Skip to content

S0561 GuLoader

GuLoader is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including NETWIRE, Agent Tesla, NanoCore, FormBook, and Parallax RAT.12

Item Value
ID S0561
Associated Names
Version 2.0
Created 11 January 2021
Last Modified 15 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols GuLoader can use HTTP to retrieve additional binaries.12
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder GuLoader can establish persistence via the Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion GuLoader can delete its executable from the AppData\Local\Temp directory on the compromised host.1
enterprise T1105 Ingress Tool Transfer GuLoader can download further malware for execution on the victim’s machine.2
enterprise T1106 Native API GuLoader can use a number of different APIs for discovery and execution.2
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link GuLoader has been spread in phishing campaigns using malicious web links.1
enterprise T1055 Process Injection GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process.2
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link GuLoader has relied upon users clicking on links to malicious documents.1
enterprise T1204.002 Malicious File The GuLoader executable has been retrieved via embedded macros in malicious Word documents.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call EnumWindows, and checking for Qemu guest agent.2
enterprise T1497.003 Time Based Evasion GuLoader has the ability to perform anti-debugging based on time checks, API calls, and CPUID.2
enterprise T1102 Web Service GuLoader has the ability to download malware from Google Drive.2