GuLoader is a relatively new downloader partly written in Visual Basic 6 (VB6) and is now being used by multiple threat actors to deliver their payloads, mostly RATs and information stealers.
Proofpoint has published a short analysis on the downloader on their blog.
The executable is typically delivered either embedded in an ISO or RAR file or via direct download from cloud hosting platforms, such as Google Drive or Microsoft OneDrive. Once downloaded, the VB6 wrapper decrypts the shellcode that provides the main functionality. In order to do this while making analysis more difficult, the loader leverages sophisticated injection techniques.
Once decrypted, the shellcode downloads a PE executable from a remote URL with a filename in the pattern of “<something>_encrypted_XXXXXX.bin” where “XXXXXXX” are hexadecimal digits. The downloaded file is XOR-encoded with an XOR key stored in the GuLoader shellcode.
Examples of dropped payloads include Agent Tesla/Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria/Warzone RAT and Parallax RAT.