
GuLoader

Global rank: 32 | Month rank: 21 | Week rank: 14 | IOCs: 962

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Type: Downloader
Origin: Italy
First seen: 1 December, 2019
Last seen: 28 March, 2024
Also known as: CloudEyE, vbdropper




What is GuLoader malware

Just like the name suggests, GuLoader (sometimes also called CloudEyE and vbdropper) is a first-stage trojan designed to infect a system and drop a final payload, typically another trojan or a RAT. Once the malware makes its way into the victim's system, it attempts to establish a remote connection and download a malicious executable.

This malware is infamous for its advanced anti-detection and obfuscation techniques. It evades network detection, stops executing in virtual environments, and can slip past automated security systems.

Researchers first observed GuLoader in December 2019, when it was used in a campaign delivering Remcos RAT. Throughout 2020, the trojan kept gaining popularity, at one point accounting for 25% of all packed samples recorded by Check Point Research. Today, GuLoader remains a highly active threat. It often delivers NanoCore, Agent Tesla, LokiBot, and FormBook.

General description of GuLoader downloader

GuLoader is written as encrypted shellcode wrapped in a Visual Basic 6 (VB6) executable. Notably, it stores second-stage payloads on cloud drive services, usually Google Drive or Microsoft OneDrive. This way, it can establish a connection and download the executable without raising any red flags. The payload is usually encrypted, allowing it to slip past the cloud host’s security measures.

This loader is infamous for its use of anti-analysis techniques:

  1. The shellcode is heavily obfuscated and mixed with generous amounts of junk code.
  2. It detects sandboxes with EnumWindows by counting the number of application windows on the screen and terminates with an error message.
  3. It tampers with debugging software, causing crashes.
  4. It uses process hollowing to inject malicious code into a benign process and evade detection by an antivirus.
  5. To confuse analysts, its PE header contains only generic GetProcAddress instructions.

Like many downloaders, GuLoader is offered as a service. Prices start at $100 per month. It is distributed in the clearnet by a company with a domain name in the .eu zone. The website markets it under the name CloudEye, claiming that this is a security tool intended for protecting applications against cracking. However, the same site contains links to YouTube tutorials that clearly display how to use the software maliciously. They also show how to abuse cloud drives.

Researchers managed to link GuLoader to an Italy-based hacking group by analyzing emails left as contact details in old forum threads. One of the users behind the loader is known under the alias sonykuccio. He advertised a malware variant as far back as 2011 and offered paid services, claiming that he could make other malicious programs harder to detect. That is why GuLoader uses so many intricate anti-analysis techniques.

How to get more information from GuLoader malware

ANY.RUN helps researchers perform malware analysis of GuLoader and track its execution process in an interactive sandbox.

Figure 1: GuLoader text report generated by ANY.RUN

ANY.RUN allows users to save time during analysis and presents crucial information extracted from malware immediately. Analysts can take a look inside the GuLoader malware configuration 10 seconds after its process starts.

Figure 2: GuLoader malware configuration

GuLoader execution process

The form of GuLoader's distribution changes over time, but its execution flow always stays fairly straightforward. Since the purpose of GuLoader is to download the main payload to the infected system, after it starts it checks whether it is running inside a virtual environment. When the check passes, it establishes a connection and downloads the payload. Once the payload is downloaded and starts executing, GuLoader stops.

But even if the loader didn't connect to its C2 during analysis, you can always look at the extracted malware configuration to find out where GuLoader wants to receive its payload from.
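The payload URLs recovered from a GuLoader configuration are usually direct-download links on Google Drive or OneDrive, as described above. The following helper, added here as an example and not ANY.RUN's or the malware's own code, classifies such URLs by hosting service and pulls out the file identifier so it can be recorded for hunting or blocking; the sample URLs, the `.bin` extension list and the domain `compromised.example` are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Extensions that commonly carry the encrypted payload blob (assumption; extend as needed).
BLOB_EXTENSIONS = (".bin",)


def classify_payload_url(url: str) -> dict:
    """Return the hosting service and file identifier for one payload URL."""
    p = urlparse(url)
    host = p.netloc.lower()
    qs = parse_qs(p.query)  # decodes %21 -> "!" etc.
    info = {"url": url, "host": host, "service": "other",
            "file_id": None, "encrypted_blob": False}
    # Google Drive direct download: https://drive.google.com/uc?export=download&id=<id>
    if host.endswith("drive.google.com") and p.path == "/uc" \
            and qs.get("export") == ["download"] and "id" in qs:
        info["service"] = "google_drive"
        info["file_id"] = qs["id"][0]
    # OneDrive direct download: https://onedrive.live.com/download?cid=...&resid=<id>&authkey=...
    elif host.endswith("onedrive.live.com") and p.path == "/download" and "resid" in qs:
        info["service"] = "onedrive"
        info["file_id"] = qs["resid"][0]
    # Encrypted payloads are often served with a non-executable extension;
    # flag them so they are not dismissed as harmless data files.
    if p.path.lower().endswith(BLOB_EXTENSIONS):
        info["encrypted_blob"] = True
    return info


def triage_config_urls(urls):
    """Classify every URL from an extracted configuration and summarise the indicators."""
    results = [classify_payload_url(u) for u in urls]
    summary = {"cloud_hosted": 0, "self_hosted": 0, "indicators": []}
    for r in results:
        if r["service"] in ("google_drive", "onedrive"):
            summary["cloud_hosted"] += 1
            summary["indicators"].append((r["service"], r["file_id"]))
        else:
            summary["self_hosted"] += 1
            summary["indicators"].append(("host", r["host"]))
    return results, summary


# Constructed sample URLs with placeholder identifiers (not real IOCs).
SAMPLE_CONFIG_URLS = [
    "https://drive.google.com/uc?export=download&id=EXAMPLE_DRIVE_ID_0001",
    "https://onedrive.live.com/download?cid=EXAMPLECID&resid=EXAMPLECID%21123&authkey=EXAMPLEKEY",
    "http://compromised.example/files/pic.bin",
]

if __name__ == "__main__":
    results, summary = triage_config_urls(SAMPLE_CONFIG_URLS)
    for r in results:
        print(r["service"], r["file_id"] or r["host"], "encrypted blob" if r["encrypted_blob"] else "")
    print(summary)
```

Cloud file identifiers are more stable than the loader's own hash, so they are worth keeping as indicators even when the sample itself is repacked.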

Read a detailed analysis of GuLoader in our blog.


Distribution of GuLoader

The distribution method of GuLoader is very typical. The loader is usually delivered as an Office document attachment in spam email campaigns. When downloaded, it uses a macro to install the malicious program. Sometimes it is also delivered as an executable in a .rar archive.

During the pandemic, many campaigns exploited the fear surrounding Covid-19 by mentioning the virus. More recently, attackers have been using fake payment invoices. They will impersonate a bank and use social engineering to trick the victim into downloading an infected file to check “payment details.”

Conclusion

GuLoader is available as a service for a relatively low price, can be easily found in the clearnet, and comes with easy-to-follow instructions. No wonder, then, that its creators claim they already have over 5000 clients. Thanks to the combination of advanced anti-analysis tricks and ease of use, we expect its popularity to continue to grow.

Thankfully, GuLoader is easily detectable in the ANY.RUN sandbox. It only takes a few minutes to launch an interactive emulation and identify the threat.
