{
	"id": "f798adbd-bd39-4a85-a6aa-8c6e72bc435c",
	"created_at": "2026-04-06T00:10:17.087438Z",
	"updated_at": "2026-04-10T03:21:13.766589Z",
	"deleted_at": null,
	"sha1_hash": "e80f62df99eeb06d46f98824b148d2fe8547df15",
	"title": "Threat Bulletin: Dissecting GuLoader’s Evasion Techniques - VMRay",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1513301,
	"plain_text": "Threat Bulletin: Dissecting GuLoader’s Evasion Techniques -\r\nVMRay\r\nBy VMRay Labs\r\nPublished: 2020-07-09 · Archived: 2026-04-05 13:28:19 UTC\r\nEditor’s Note: This blog post was updated on August 10, 2020.\r\nOver the last couple of months, we observed a new downloader called GuLoader (also known as CloudEyE) that\r\nhas been actively distributed in 2020. In contrast to prototypical downloaders, GuLoader is known to use popular\r\ncloud services such as Google Drive, OneDrive and Dropbox to host its encrypted payloads. So far, we have seen\r\nthat GuLoader is being used to deliver Formbook, NanoCore, LokiBot, and Remcos, among others. We’ve\r\nobserved that GuLoader uses a combination of evasion techniques that evade sandboxes and slow down (manual)\r\nanalysis.\r\nOn June 6th, 2020, the developers of GuLoader informed the public that they had shut down their service (Figure\r\n1). Despite the suspension of service, we anticipate other malware families will evolve and adapt some of these\r\ntechniques in the near future. 
In this post, we will highlight GuLoader’s techniques with a focus on sandbox\r\nevasion and anti-analysis.\r\nView the VMRay Platform Report for GuLoader\r\nOverview and Shellcode\r\nhttps://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/\r\nPage 1 of 11\n\nIn our analysis, we can see that GuLoader creates another instance of itself (referred to below as the second\r\ninstance) and modifies its execution (Figure 2 and Figure 3).\r\nThe second instance then performs further malicious activities, which include network activity to download the\r\npayload and the memory modification of other processes (Figure 4).\r\nOther reports about GuLoader revealed that the main functionality is implemented as shellcode: the sample is\r\na 32-bit executable written in VB6 that contains the shellcode in encrypted form.\r\nDuring execution, the embedded shellcode is decrypted, executed, and even injected, as seen before (Figure 2).\r\nBy loading the shellcode in IDA Pro (we loaded the shellcode at offset 0x001A0000) or a similar disassembler, we\r\ncan see that the code is heavily obfuscated. The code is split into smaller parts containing additional junk code\r\n(Figure 6) connected with control-flow changing instructions such as call, return and (indirect) jump. In contrast\r\nto compiler-generated code, the shellcode mixes code instructions and data such as strings, which is typical for\r\nposition-independent code.\r\nThis makes static control-flow analysis more difficult and causes the automatic analysis of IDA Pro to fail.\r\nFor example, the addresses of library names are pushed on the stack using the call instruction (Figure 5). 
In\r\ncompiler-generated code, this instruction transfers the control flow to another function, and the return instruction\r\ntransfers it to the caller.\r\nGuLoader resolves the required functions at runtime and uses the djb2 hash algorithm to find the desired\r\nfunctions.\r\nAnti-Analysis and Evasion Techniques\r\nExpanding on the techniques mentioned above, the shellcode contains further techniques to obstruct automatic\r\nanalysis. One of these techniques is the search for virtual machine artifacts, which are embedded as djb2 hash\r\nvalues. In Figure 6, we can see that these hash values are pushed on top of the stack and the subsequent call to the\r\nfunction tries to find the corresponding artifacts in memory.\r\nSince these values are calculated by a one-way function (djb2), their preimages are unknown. So far, the strings in\r\nTable 1 are possible preimages.\r\nTable 1: Hash | Preimage | Notes\r\n7F21185B | “HookLibraryx86.dll” | ScyllaHide plugin for x64dbg\r\nA7C53F01 | “VBoxTrayToolWndClass” | VirtualBox Guest Additions\r\nB314751D | “vmtoolsdControlWndClass” | VMware, see [1]\r\nIf one of these hashes is found in memory, the sample displays an error message (Figure 7) and terminates the\r\nprocess. Therefore, the sample shows no further malicious behavior, and it does not download the payload.\r\nIn addition to the virtual machine artifacts, GuLoader checks the number of top-level windows displayed on the\r\ncurrent screen to rule out running in a sandbox (Figure 8).\r\nFor each top-level window, the callback function (Figure 9) increases a counter by one, which yields the overall\r\nnumber of top-level windows. 
This counter is used in the check at 0x1A01A6, which verifies that at least 12 top-level windows are present.\r\nFigure 8: Verification of the number of top-level windows on the screen.\r\nIf the number is lower, the process terminates; in this case no error message is displayed.\r\nTo further hinder manual analysis with a debugger, GuLoader modifies functions related to debugging\r\n(Figure 10).\r\nGuLoader modifies the two functions DbgBreakPoint and DbgUiRemoteBreakin. For the first function, the first\r\nbyte is replaced by a NOP instruction, and for the second function, the code is replaced by a call to ExitProcess\r\n(Figure 11).\r\nFigure 10: VMRay Analyzer – Code modifications of the function DbgUiRemoteBreakin\r\n[Right] After code modification of the function DbgUiRemoteBreakin.\r\nAfter the code modification of DbgUiRemoteBreakin, attaching a debugger to the running process results in its\r\ntermination.\r\nIn addition to modifying the two functions mentioned above, GuLoader modifies further functions exported by\r\nNtdll.dll (Figure 12). These functions are well-known candidates for function hooking, which allows intercepting\r\nfunction calls by redirecting the control flow. Some antivirus software and sandboxes use function hooking to\r\nmonitor the behavior of a given program.\r\nWe verified this suspicion in IDA Pro: GuLoader iterates through the code section of Ntdll.dll. 
While iterating,\r\nGuLoader tries to undo modifications introduced through function hooking, as mentioned in CrowdStrike’s\r\nanalysis, and disables Turbo Thunks (see WoW64 Internals).\r\nTo find candidates for modification, GuLoader uses various byte patterns, including “B8 00 00 00 00 BA” (Figure\r\n13).\r\nThe disabling of Turbo Thunks is reported (Figure 12), and calls to these functions are still monitored because\r\nVMRay’s technology does not rely on hooking.\r\nFurthermore, GuLoader hides threads by calling the function NtSetInformationThread with the value\r\nHideFromDebugger (0x11) for the parameter ThreadInformationClass (Figure 14).\r\nIn addition to the previously mentioned hash values of virtual machine artifacts, GuLoader checks for the presence of\r\nthe QEMU Guest Agent on the filesystem. Both filesystem strings are visible in the shellcode (Figure 15) and\r\nin the function log (Figure 14).\r\nBefore the second instance is created, or, in the case of the second instance, before the payload is downloaded, the sample\r\ndelays its execution by executing the instructions cpuid and rdtsc repeatedly in a loop (Figure 16).\r\nThe instruction cpuid provides information about the processor and its available features and can be used to detect\r\nthe presence of a hypervisor. The instruction rdtsc returns the number of CPU cycles since the last reset.\r\nIf cpuid is executed in a virtual machine, the instruction causes the control flow to be transferred to the hypervisor,\r\nwhich resolves the request. 
Switching from the virtual machine to the hypervisor and back again introduces an\r\noverhead that can be used to detect a virtual machine.\r\nIf a sandbox patches the rdtsc instruction to return a fixed value, the loop in Figure 16 becomes an infinite loop,\r\nsince the register edx at 0x001A2506 then always has the value 0 and the subsequent conditional jump is always taken.\r\nNext, the sample performs the actions related to its stage. In the first stage, it creates a new process of itself, tries\r\nto unmap its base image, maps msvbvm60.dll instead, and then performs the previously mentioned code injection.\r\nIn the second stage, it downloads the payload using the WinINet functions InternetOpenUrlA and\r\nInternetReadFile. We inspected the behavior of both stages in the VMRay function log (Figure 17). We\r\nhighlighted the function calls to NtGetContextThread in both figures because calls to some specific functions,\r\nincluding CreateProcessInternalW, NtAllocateVirtualMemory, NtWriteVirtualMemory and NtResumeThread,\r\nare preceded by a call to NtGetContextThread.\r\nThese functions are well-known candidates for breakpoints during manual dynamic analysis, and GuLoader tries\r\nto detect the presence of such breakpoints (Figure 18). After a call to NtGetContextThread, the values of the\r\ndebug registers DR0, DR1, DR3, DR6 and DR7 are inspected to detect hardware breakpoints. 
Next, the code of the\r\ndesired function is checked for interrupts/software breakpoints (0xCC, 0x3CD, 0x0B0F), which are typically\r\nset by debuggers, before the function is finally called (offset 0x1A2E66).\r\nAfter all of these evasion and anti-analysis attempts, the second instance decrypts the received payload, maps it\r\ninto memory, and transfers execution to it.\r\nConclusion\r\nWith the help of VMRay Analyzer, we can observe the complete behavior of GuLoader, which automates and\r\naccelerates the identification of important behavior for further analysis (Figures 19 \u0026 20). This analysis is a good\r\nexample of how malware evolves and adapts technical sandbox evasion and anti-analysis techniques. The quick\r\nand widespread adoption of GuLoader confirms a growing demand for evasive malware loaders in the criminal\r\nunderground.\r\nReferences\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye\r\nhttps://www.crowdstrike.com/blog/guloader-malware-analysis/\r\nhttps://wbenny.github.io/2018/11/04/wow64-internals.html\r\nIOCs\r\nSample\r\nb240e52ea8a55a50760de6017d644d2d0fcc43fd8918abdf99964efb464c37b6\r\nServer\r\n5[.]206[.]227[.]100\r\nEncrypted Payload\r\n5399f144876e276e8ee1ea206bb4599ca912d8ff42327bdbf08f588a0a836b4e\r\nSource: https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/"
	],
	"report_names": [
		"guloader-evasion-techniques-threat-bulletin"
	],
	"threat_actors": [],
	"ts_created_at": 1775434217,
	"ts_updated_at": 1775791273,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e80f62df99eeb06d46f98824b148d2fe8547df15.pdf",
		"text": "https://archive.orkl.eu/e80f62df99eeb06d46f98824b148d2fe8547df15.txt",
		"img": "https://archive.orkl.eu/e80f62df99eeb06d46f98824b148d2fe8547df15.jpg"
	}
}