{
	"id": "1775e3b0-58e0-437d-b2af-d92b28714bc6",
	"created_at": "2026-04-06T00:15:57.41691Z",
	"updated_at": "2026-04-10T13:12:47.962966Z",
	"deleted_at": null,
	"sha1_hash": "3d87c04a96e6d377a41632e70bd832165f48908f",
	"title": "Spoofed Saudi Purchase Order Drops GuLoader – Part 2 | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 521948,
	"plain_text": "Spoofed Saudi Purchase Order Drops GuLoader – Part 2 |\r\nFortiGuard Labs\r\nBy James Slaughter\r\nPublished: 2022-07-12 · Archived: 2026-04-05 22:00:53 UTC\r\nIn part one of this blog, FortiGuard Labs examined a recently discovered e-mail delivered to a coffee company in\r\nUkraine that was seemingly sent by an oil provider in Saudi Arabia. Purporting to contain an attached purchase\r\norder, the image of a PDF file was actually a link to an ISO file hosted in the cloud that contained an executable\r\nfor GuLoader. What makes this case interesting is that this executable uses NSIS (Nullsoft Scriptable Install\r\nSystem) to deploy itself.\r\nGuLoader (also known as CloudEye and vbdropper) dates to at least 2019 and is generally used to deploy other\r\nmalware variants such as Agent Tesla, Formbook, and Lokibot.\r\nIn this second part of the series, I will showcase a dynamic analysis of the main file, PO#23754-1.exe, as well as\r\ninvestigate the shellcode file “rudesbies.Par”. It will also highlight some of the defences it puts in place to hinder\r\nanalysis.\r\nAffected Platforms: Windows\r\nImpacted Users: Windows users\r\nImpact: Potential to deploy additional malware for additional purposes\r\nSeverity Level: Medium\r\nPO#23754-1.exe dynamic analysis\r\nThis sample has a basic level of awareness of its surroundings. If it is executed in a virtual environment that has\r\nan obvious artefact (e.g., VirtualBox Guest Additions Tray), it will halt immediately.\r\nhttps://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two\r\nPage 1 of 12\n\nFigure 1. Halting upon detection of a virtual environment.\r\nAs the file is executed from inside a mounted ISO file, the execution path will flow from Explorer.\r\nFigure 2. 
Execution tree.\r\nBy deploying from within a container such as an ISO, it is often possible to bypass MOTW (Mark-of-the-Web)\r\ncontrols that would stop files downloaded from the internet from executing.\r\nSince this is an NSIS file, anyone viewing the screen at the time of execution will also see a progress window\r\nas files are installed.\r\nFigure 3. Installation window.\r\nThe label use, as shown in the NSIS script from part one of the blog, now becomes apparent when looking at the\r\ntitle bar for the window as well as the lower centre.\r\nFigure 4. Script image from part one showing the title bar and label use.\r\nAs was suspected during static analysis, all identified files have been placed into the “Temp” directory of the\r\nactive user account.\r\nFigure 5. Files installed in $TEMP (note, PROCEXP.exe is not deployed by this malware).\r\nA unique directory name is created (always beginning with “ns”) to store “System.dll”. A temp file that is also\r\nuniquely named (and again always prefixed with “ns”) is used in the NSIS deployment process.\r\nFigure 6. Registry entry created in HKCU\\SOFTWARE.\r\nIn part one of the blog, a registry key was highlighted in the NSIS script. Figure 6 shows this when implemented\r\non a victim system. It does not appear, however, that this is referenced later by the malware, nor does it appear\r\nthat a file named “PARALLELIZING.log” is ever committed to disk. 
It is possible that this is a remnant of the\r\ntesting phase of the NSIS file that was no longer needed for the active campaign.\r\nSystem.dll\r\nAs mentioned earlier, “System.dll” is dropped into a unique directory. On its own, “System.dll” is a non-malicious\r\nfile. However, the NSIS script will effectively use this DLL to proxy Windows API calls to “kernel32.dll”. This is\r\ndone to read the file “rudesbies.Par” and inject its contents into the already running NSIS process. Doing things in\r\nthis fashion makes it more difficult to trace the origin of the call, thereby making it appear\r\nto be legitimate.\r\nFigure 7. Call function as seen in IDA.\r\nAs can be seen in Figure 7, the “Call” function is used to actually make the API call to “kernel32.dll”.\r\nFigure 8. Call function as seen in the debugger.\r\nAlthough the offset differs (the address in Figure 7 ends in 1817), Figure 8 shows the same “Call” function being\r\ninvoked by the code executing in the debugger.\r\nIn all, five calls are made through “System.dll” to “kernel32.dll”. These read “rudesbies.Par” and then allocate\r\nappropriate space in memory within the running executable. The series of five figures shown below demonstrates\r\nthe entire journey to make this happen. Note the spelling of kernel as “KERNel”. Referring again back to part one,\r\nthis is identical to the representation in the NSIS script.\r\nFigure 9. CreateFileW is called to create a handle (a reference in memory within the OS) to the file\r\n“rudesbies.Par”.\r\nFigure 10. GetFileSize is called to determine the amount of memory required to store “rudesbies.Par” when\r\nopened.\r\nFigure 11. VirtualAllocEx is called to prepare a designated area of memory to store the contents of\r\n“rudesbies.Par”.\r\nFigure 12. 
ReadFile is called to take the contents of “rudesbies.Par” and store them in memory.\r\nFigure 13. CloseHandle asks the OS to release the handle to “rudesbies.Par”.\r\nInjection\r\nOnce rudesbies.Par is successfully read, it must then be injected back into the running NSIS process. This is done\r\ninto a random region of memory within the NSIS process.\r\nFigure 14. By observing the memory map in the debugger, the addition of a region with the above characteristics\r\ncan be seen.\r\nViewing that region of memory initially shows what looks to be a very large number of “cmp” operations.\r\nFigure 15. Initial view of the injected shellcode.\r\nShellcode\r\nThe instructions shown in Figure 15 are junk code and don’t actually do anything. Regardless of the memory\r\noffset used to load the shellcode, the first set of meaningful instructions starts at 014E.\r\nFigure 16. Start of actual instruction set (0002014E in this example, still in its encoded format).\r\nFrom this point, the code will attempt to decode the next 17208 bytes of “rudesbies.Par”. It does this by setting a\r\ncounter and then adding four bytes to it on each pass through a loop, until the counter reaches 17208.\r\nFigure 17. Compare instruction checking if the counter (edx) has reached 17208.\r\nWhile that is occurring, every four bytes an instruction is XOR’d using the key 919E1E2E. Due to endianness,\r\nthis is actually reversed and represented as 2E1E9E91.\r\nFigure 18. XOR key.\r\nOnce this has all been completed, further impediments to analysis, such as periodic RDTSC (Read Time-Stamp\r\nCounter) instructions, have been added to hinder review by analysts. 
Because stepping through instructions manually takes far longer than normal execution, the measured time\r\ndifference will create a break in the normal flow of the program.\r\nFigure 19. RDTSC instruction.\r\nFortiGuard Labs was unfortunately unable to retrieve the final payload that was to have been dropped by this\r\nGuLoader sample. As mentioned earlier, GuLoader has been known to drop different types of malware, such as\r\nAgent Tesla, Formbook, and Lokibot.\r\nConclusion\r\nDespite being only a dropper, this sample shows the advantage malware developers gain by increasing the number\r\nof anti-analysis defences in their code. It slows down analysts attempting to share the details of a campaign,\r\nthereby maximizing the amount of time a malicious actor can keep their infrastructure up before becoming known\r\nand then compromised or taken down.\r\nGuLoader can be adapted for delivery in different campaigns with different malware types. It is an interesting and\r\nactive threat that will likely continue for some time to come.\r\nFortinet Protections\r\nThe GuLoader sample mentioned in this blog is detected by the following (AV) signature:\r\nNSIS/Injector.AOW!tr\r\nFortinet customers are protected from this malware through FortiGuard’s Antivirus and CDR (content disarm and\r\nreconstruction) services and the FortiMail, FortiClient, and FortiEDR solutions.
\r\nDue to the ease of disruption, damage to daily operations, potential impact to the reputation of an organization,\r\nand the unwanted destruction or release of personally identifiable information (PII), etc., it is important to keep all\r\nAV and IPS signatures up to date.\r\nFortinet also has multiple solutions designed to help train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nIn addition, we suggest that organizations also have their end users go through our FREE NSE training: NSE 1 –\r\nInformation Security Awareness. It includes a module on Internet threats that is designed to help end users learn\r\nhow to identify and protect themselves from various types of phishing attacks.\r\nIOCs\r\nNetwork 
IOCs\r\nbounceclick[.]live/VVB/COrg_RYGGqN229.binb\r\nThanks to Fred Gutierrez who helped contribute to this blog.\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/spoofed-saudi-purchase-order-drops-guloader-part-two"
	],
	"report_names": [
		"spoofed-saudi-purchase-order-drops-guloader-part-two"
	],
	"threat_actors": [],
	"ts_created_at": 1775434557,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d87c04a96e6d377a41632e70bd832165f48908f.pdf",
		"text": "https://archive.orkl.eu/3d87c04a96e6d377a41632e70bd832165f48908f.txt",
		"img": "https://archive.orkl.eu/3d87c04a96e6d377a41632e70bd832165f48908f.jpg"
	}
}