{
	"id": "b2933694-f7ab-4adc-ba7d-73a928e4ed8a",
	"created_at": "2026-04-06T00:16:44.052568Z",
	"updated_at": "2026-04-10T13:12:28.292366Z",
	"deleted_at": null,
	"sha1_hash": "e8b86c1c03e1c3fd3ba0fb4a5b631d5aa0c68bce",
	"title": "Unloading the GuLoader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90239,
	"plain_text": "Unloading the GuLoader\r\nBy VIPRE Labs\r\nPublished: 2020-05-20 · Archived: 2026-04-05 18:25:10 UTC\r\nWe recently came across a spike of spam email samples containing GuLoader. This malware was discovered last year, in 2019, and became more popular among cybercriminals during the coronavirus outbreak. GuLoader is usually attached to a spam email related to bill payments, wire transfers or COVID malspam (you can see a detailed analysis of the COVID malspam here). GuLoader is written in VB5/6 and compressed in a .rar/.iso file. The graph below shows the increase in GuLoader samples that our customers have received:\r\nFigure 1.0 Data collected from January to April 2020 showing the increase in GuLoader related samples\r\nFigure 2.0 Spam emails containing GuLoader\r\nGuLoader is popular for distributing Remote Access Trojan (RAT) tools, which allow the attackers to control, monitor, or steal information from the infected machine. This malware downloader uses cloud hosting services (Microsoft OneDrive or Google Drive) to host its encrypted payload.\r\nDig Deeper Inside of GuLoader\r\nAnalyzing the GuLoader sample, the malware is indeed a VB5/6 executable. A compiled Visual Basic sample can be recognized by an imported DLL called MSVBVM60.DLL.\r\nFigure 3.0 GuLoader sample written in VB5/6 and the msvbvm60.dll\r\nAnalyzing further, we’ve found the malware’s encrypted malicious code. This malware allocates virtual memory and decrypts the encrypted malicious code using XOR.\r\nFigure 4.0 The decryption routine\r\nFigure 5.0 The encrypted malicious code (left) and the decrypted malicious code in allocated virtual memory (right).\r\nhttps://labs.vipre.com/unloading-the-guloader/\r\nPage 1 of 4\n\nThe decrypted code will be at virtual address 0x350000. Checking this region in the memory map, it has read, write, and execute (RWE) access. We then dumped the decrypted code to conduct analysis.\r\nFigure 6.0 The dumped memory and the familiar strings that were found in the decrypted code\r\nChecking the strings in the decrypted code, we can clearly see the cloud hosting service URL that stores the encrypted payload (hxxps://drive[.]google[.]com/uc?export=download\u0026id=19sVk-ZTWHVl3_ITBst1x51qX2L28yNlw). We can also see familiar DLLs like wininet.dll and APIs like InternetOpenA, InternetOpenUrlA, InternetSetOptionA etc. The wininet.dll contains internet related functions like InternetOpenA, and these functions will probably be used to connect to the URL that contains the encrypted payload.\r\nAnalyzing what’s inside the decrypted code, we can see that the malware will find the GetProcAddress function in kernel32.dll, because GetProcAddress is important in finding and calling other API functions. In order to do this, the malware will first access the Process Environment Block (PEB) -\u003e LDR data -\u003e InMemoryOrderModuleList and then get the address of the module kernel32.dll.\r\nFigure 7.0 Accessing the PEB and getting the address of kernel32.dll\r\nAfter obtaining the address of kernel32.dll and finding GetProcAddress in kernel32.dll, the malware will resolve the following series of APIs:\r\nLoadLibraryA\r\nTerminateProcess\r\nEnumWindows\r\nNtProtectVirtualMemory\r\nNtSetInformationThread\r\nNtAllocateVirtualMemory\r\nDbgBreakPoint\r\nDbgUiRemoteBreakin\r\nAfter this, we ran into some anti-analysis techniques, which the malware authors use to make the malware more difficult to analyze. Here are some of the techniques we encountered:\r\nAn anti-debugger that hides the thread from the debugger. To perform this, the API NtSetInformationThread is needed. They set the second parameter (ThreadInformationClass) to 0x11, which is equivalent to ThreadHideFromDebugger. It will hide the thread from the debugger so it can’t be easily debugged. For example, the thread will continue to run, but the debugger will not be able to receive any events related to the thread.\r\nFigure 8.0 Calling of NtSetInformationThread to hide the thread from the debugger\r\nThread attach in a debugger can be seen in the thread window. In figure 9.0, we can see the before and after of the thread being hidden from the debugger. The before part is where we can see the main thread and its thread ID, which is 11DC. The after part is where the main thread is hidden from the debugger.\r\nFigure 9.0 Before and after the hiding of thread\r\nThere’s another technique that will first call the NtProtectVirtualMemory function to set the permission of ntdll’s .text section to PAGE_EXECUTE_READWRITE. The ntdll.dll contains the following APIs, DbgBreakPoint and DbgUiRemoteBreakin, that will be used to perform anti-attach. The malware prevents the debugger from attaching to a process by hooking the DbgBreakPoint and DbgUiRemoteBreakin functions. For example, it will patch the DbgBreakPoint and DbgUiRemoteBreakin functions so that they trigger the process to exit or jump to an invalid location. As in figure 12.0, DbgUiRemoteBreakin will call address 0x00000000 and exit.\r\nFigure 10.0 Calling of NtProtectVirtualMemory to set the permission of NTDLL.DLL\r\nFigure 11.0 Patching of DbgBreakPoint and DbgUiRemoteBreakin for anti-attach technique\r\nFigure 12.0 Before and after patching the DbgUiRemoteBreakin function\r\nGuLoader will create a folder in the C:\\Users directory, and the created folder contains a copy of the malware itself. It will also achieve persistence by modifying the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\r\nFigure 13.0 The created folder containing the created malware copy\r\nNow GuLoader implements process hollowing: the child process (for this sample it’s RegAsm.exe) downloads and decrypts the encrypted payload from a cloud hosting service, and maps the decrypted payload into memory to execute.\r\nFigure 15.0 The cloud hosting service storing the encrypted payload\r\nThe common GuLoader payloads are Formbook, NetWire, Remcos, Lokibot etc.\r\nIOCs:\r\nURLs\r\nhxxps://onedrive[.]live[.]com/download?cid=1491235303209D1A\u0026resid=1491235303209D1A!109\u0026authkey=ACw2GiM8jfgliBs\r\nhxxps://drive[.]google[.]com/uc?export=download\u0026id=1EQ7DIlAk9lk2E52DQLELmB02ADqw-62s\r\nhxxps://drive[.]google[.]com/uc?export=download\u0026id=19sVk-ZTWHVl3_ITBst1x51qX2L28yNlw\r\nSamples\r\nIMG and ISO Files\r\n466a8de97917fdbc706ccad735ef08a4b049f802d01a03e4f611f75a132e4839\r\n7aadacc7c5bb0c0319f8943d3c65ef2d41d49b1c470210e70e250dd665f167fe\r\nEXE Files\r\n503f94f00304bc18900c3494f2da5bcb1d8a103a0b15ce00bbdaeb5dfd8d9b7b\r\ncbffd8f471de9728610b1edd4519f65399a8e64e46177e1178685ef6b081065b\r\nVIPRE detects and prevents this kind of malware and associated infections.\r\nAnalysis by #Farrallel\r\nSource: https://labs.vipre.com/unloading-the-guloader/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.vipre.com/unloading-the-guloader/"
	],
	"report_names": [
		"unloading-the-guloader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8b86c1c03e1c3fd3ba0fb4a5b631d5aa0c68bce.pdf",
		"text": "https://archive.orkl.eu/e8b86c1c03e1c3fd3ba0fb4a5b631d5aa0c68bce.txt",
		"img": "https://archive.orkl.eu/e8b86c1c03e1c3fd3ba0fb4a5b631d5aa0c68bce.jpg"
	}
}