{
	"id": "f4c779db-974c-4847-b5b2-ae73947af096",
	"created_at": "2026-04-06T00:07:29.418316Z",
	"updated_at": "2026-04-10T03:20:16.384493Z",
	"deleted_at": null,
	"sha1_hash": "3fb1db784a7099674d74e284a2c7737fa24aae38",
	"title": "Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3228113,
	"plain_text": "Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer\r\nBy Mark Lim, Zong-Yu Wu\r\nPublished: 2024-01-05 · Archived: 2026-04-05 13:51:36 UTC\r\nExecutive Summary\r\nMalware, like many complex software systems, relies on the concept of software configuration. Configurations establish guidelines for malware behavior and they are a common feature among the various malware families we examine. The configuration data embedded within malware can offer invaluable insights into the intentions of cybercriminals. However, due to its significance, malware authors deliberately make configuration data challenging to parse statically from the file.\r\nOver the past few years, we have developed a system to extract internal malware configurations. We will share code from our extractors for multiple malware families with the research community. These extractors, written in Python, are designed to scan and extract configuration data from memory dumps associated with specific malware samples.\r\nWe will also introduce selected configuration protection techniques employed by two malware families: GuLoader and RedLine Stealer. For those interested in more details, please look into the whitepaper, slides or video we presented at Virus Bulletin 2023 in London.\r\nPalo Alto Networks customers are better protected from these threats through our Next-Generation Firewall with cloud-delivered security services including WildFire. If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team.\r\nTechnical Analysis of GuLoader\r\nThe GuLoader authors went to great lengths to obfuscate their C2 configuration. Figure 1 provides a timeline illustrating the evolution of GuLoader obfuscation techniques.\r\nhttps://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/\r\nPage 1 of 7\r\nFigure 1. Timeline showing the evolution of obfuscation techniques used by GuLoader.\r\nThis evolution has defeated our previous approach to extracting GuLoader malware configuration. The GuLoader authors’ newer techniques include ciphertext splitting and control flow obfuscation.\r\nCiphertext Splitting\r\nWe have labeled GuLoader’s previous method of storing encrypted configuration data (ciphertext) in the top section of Figure 2 as the “old method.” In this old method, the ciphertext was stored as a continuous sequence of bytes.\r\nFigure 2. Comparing old and new methods of storing ciphertext.\r\nIn the lower section of Figure 2 above, we have labeled the new approach as GuLoader’s “new method,” where the ciphertext is computed from a function. In this function, the ciphertext is first divided into 4-byte DWORDs. Each DWORD is individually encrypted using randomized mathematical operations.\r\nFor example, to retrieve the first DWORD of the ciphertext from GuLoader’s new method, we must perform the mathematical operations illustrated below in Figure 3.\r\nFigure 3. An example of computing a DWORD of the ciphertext from GuLoader’s new method of storing ciphertext.\r\nTo acquire the complete ciphertext from this new method, we perform a series of operations similar to the method shown in Figure 3 above for each individual DWORD. Subsequently, we concatenate these DWORD values together, resulting in the complete ciphertext.\r\nControl Flow Obfuscation\r\nIn early 2023, we encountered a GuLoader sample that originally had zero VirusTotal (VT) detections. Using Hex-Rays IDA Pro to disassemble and analyze this malware sample, we found instructions that attempted to prevent further analysis. These anti-analysis instructions were designed to raise EXCEPTION_BREAKPOINT, EXCEPTION_ACCESS_VIOLATION and EXCEPTION_SINGLE_STEP exceptions.\r\nFigure 4 illustrates how GuLoader implemented all these instructions for anti-analysis.\r\nFigure 4. Disassembler analysis of the GuLoader sample revealing the anti-analysis instructions.\r\nThe anti-analysis instructions noted in Figure 4 above rendered our previous solution of writing an IDA processor module extension ineffective. Because Intel x86 CPU instructions are variable in length, we could not detect the huge number of instruction combinations that triggered EXCEPTION_ACCESS_VIOLATION and EXCEPTION_SINGLE_STEP exceptions.\r\nSince our previous solution was no longer effective, we had to manually analyze the code to find these anti-analysis instructions and bypass them to extract the configuration. We explained in detail how we extracted the configuration in our whitepaper for Virus Bulletin.\r\nTechnical Analysis of RedLine Stealer\r\nThe SHA256 hash for the RedLine Stealer sample used in this analysis is a4cf69f849e9ea0ab4eba1cdc1ef2a973591bc7bb55901fdbceb412fb1147ef9. Using an MSIL decompiler called dnSpy, we quickly identified the configuration data as shown below in Figure 5.\r\nFigure 5. Screenshot taken from dnSpy that contains the RedLine Stealer sample’s encrypted configuration block.\r\nWe implemented a decryption routine in Python as shown below in Figure 6. We invite readers to manually grab example ciphertexts and keys to test whether the script from Figure 6 decrypts correctly.\r\nFigure 6. The decryption routine written in Python.\r\nNext, we located the configuration (shown in Figures 7 and 8) and prepared the decrypt function in Python. However, before decrypting the data, we had to manually grab the ciphertext and key from the decompiled result generated by dnSpy.\r\nWhen writing C code, we directly access system memory, so we sometimes call the executables compiled from C code native executables. However, in .NET MSIL, everything is managed. In native C code, a pointer leads to the character array stored somewhere in the binary, but all we see in the compiled MSIL are the tokens.\r\nWhen accessing these tokens, the runtime library (CLR) resolves where the ciphertext is actually stored, which is one less thing for an analyst to worry about. For example, in Figure 7, comments generated by dnSpy show that the string IP is token number 0x04000013.\r\nFigure 7. dnSpy labeling the token number of the decompiled strings.\r\nNext, we open the RedLine Stealer sample in IDA Pro and navigate to the same function. Figure 8 shows that the ldstr instructions push object references for the metadata strings located at seg000:29F1, seg000:29FB, seg000:2A05 and seg000:2A0F. The object references are enclosed in black boxes in Figure 8.\r\nThese metadata strings are set by instructions located at seg000:29F6, seg000:2A00, seg000:2A0A and seg000:2A14 respectively. The stsfld instructions replace the value of a static field with a value from the evaluation stack. The values on the evaluation stack for each field are enclosed in red boxes.\r\nFigure 8. IDA Pro disassembler view of the configuration setup function.\r\nThe IP field from Figure 7 is not enough to statically extract the configuration. The source of the string that was pushed onto the stack for the IP field has not yet been identified. The operand type of the instruction ldstr shown in Figure 8 is, according to Microsoft, a string token, and string tokens are stored in the #US (User-Stream) table.\r\nTo find the string token, we used an open-source library called dnfile, which is like a .NET version of pefile. dnfile allows us to easily access the #US tokens by just giving the .NET runtime identifier (RID). dnfile also provides the interface to access the user streams and a lot more.\r\nThe Python implementation shown in Figure 9 is an example of how we accessed user streams by offset. We passed the user string into the decryption routine shown in Figure 9 once we got the user stream by the token. This should return the decrypted configuration.\r\nFigure 9. An implementation that uses dnfile to get the resource by a given .NET MSIL token.\r\nConclusion\r\nBy delving into the methods used for GuLoader and RedLine Stealer, we shed light on the process of locating and extracting C2 configurations from various malware families.\r\nLeveraging the insights gained from analyzing these malware configurations, we can enhance our ability to detect, analyze and develop effective countermeasures against malicious software. Through continuous collaboration and knowledge sharing, we can collectively stay ahead of cybercriminals to help safeguard our digital systems and networks.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through the following products:\r\nNext-Generation Firewall with cloud-delivered security services including WildFire detects the files mentioned within this report as malicious.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 Hash of the GuLoader Sample Analyzed in This Article\r\n32ea41ff050f09d0b92967588a131e0a170cb46baf7ee58d03277d09336f89d9\r\nSHA256 Hash of the RedLine Stealer Sample Analyzed in This Article\r\na4cf69f849e9ea0ab4eba1cdc1ef2a973591bc7bb55901fdbceb412fb1147ef9\r\nSource: https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/malware-configuration-extraction-techniques-guloader-redline-stealer/"
	],
	"report_names": [
		"malware-configuration-extraction-techniques-guloader-redline-stealer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434049,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fb1db784a7099674d74e284a2c7737fa24aae38.pdf",
		"text": "https://archive.orkl.eu/3fb1db784a7099674d74e284a2c7737fa24aae38.txt",
		"img": "https://archive.orkl.eu/3fb1db784a7099674d74e284a2c7737fa24aae38.jpg"
	}
}