Guloader Shellcode

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

GuLoader shellcode is a type of malware that utilizes various techniques to infiltrate systems, disrupt operations, and potentially steal personal information. The malicious software has been observed in encrypted forms such as the GuLoader VBScript and NSIS, both identified with unique MD5 hashes. These scripts contain XOR encoded strings responsible for downloading the GuLoader shellcode. The malware also deploys payloads like Remcos, which have been found encrypted and decrypted with distinct MD5 identifiers. Despite being uploaded to VirusTotal (VT) three weeks prior to this report, the URLs for downloading both the GuLoader shellcode and the Remcos payload remain active. The GuLoader shellcode has been extensively analyzed in previous research, with a focus on its evolution and cloud-based delivery mechanisms. It has been noted that the malware uses GitHub to stage or distribute malicious files. This was evidenced in several instances reported by Qualys, Morphisec Labs, and independent security researcher 0xToxin throughout 2023. These cases involved the use of Excel spreadsheets, PowerShell scripts, and phishing campaigns to deliver the GuLoader shellcode, highlighting the versatility of this malware's distribution methods. Starting from late 2022, the GuLoader shellcode began employing a new anti-analysis technique. This method involves disrupting the normal flow of code execution by intentionally triggering a large number of exceptions. These exceptions are then managed in a vector exception handler that redirects control to a dynamically calculated address. This innovative approach further complicates the process of analyzing and mitigating the threat posed by the GuLoader shellcode, necessitating ongoing vigilance and sophisticated countermeasures from cybersecurity professionals.

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Formbook	1	Formbook is a type of malware known for its ability to steal personal information, disrupt operations, and potentially hold data for ransom. The malware is commonly spread through suspicious downloads, emails, or websites, often without the user's knowledge. In June 2023, Formbook was observed being

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Payload

Shellcode

Phishing

PowerShell

Github

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
GuLoader	Unspecified	4	GuLoader is a type of malware that infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information, disrupt operations, or even hold data hostage for ransom. GuLoader is encrypted with NSIS Crypter and has
Remcos Payload	Unspecified	1	The Remcos payload is a type of malware that is designed to exploit and damage computer systems. It can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information, disrupt operations, o
Formbook Payload	Unspecified	1	None
Guloader Vbscript	Unspecified	1	GuLoader VBScript is a sophisticated form of malware designed to infiltrate and exploit computer systems. This malicious software can access systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information,

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Guloader Shellcode Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
CERT-EU	a year ago	GULoader Campaigns: A Deep Dive Analysis of a highly evasive Shellcode based loader \| McAfee Blog
CERT-EU	a year ago	GuLoader Campaign Targets Law Firms in the US
CERT-EU	6 months ago	Miscreants absolutely love using GitHub to sling malware
Checkpoint	a year ago	Cloud-Based Malware Delivery: The Evolution of GuLoader - Check Point Research
Unit42	a year ago	Machine Learning Versus Memory Resident Evil