win.guloader

GuLoader

aka: vbdropper

GuLoader is a small VB5/6 downloader. It typically downloads RATs and stealers such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often (but not always) from Google Drive. The downloaded payload is XOR-encoded.

References
2020-03-20 | Bitdefender | Liviu Arsene | 5 Times More Coronavirus-themed Malware Reports during March
@online{arsene:20200320:5:46813c6, author = {Liviu Arsene}, title = {{5 Times More Coronavirus-themed Malware Reports during March}}, date = {2020-03-20}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter}, language = {English}, urldate = {2020-03-26} }
Referenced families: ostap, GuLoader, HawkEye Keylogger, Koadic, Loki Password Stealer (PWS), Nanocore RAT, Remcos

2020-03-18 | Proofpoint | Axel F, Sam Scholten | Coronavirus Threat Landscape Update
@online{f:20200318:coronavirus:8fe12a3, author = {Axel F and Sam Scholten}, title = {{Coronavirus Threat Landscape Update}}, date = {2020-03-18}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update}, language = {English}, urldate = {2020-03-26} }
Referenced families: Agent Tesla, Get2, GuLoader, ISFB, Remcos

2020-03-05 | Proofpoint | Proofpoint Threat Research Team | GuLoader: A Popular New VB6 Downloader that Abuses Cloud Services
@online{team:20200305:guloader:9972f51, author = {Proofpoint Threat Research Team}, title = {{GuLoader: A Popular New VB6 Downloader that Abuses Cloud Services}}, date = {2020-03-05}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services}, language = {English}, urldate = {2020-03-05} }
Referenced families: GuLoader

2020-02-04 | 0x00sec | Dan Lisichkin | Analyzing Modern Malware Techniques - Part 3: A case of Powershell, Excel 4 Macros and VB6
@online{lisichkin:20200204:analyzing:bba72ea, author = {Dan Lisichkin}, title = {{Analyzing Modern Malware Techniques - Part 3: A case of Powershell, Excel 4 Macros and VB6}}, date = {2020-02-04}, organization = {0x00sec}, url = {https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943}, language = {English}, urldate = {2020-02-08} }
Referenced families: GuLoader

2020-01-14 | Malpedia | Malpedia | Family Page for GuLoader
@online{malpedia:20200114:family:940a88a, author = {Malpedia}, title = {{Family Page for GuLoader}}, date = {2020-01-14}, organization = {Malpedia}, url = {https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader}, language = {English}, urldate = {2020-01-14} }
Referenced families: GuLoader
Yara Rules
[TLP:WHITE] win_guloader_w0 (20200204 | Shellcode injector and downloader via RegAsm.exe payload)
rule win_guloader_w0 {
    meta:
        author = "ditekshen"
        description = "Shellcode injector and downloader via RegAsm.exe payload"
        source = "https://github.com/kevoreilly/CAPEv2/blob/master/data/yara/CAPE/SCInject.yar"
        malpedia_version = "20200204"
        malpedia_sharing = "TLP:WHITE"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader"
    strings:
        // Download/execute API names, RunOnce persistence key and the hardcoded
        // User-Agent; the condition requires all five of these.
        $s1 = "wininet.dll" fullword ascii
        $s2 = "ShellExecuteW" fullword ascii
        $s3 = "SHCreateDirectoryExW" fullword ascii
        $s4 = "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce" fullword ascii
        $s5 = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" fullword ascii

        // VB6 runtime, injection-target paths (RegAsm.exe under the .NET
        // framework directory) and environment variable names, as UTF-16;
        // the condition requires any two.
        $o1 = "msvbvm60.dll" fullword wide
        $o2 = "\\syswow64\\" fullword wide
        $o3 = "\\system32\\" fullword wide
        $o4 = "\\Microsoft.NET\\Framework\\" fullword wide
        $o5 = "USERPROFILE=" wide nocase
        $o6 = "windir=" fullword wide
        $o7 = "APPDATA=" nocase wide
        $o8 = "RegAsm.exe" fullword wide

        // Payload hosting locations (cloud storage direct-download URLs and the
        // builder's placeholder URL); the condition requires any one.
        $url1 = "https://drive.google.com/uc?export=download&id=" ascii
        $url2 = "https://onedrive.live.com/download?cid=" ascii
        $url3 = "http://myurl/myfile.bin" fullword ascii
        // fallback: "http" matches almost any URL-bearing sample, so the rule's
        // selectivity comes from the $s* and $o* groups, not from $url*
        $url4 = "http" ascii
    condition:
        all of ($s*) and 2 of ($o*) and 1 of ($url*)
}