
bdf17c65ec65b47fdb97184d1817af84736dcd9a6c4d183e9a4e9631260e69ae
cbcb7bc0561545b8aba0cd7a2641bb41014d520fdb82c9ab1b47ebe6f590b035
34ed97da7048adf65fa3abe3dc721e6cbc7706a178d3849d473b4da1bfa92c9d
9421483b437544acf326c3a6196608adb154310dae3a08831406678785d82d08
d8933e7d6e91c53200c334528a935434d1b0e2ce2286e9842e75911ea832b8c7
ca45e77ac36dbac665b854501b7d8f9ef85cb98683e5fc757f6ae85f9b08b0dc
fd775fba95fd84104013b657ee28b7b8b756a04a086300a0752228d6c7a333cc
ac559093b826b83ed87524dc07e62d05eaec9b3f13392a1187b65d4b277bd2fa
d0bdc69ed2bcd5332c1b8f871c78a80b4dedf2196d4151c71d32e14fd977050d
629969a0881903021d039f309d10a9028a1b967153706f7db6386c0773ce727d
Domains
mail.elkat.com.my
elkat.com.my
URLs
http://167.160.166.205/XjnsYBiY159.bin
https://drive.google.com/uc?export=download&id=10VQOzdHwCypDXq-f4LrK5izO5Z0tsdyQ
https://villaszilva.hu/SMwiOZTE119.bin
https://drive.google.com/uc?export=download&id=1Wg_4KeUdQB3-dgFb1XmJ7djDOZxJqDfb
https://outdoorshop.ba/XkhznnuKeKxHhcb18.binUdtasTudricohltd.top/XkhznnuKeKxHhcb18.bin
https://drive.google.com/uc?export=download&id=1K1ysHgrMnlJfXc9Gg4-EY_-v8b-2SC9B
http://46.183.222.32/amtEDCTjQadgLql191.bin
https://www.zepingtuzla.com/frVRKelyBPNbD194.bin
https://drive.google.com/uc?export=download&id=1OKDYnwO3s85sfWYBNeY-WHt4-RE2cpcB
https://drive.google.com/uc?export=download&id=1Iw1ePJDtXKYT9bCoHB-Nhsm1Sv3binXY
http://107.174.20.217/ZkKIyzTq148.bin
http://www.qeintechnologies.com/NmBkxeAZlIrfpt226.bin
https://drive.google.com/uc?export=download&id=1K1J55fzGPS9sFQkWm6matRahm3iHYHIN
https://drive.google.com/uc?export=download&id=1uC4q2HrJPc3j_cqewudIt3r3VrCAt60I
https://drive.google.com/uc?export=download&id=1I0LJGKW-kjo-DJHUKoec3dzUFjQKMjxx
https://drive.google.com/uc?export=download&id=1oVtTntL4nWtTzvC7d0R6SFbvzA88x3uB
http://38.15.131.216/TmvfDWknNOPvN247.bin
https://cdn.discordapp.com/attachments/1232238430654562385/1235388447477469256/DIBYlIUb233.bin
https://drive.google.com/uc?export=download&id=1gz78tnMzp-24jg1V-TmEdKjE5v5WEKRO
https://drive.google.com/uc?export=download&id=1AYHmt2bs57Yr79xy1imPloOi3aBM9rnl
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 48
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 657
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 564
comments 0

What is GuLoader malware

Just like the name suggests, GuLoader (sometimes also called CloudEyE and vbdropper) is a first-stage trojan designed to infect a system and drop a final payload. Typically other trojans or RATs. Once the malware makes its way into the victim's system, it attempts to establish a remote connection and download a malicious executable.

This malware is infamous for using advanced anti-detection and obfuscation techniques. It evades network detection, stops executing in virtual environments, and can slip past automatics security systems.

Researchers first observed GuLoader in December 2019, when it was used in a campaign delivering Remcos RAT. Throughout 2020, the trojan kept gaining popularity, at one point accounting for 25% of all packeted samples recorded by Check Point Research. Today, GuLoader remains a highly active threat. It often delivers NanoCore, Agent Tesla, LokiBot, and FormBook.

General description of GuLoader downloader

GuLoader is written in encrypted shellcode wrapped in a Visual Basic 6 (VB6) executable. Notably, it stores second-stage payloads in cloud drive services. Usually, in Google Drive or Microsoft OneDrive. This way, it can establish a connection and download the executable without raising any red flags. The payload is usually encrypted, allowing it to slip past the cloud host’s security measures.

This loader is infamous for its use of anti-analysis techniques:

  1. The shellcode is heavily obfuscated and mixed with generous amounts of junk code.
  2. It detects sandboxes with EnumWindows by counting the number of application windows on the screen and terminates with an error message.
  3. It tampers with debugging software, causing crashes.
  4. It uses process hollowing to inject malicious code into a benign process and evade detection by an antivirus.
  5. To confuse analysts, its PE header contains only generic GetProcAddress instructions.

Like many downloaders, GuLoader is offered as a service. Prices start at $100 per month. It is distributed in the clearnet by a company with a domain name in the .eu zone. The website markets it under the name CloudEye, claiming that this is a security tool intended for protecting applications against cracking. However, the same site contains links to YouTube tutorials that clearly display how to use the software maliciously. They also show how to abuse cloud drives.

Researchers managed to link GuLoader to an Italian-based hacking group by analyzing emails left as contact details in old forum threads. One of the users behind the loader is known under the alias sonykuccio. He advertised a malware variant as far back as 2011 and offered paid services, claiming that he could make other malicious programs harder to detect. That is why GuLoader uses so many intricate anti-evasion techniques.

How to get more information from GuLoader malware

ANY.RUN helps researchers perform malware analysis of GuLoader and track its execution process in an interactive sandbox.

GuLoader text report

Figure 1: GuLoader text report generated by ANY.RUN

ANY.RUN allows users to save time during analysis and present crucial information extracted from malware immediately. Analysts may take a look inside GuLoader malware configuration 10 second after its process started.

GuLoader malware configuration

Figure 2: GuLoader malware configuration

GuLoader execution process

The form of GuLoader's distribution changing over time, but its execution flow always stay pretty straightforward. Since the purpose of GuLoader is to download to the infected system main payload, after its start it check is it run inside virtual environment. When check passed, it starts connection and download payload. Once payload downloaded and starts execution, GuLoader stops.

But even if loader didn't connect to C2 during analysis, you always may look in extracted malware configuration to find out from where GuLoader is wants to receive payload!

Read a detailed analysis of GuLoader in our blog.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Distribution of GuLoader

The distribution method of GuLoader is very typical. The loader is usually delivered as an Office document attachment in spam email campaigns. When downloaded, it uses a macro to install the malicious program. Sometimes it is also delivered as an executable in a .rar archive.

During the pandemic, many campaigns exploited the fear surrounding Covid-19 by mentioning the virus. More recently, attackers have been using fake payment invoices. They will impersonate a bank and use social engineering to trick the victim into downloading an infected file to check “payment details.”

Conclusion

GuLoader is available as a service for a relatively low price, can be easily found in the clearnet, and comes with easy-to-follow instructions. No wonder, then, that creators claim they already have over 5000 clients. Thanks to the combination of advanced anti-evasion tricks and ease of use, we expect its popularity to continue to grow.

Thankfully, GuLoader is easily detectable in ANY.RUN sandbox. It only takes a few minutes to launch an interactive emulation and identify the threat.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy