
GuLoader


GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Downloader
Type
Italy
Origin
1 December, 2019
First seen
14 October, 2024
Last seen
Also known as
CloudEyE
vbdropper


IOCs



What is GuLoader malware

As its name suggests, GuLoader (also known as CloudEyE and vbdropper) is a first-stage trojan designed to infect a system and drop a final payload, typically another trojan or a RAT. Once the malware makes its way onto the victim's system, it attempts to establish a remote connection and download a malicious executable.

This malware is infamous for its advanced anti-detection and obfuscation techniques. It evades network detection, stops executing in virtual environments, and can slip past automated security systems.

Researchers first observed GuLoader in December 2019, when it was used in a campaign delivering Remcos RAT. Throughout 2020, the trojan kept gaining popularity, at one point accounting for 25% of all packed samples recorded by Check Point Research. Today, GuLoader remains a highly active threat. It often delivers NanoCore, Agent Tesla, LokiBot, and FormBook.

General description of GuLoader downloader

GuLoader is written as encrypted shellcode wrapped in a Visual Basic 6 (VB6) executable. Notably, it stores second-stage payloads in cloud drive services, usually Google Drive or Microsoft OneDrive. This way, it can establish a connection and download the executable without raising any red flags, because the traffic goes to a trusted host. The payload is usually encrypted, allowing it to slip past the cloud host's security measures.

This loader is infamous for its use of anti-analysis techniques:

  1. The shellcode is heavily obfuscated and mixed with generous amounts of junk code.
  2. It detects sandboxes with EnumWindows by counting the number of application windows on the screen and terminates with an error message.
  3. It tampers with debugging software, causing crashes.
  4. It uses process hollowing to inject malicious code into a benign process and evade detection by an antivirus.
  5. To confuse analysts, its PE header contains only generic GetProcAddress instructions.

Like many downloaders, GuLoader is offered as a service. Prices start at $100 per month. It is distributed in the clearnet by a company with a domain name in the .eu zone. The website markets it under the name CloudEye, claiming that this is a security tool intended for protecting applications against cracking. However, the same site contains links to YouTube tutorials that clearly display how to use the software maliciously. They also show how to abuse cloud drives.

Researchers managed to link GuLoader to an Italy-based hacking group by analyzing emails left as contact details in old forum threads. One of the users behind the loader is known under the alias sonykuccio. He advertised a malware variant as far back as 2011 and offered paid services, claiming that he could make other malicious programs harder to detect. That is why GuLoader uses so many intricate evasion techniques.

How to get more information from GuLoader malware

ANY.RUN helps researchers perform malware analysis of GuLoader and track its execution process in an interactive sandbox.


Figure 1: GuLoader text report generated by ANY.RUN

ANY.RUN allows users to save time during analysis and presents crucial information extracted from malware immediately. Analysts can look inside the GuLoader malware configuration 10 seconds after its process starts.


Figure 2: GuLoader malware configuration

GuLoader execution process

The distribution method of GuLoader has changed over time, but its execution flow has remained fairly straightforward. The main purpose of GuLoader is to download the primary payload to the infected system. Upon starting, it checks whether it is running inside a virtual environment. If the check passes, it establishes a connection and downloads the payload. Once the payload is downloaded and executed, GuLoader stops.

Even if the loader did not connect to its C2 during analysis, you can always look at the extracted malware configuration to find out where GuLoader intends to fetch its payload from.
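The two points above, that GuLoader fetches its payload from Google Drive or OneDrive direct-download links and that the download location is visible in the extracted configuration even when the sample never phones home, can be turned into a simple proxy-log triage check. The example below is added here and is not ANY.RUN's code or GuLoader's; the log lines are constructed, and the file-name pattern for self-hosted payloads is an assumption drawn from the URL shapes shown on this page.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed proxy log lines (not from the page): "timestamp host method url".
SAMPLE_LOG = """\
2024-10-14T09:12:01Z wks-17 GET https://drive.google.com/uc?export=download&id=EXAMPLE_FILE_ID_1
2024-10-14T09:12:05Z wks-17 GET https://onedrive.live.com/download?cid=EXAMPLECID&resid=EXAMPLECID%21161&authkey=EXAMPLEKEY
2024-10-14T09:13:40Z wks-03 GET https://docs.google.com/document/d/abc/edit
2024-10-14T09:14:02Z wks-22 GET https://example.invalid/files/update_AbCdEf123.bin
"""

# Assumed pattern: letters/underscores, a 2-3 digit suffix, then .bin or .csv,
# modelled on the payload names GuLoader has hosted on compromised sites.
SELF_HOSTED_RE = re.compile(r"/[A-Za-z_]{6,}\d{2,3}\.(?:bin|csv)$")


def classify_url(url):
    """Return a tag for URLs shaped like GuLoader payload locations, else None."""
    p = urlparse(url)
    q = parse_qs(p.query)
    host = p.netloc.lower()
    # Google Drive direct download: /uc?export=download&id=<file id>
    if host == "drive.google.com" and p.path == "/uc" \
            and q.get("export") == ["download"] and "id" in q:
        return "gdrive-direct-download"
    # OneDrive direct download: /download?cid=...&resid=...
    if host == "onedrive.live.com" and p.path == "/download" and "resid" in q:
        return "onedrive-direct-download"
    if SELF_HOSTED_RE.search(p.path):
        return "self-hosted-payload-name"
    return None


def scan_log(text):
    """Return (host, tag, url) for every log line whose URL matches a payload shape."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        _ts, host, _method, url = parts[:4]
        tag = classify_url(url)
        if tag:
            hits.append((host, tag, url))
    return hits


if __name__ == "__main__":
    for host, tag, url in scan_log(SAMPLE_LOG):
        print(f"{host}: {tag}: {url}")
```

Direct-download links to cloud drives are common in legitimate traffic too, so treat a hit as a pivot for correlating with the originating process (an Office macro or VB6 binary) rather than as a verdict on its own.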

Read a detailed analysis of GuLoader in our blog.


Distribution of GuLoader

The distribution method of GuLoader is very typical. The loader is usually delivered as an Office document attachment in spam email campaigns. When downloaded, it uses a macro to install the malicious program. Sometimes it is also delivered as an executable in a .rar archive.

During the pandemic, many campaigns exploited the fear surrounding Covid-19 by mentioning the virus. More recently, attackers have been using fake payment invoices. They will impersonate a bank and use social engineering to trick the victim into downloading an infected file to check “payment details.”

Conclusion

GuLoader is available as a service for a relatively low price, can be easily found on the clearnet, and comes with easy-to-follow instructions. No wonder, then, that its creators claim they already have over 5000 clients. Thanks to the combination of advanced evasion tricks and ease of use, we expect its popularity to continue to grow.

Thankfully, GuLoader is easily detectable in the ANY.RUN sandbox. It only takes a few minutes to launch an interactive emulation and identify the threat.
