{
	"id": "b3ea8186-06b3-45dc-b184-db6598a40fd5",
	"created_at": "2026-04-06T00:22:04.813322Z",
	"updated_at": "2026-04-10T03:21:16.717885Z",
	"deleted_at": null,
	"sha1_hash": "a5af97667944b6f2c85c358b8a0eb8da4de0ed5e",
	"title": "Malware Analysis: GuLoader Dissection Reveals New Anti-Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 762401,
	"plain_text": "Malware Analysis: GuLoader Dissection Reveals New Anti-Analysis\r\nBy Sarang Sonawane - Donato Onofri\r\nArchived: 2026-04-05 18:40:19 UTC\r\nGuLoader is an advanced malware downloader that uses a polymorphic shellcode loader to dodge\r\ntraditional security solutions\r\nCrowdStrike researchers expose complete GuLoader behavior by mapping all embedded DJB2 hash values\r\nfor every API used by the malware\r\nNew shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning\r\nentire process memory for any virtual machine (VM)-related strings\r\nNew redundant code injection mechanism is meant to ensure code execution by using inline assembly to\r\nbypass user mode hooks from security solutions\r\nCrowdStrike analyzes malware to augment the behavior and machine learning-based detection and protection\r\ncapabilities built into the CrowdStrike Falcon® platform to deliver automated, world-class protection to\r\ncustomers.\r\nGuLoader has been known to employ a significant number of anti-analysis techniques, making detection and\r\nprotection challenging for other security solutions.\r\nIn dissecting GuLoader’s shellcode, CrowdStrike revealed a new anti-analysis technique meant to detect if the\r\nmalware is running in a hostile environment by scanning the entire process memory for any Virtual Machine\r\n(VM)-related strings. 
To bypass GuLoader’s anti-debugging evasion mechanisms, we found and described two\r\nnew working methods for patching the instructions meant to detect the presence of debugging tools used by\r\nresearchers for analysis.\r\nThis analysis includes what we believe is the first-ever mapping of all remaining DJB2 hash values for every API\r\nused by the GuLoader malware, revealing the first-ever complete view into the malware’s behavior and how it\r\ninteracts with the victim's machine.\r\nThe Evolution of GuLoader\r\nGuLoader was first spotted in 2019 as a file downloader that was used to distribute remote access trojans (RATs)\r\nsuch as AgentTesla, FormBook, Nanocore, NETWIRE and the Parallax RAT.\r\nThese early versions of GuLoader were distributed via spam email campaigns with archived attachments\r\ncontaining the malware in executable form. In 2020, CrowdStrike published a detailed analysis of GuLoader in\r\nhttps://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/\r\nPage 1 of 10\n\nwhich a significant number of DJB2 hash values were mapped, revealing some of the APIs abused by the\r\nmalware.\r\nRecent variants started using an updated delivery mechanism where the payload is delivered via a Visual Basic\r\nScript (VBS) file. 
GuLoader also started employing advanced anti-analysis techniques to evade detection, such as\r\nanti-debug, anti-sandbox, anti-VM and anti-detection, to make analysis difficult.\r\nBy analyzing the new GuLoader samples, we’re able to reveal and understand every anti-analysis and evasion\r\ntechnique being employed and paint a complete picture of the malware’s behavior.\r\nGuLoader’s Multistage Deployment\r\nThe recent GuLoader sample exhibits a multistage deployment:\r\nThe first stage involves using a VBS dropper file to drop a second-stage packed payload into a registry\r\nkey. It then uses a PowerShell script to execute and unpack the second-stage payload from the registry key\r\nwithin memory.\r\nThe second-stage payload performs all anti-analysis routines (described below), creates a Windows\r\nprocess (e.g., ieinstal.exe) and injects the same shellcode into the new process.\r\nThe third stage reimplements all the anti-analysis techniques, downloads the final payload from a remote\r\nserver and executes it on the victim’s machine.\r\nExisting public research on GuLoader’s multistage deployment has extensively covered a wide range of anti-evasion techniques and behaviors. We used this as a starting point to further our analysis.\r\nVBScript\r\nThe VBScript contains two main arrays. One of them is the shellcode, present in hex format, that will be injected\r\ninto memory, and the second is a Base64-encoded PowerShell script. For persistence, this shellcode is then added\r\nto the registry key HKEY_CURRENT_USER\\SOFTWARE\\TYMPANIESI by the VBScript. Another variable,\r\n“MEDITABU”, holds Base64 content that is concatenated and, after decoding, forms the PowerShell script.\r\nPowerShell Script\r\nThe PowerShell script adds a Microsoft .NET class to the PowerShell session using Add-Type -TypeDefinition. 
It\r\nthen reads the shellcode from the registry entry created by the VBScript and loads the shellcode into virtually\r\nallocated memory using the ZwAllocateVirtualMemory and RtlMoveMemory APIs. After that, the shellcode\r\nis launched inside powershell.exe using the CallWindowProcW API.\r\nThe first 40 bytes of the shellcode are executable assembly instructions and the remaining bytes are encrypted.\r\nThe first 40 bytes are responsible for decrypting the remaining part of the code, then the execution flow jumps\r\ninto the decrypted part. During the next stage, the shellcode overwrites the first 40 bytes with no-operation\r\n(NOP) instructions. This is done so the decryption stub cannot be re-debugged.\r\nInitially, the shellcode traverses the process environment block (PEB) structure and fetches ntdll to tap into\r\nexported NTAPI functions. The rest of the DLLs are loaded by using LoadLibrary. As previously covered by\r\nCrowdStrike, GuLoader uses the DJB2 algorithm to load APIs. The assembly code for DJB2 traverses the\r\nexport functions of the required DLLs one by one, calculates the DJB2 hash for each exported API and then\r\ncompares it with the hardcoded hash value. We covered the DJB2 algorithm in a previous blog post.\r\nAnti-Analysis Techniques\r\nThe shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an\r\nerror message if it detects any known analysis or debugging mechanism.\r\nAnti-Debugging\r\nGuLoader uses a vectored exception handler (VEH) to throw off researchers and make disassembly and\r\ndebugging difficult: it disrupts the normal flow of code execution by raising exceptions whose handler redirects\r\ncontrol to other instructions, so the apparent control flow points to incorrect paths. 
To add the exception handler, the shellcode uses the\r\nRtlAddVectoredExceptionHandler API function.\r\nFigure 1. Vectored Exception Handler function\r\nGuLoader performs a series of anti-debugging and anti-disassembling checks to detect the presence of\r\nbreakpoints, usually associated with researchers analyzing its code execution flow.\r\nFor example, when it hits an INT3 (0xCC) instruction it extracts information from the EXCEPTION_RECORD and\r\nchecks its ExceptionCode. To determine if the VEH routine has been triggered by an INT3 instruction, it\r\nchecks whether the value matches 0x80000003 (EXCEPTION_BREAKPOINT). It then retrieves the DR\r\nregisters from CONTEXT_RECORD to check whether any hardware breakpoints are set, and it also checks whether the byte at\r\nEIP (Extended Instruction Pointer) is equal to 0xCC. Looking for software breakpoints, GuLoader also\r\nchecks for the presence of other 0xCC instructions in code and terminates execution if found (shown in Figure 1).\r\nIf everything is as expected, the malware XORs the byte following EIP with a constant, adds the result to EIP and\r\nwrites the new value back to EIP in CONTEXT_RECORD, ensuring the execution flow will reach the correct address.\r\nTo bypass this check and automatically jump to the next real address, avoiding the VEH routine, we can enter the\r\nfollowing statement in the command window at the bottom of x32dbg when the debugger\r\nreaches the INT3 instruction (here the XOR value inside the VEH was 0x40; it may differ in other samples):\r\neip=((ReadByte(eip+1)^0x40)+eip)\r\nTo avoid stepping through each replacement in the debugger, the following script can also be used to patch all of the INT3\r\ninstructions by replacing them with a JMP to the real execution flow (copy the script below into the x32dbg\r\n“Script” tab):\r\ncall 
loop\r\nloop:\r\nmov $a, 0\r\nfindasm \"int3\"\r\ncmp $result, $a\r\nje exit\r\nmov $temp, ref.addr($a)\r\nmov $i, 0x40\r\nxor \u003c$temp+1\u003e, $i\r\nsub \u003c$temp+1\u003e, 2\r\n1:\u003c$temp\u003e = 0xEB\r\njmp loop\r\nexit:\r\nret\r\nBefore calling every API, the shellcode checks that API for breakpoints and terminates if any are found.\r\nUsing the NtSetInformationThread API is also an anti-debugging technique. The DJB2 algorithm loads the\r\nNtSetInformationThread API and passes 11 (ThreadHideFromDebugger) as the second parameter, which\r\ncauses the process to crash when it runs inside a debugger.\r\nAnti-debugging via NtQueryInformationProcess enables GuLoader to check for the presence of a remote debugger\r\nattached to its process. Our sample calls the NtQueryInformationProcess API with ProcessDebugPort (0x7)\r\nas the second parameter. The loader checks for a non-zero returned value, which means the process is being\r\ndebugged.\r\nAnti-debugging via DbgBreakPoint and DbgUiRemoteBreakin allows GuLoader to patch two APIs in memory,\r\nusing the NtProtectVirtualMemory API to mark their addresses writable:\r\nDbgBreakPoint — by replacing it with a NOP instruction\r\nDbgUiRemoteBreakin — by replacing it with a random instruction\r\nDJB2 API Name\r\n4a082415 DbgBreakPoint\r\n880bb688 DbgUiRemoteBreakin\r\nAnti-Virtual Machine\r\nWhat’s different from previously analyzed GuLoader variants is that this shellcode scans every memory page of\r\nthe entire process memory for VMware-related strings. GuLoader uses the\r\nNtQueryVirtualMemory API to scan the entire memory of the process to check if any Virtual Machine\r\n(VM)-related strings are present.\r\nFigure 2. 
Pseudocode showing how the virtual memory is scanned and how the DJB2 algorithm is used\r\nThis is implemented by calling the NtQueryVirtualMemory API with the handle 0xffffffff (current process) to\r\niteratively retrieve the base address of every page. The fourth parameter of this API is the MemoryInformation\r\nstructure, which contains information about a range of pages in the virtual address space of a process. A similar\r\ntechnique has been implemented in the past in the VMDE project by hfiref0x, in which the author searches\r\nmemory for “Sandboxie” artifact strings; in this case GuLoader searches for virtualization software traces.\r\nIf it finds any of the DJB2 values for a series of strings (i.e., VMSwitchUserControlClass, VM3DService Hidden\r\nWindow, VMDisplayChangeControlClass, vmtoolsdControlWndClass, etc.), the shellcode throws an error\r\nmessage that it is running under a virtual environment and then terminates execution.\r\nUsing CPUID and rdtsc is a very common anti-debugging trick that involves using the read time-stamp counter\r\n(rdtsc) instruction to determine how many CPU ticks have taken place since the processor was reset. This is used as a\r\ntiming check comparing the time required to execute two rdtsc instructions; the CPUID instruction is then called\r\nwith EAX = 1 to retrieve the processor information, returning the output in the ECX register. If the thirty-first bit of\r\nECX is set, it is taken as a sign that the shellcode is running inside a potentially hostile environment (virtual machine).\r\nThe use of the EnumWindows function is also a popular anti-VM technique; it enumerates all top-level windows on the screen by passing the handle of each window to a callback. This API is used in the shellcode, counting the\r\nnumber of open windows inside the callback function. 
If the number is lower than 12, it will call the API\r\nTerminateProcess.\r\nEnumerating device drivers also falls under the anti-VM category. GuLoader uses EnumDeviceDriver from\r\npsapi.dll, checks for the presence of specific drivers and triggers an error if any are found. The shellcode fetches and calls\r\ntwo APIs from their DJB2 values — DADA7345 and CDAFD506, respectively EnumDeviceDriver and\r\nGetDeviceDriverBasename — to enumerate driver names. The DJB2 hash value of every enumerated driver name is\r\ncalculated. These hash values are then compared with hard-coded DJB2 hash values, which correspond to VM-related device drivers.\r\nDJB2 Value Strings\r\n9ba8433a vmmouse.sys\r\nd5360503 vm3dmp_loader.sys\r\nD8FB0271 vm3dmp.sys\r\n52eb67f8 vmusbmouse.sys\r\nAfter bypassing all of the above checks consecutively, it then loads the addresses of several APIs as shown in the table\r\nbelow:\r\nDJB2 Value API Name\r\nc4835d68 NtSetContextThread\r\nC45db42d NtWriteVirtualMemory\r\nD05D0AFC ZwCreateSection\r\nC101ddb2 NtMapViewOfSection\r\n3b640034 NtSetInformationProcess\r\n8ad0acb1 NtOpenFile\r\nDe797b11 NtClose\r\n2334ac18 NtResumeThread\r\n1a45d798 NtCreateThreadEx\r\n9688DA44 CreateProcessInternalW\r\nScanning and enumerating installed software is a technique GuLoader uses to check for virtualization software\r\ninstalled as part of its anti-sandbox/anti-VM mechanism, by loading the APIs that match the DJB2 hash values\r\n55fbd1cd (MsiGetProductInfoA) and AD5448 (MsiEnumProductsA). The shellcode enumerates the products\r\nusing the MsiGetProductInfoA API and checks if they match a list of known software.\r\nService enumeration using the OpenSCManager API establishes a connection to the service control manager on\r\nthe machine and opens the specified service control manager database. 
It then enumerates the service control manager\r\ndatabase services using EnumServicesStatusA.\r\nProcess Hollowing\r\nProcess hollowing is a technique for executing arbitrary code in the address space of a separate live process by\r\ncreating a process in a suspended state, then unmapping/hollowing its memory, which can then be replaced with\r\nmalicious code. In this case, the malware does not unmap an already mapped section in the remote process, but\r\ntries to add a new section and write the injected shellcode into it.\r\nThe below steps are followed for injection:\r\n1. The shellcode first creates a suspended process by calling CreateProcessInternal.\r\n2. It then calls NtOpenFile on \\\\??\\\\C:\\\\Windows\\\\syswow64\\\\iertutil.dll.\r\n3. It calls NtCreateSection on that file, creating the section into which it will inject its malicious shellcode.\r\n4. It then maps that section via NtMapViewOfSection into the suspended process. If this injection technique fails,\r\nit uses the following redundancy method:\r\na. NtAllocateVirtualMemory, invoked through inline assembly instructions (without calling ntdll.dll, to bypass\r\nAV/EDR user mode hooks) using the following assembly stub:\r\nmov eax,18\r\nmov edx,ntdll.77178850\r\ncall edx\r\nret 18\r\nIt uses NtWriteProcessMemory to copy the same shellcode onto that virtually allocated address.\r\n5. It then uses the NtGetContextThread API on the remote thread of the suspended process, specifying the following\r\nflags to retrieve the register values of that thread:\r\ni. CONTEXT_CONTROL to retrieve the registers ESP, EIP, FLAGS, BP\r\nii. CONTEXT_INTEGER to retrieve the registers AX, BX, CX, DX, SI, DI\r\niii. CONTEXT_SEGMENTS to retrieve the registers DS, ES, FS, GS\r\n6. 
The retrieved CONTEXT is used to manipulate registers by calling the NTAPI NtSetContextThread to set the\r\nEAX register to the address of the shellcode (EIP points to RtlUserThreadStart, which will jump to the new EAX).\r\n7. Finally, the malware calls the native API NtResumeThread to resume the process and execute the shellcode in\r\nthe new process.\r\nFinal Shellcode\r\nAfter injection, the shellcode re-executes all the anti-analysis steps mentioned above, and then decrypts the URL\r\nto retrieve the last payload from https\u003c:\u003e//biropem\u003c.\u003epapuabaratprov\u003c.\u003ego\u003c.\u003eid/bin_fXZOFMVq248\u003c.\u003ebin. It\r\nloads the APIs to manage the internet connection and connects to the URL to download the first level of the payload,\r\nwhich then gets decrypted by the shellcode and results in dropping the Remcos malware.\r\nDJB2 API Name\r\nC6e89145 InternetOpenA\r\n9f39811c InternetSetOptionA\r\n292652cc InternetOpenUrlA\r\nF978A052 InternetReadFile\r\n71167D2C InternetCloseHandle\r\nHow the CrowdStrike Falcon Platform Protects Against GuLoader\r\nGuLoader remains a dangerous threat that’s been constantly evolving with new methods to evade detection. The\r\nFalcon platform uses behavior-based detection capabilities to automatically detect and prevent GuLoader early in\r\nthe attack chain by identifying the initial VBScript loader, preventing its execution.\r\nThis recent analysis performed by CrowdStrike on GuLoader now offers a complete picture of all the DJB2 hash\r\nvalues used for APIs. 
This type of threat research enables CrowdStrike to leverage expert human intelligence and\r\naugment its machine learning and behavior-based detection capabilities to stop breaches.\r\nIndicators of Compromise (IOCs)\r\nFile SHA256\r\nGuLoader f75cefc70404640cf823fe419af6f9841c3cfee17a9fdbe332da251d0964e17f\r\nAppendix\r\nThe following table contains the complete list of additional DJB2 hash values for APIs as used by GuLoader.\r\nDJB2 Value API Name\r\nDADA7345 EnumDeviceDriver\r\nCDAFD506 GetDeviceDriverBasename\r\nc4835d68 NtSetContextThread\r\nC45db42d NtWriteVirtualMemory\r\nD05D0AFC ZwCreateSection\r\nC101ddb2 NtMapViewOfSection\r\n3b640034 NtSetInformationProcess\r\n8ad0acb1 NtOpenFile\r\nDe797b11 NtClose\r\n2334ac18 NtResumeThread\r\n1a45d798 NtCreateThreadEx\r\n9688DA44 CreateProcessInternalW\r\n55fbd1cd MsiGetProductInfoA\r\nAD5448 MsiEnumProductsA\r\n4a082415 DbgBreakPoint\r\n880bb688 DbgUiRemoteBreakin\r\nC6e89145 InternetOpenA\r\n9f39811c InternetSetOptionA\r\n292652cc InternetOpenUrlA\r\nF978A052 InternetReadFile\r\n71167D2C InternetCloseHandle\r\nSource: https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/"
	],
	"report_names": [
		"guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy"
	],
	"threat_actors": [],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775791276,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5af97667944b6f2c85c358b8a0eb8da4de0ed5e.pdf",
		"text": "https://archive.orkl.eu/a5af97667944b6f2c85c358b8a0eb8da4de0ed5e.txt",
		"img": "https://archive.orkl.eu/a5af97667944b6f2c85c358b8a0eb8da4de0ed5e.jpg"
	}
}