Severity
High
Analysis Summary
GuLoader is a downloader written partly in Visual Basic 6 and originally seen being used to deliver Parallax RAT. Multiple threat actors are currently using it to download a variety of RATs and information stealers. The executable is typically delivered either embedded in an ISO or RAR file or via direct download from cloud hosting platforms, such as Google Drive or Microsoft OneDrive. Once downloaded, the VB6 wrapper decrypts the shellcode that provides the main functionality. In order to do this while making analysis more difficult, the loader leverages sophisticated injection techniques. Once decrypted, the shellcode downloads a PE executable from a remote URL with a filename in the pattern of “_encrypted_XXXXXX.bin” where “XXXXXXX” are hexadecimal digits. The downloaded file is XOR-encoded with a XOR key stored in the GuLoader shellcode. Examples of dropped payloads include Agent Tesla/Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria/Warzone RAT and Parallax RAT.
Impact
- Unauthorized Remote Access
- System Takeover
- Credential Theft
- Command Execution
- Information Theft
Indicators of Compromise
Domain Name
- droptop1[.]com
- droptop2[.]com
- droptop3[.]com
- droptop4[.]com
- droptop5[.]com
- droptop6[.]com
- droptop7[.]com
- droptop8[.]com
- droptop9[.]com
- droptop10[.]com
MD5
- 913fc7a8a80e209997ad142ffce2d619
- b5479869c1ae14084526161cc002036c
SHA-256
- e8f8cc178425c55c03c76d0a2a11918371bba8f2d6f400752ca1cea5e663da2e
- 26f7bfe041a3d8a2b620d0ed2af4e2ef54b004202ec479362939b9154b1c8758
Source IP
185[.]140[.]53[.]134
URL
- https[:]//drive[.]google[.]com/uc?export=download&id=1N8gVOM5p8Ubm1HwolChxHidT7YoN29EE
- https[:]//drive[.]google[.]com/uc?export=download&id=1dtlMCyozUPBepc-AtEdirGENZBpWesAi
Remediation
- Block the threat indicators at their respective controls.
- Do not download unnecessary files from any source, whether emails or cloud hosting platforms.