Severity

Medium

Analysis Summary

Since 2019, Guloader has been in operation as a downloader. GuLoader spreads through spam campaigns with malicious archived attachments. GuLoader downloads the bulk of malware, with the most frequent being AgentTesla, FormBook, and NanoCore. The encrypted payloads of this downloader are usually saved on Google Drive. It also acquired its payloads from Microsoft OneDrive and an attacker-controlled website.

GuLoader can avoid network-based detection by using genuine file-sharing websites, which aren’t often filtered or inspected in corporate contexts.

Impact

• Information Theft
• Security Bypass

Indicators of Compromise

MD5

• 4cb9e2f765041f74d74e4635144ce621

SHA-256

• bd068442713d668c544ed7c9b439e27121b33ac1573b12c95c7ff7ca8003d283

SHA-1

• 472ee254ad0196a8a80517d19d2d2f3f0df1fdd7

Remediation

• Block the threat indicators at their respective controls.
• Search for IOCs in your environment.