{0e56f9ed-d36e-4176-bfbd-2bd7c7a74afa}w64.sys

UpperFind

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {0e56f9ed-d36e-4176-bfbd-2bd7c7a74afa}w64.sys by UpperFind has been detected as adware by 6 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{0e56f9ed-d36e-4176-bfbd-2bd7c7a74afa}w64”.
Publisher:
StdLib (signed by UpperFind)

Product:
StdLib

Version:
1.4.3.1 built by: WinDDK

MD5:
50f49cd443d9ce23d9e2ba6d33dff726

SHA-1:
e8e260bc886776ab5b9b16adaeffe5731f37dc61

SHA-256:
d1ebdec4931864ea62b3424f71abf619930a6e141ce21287e45b473db9fb4b3b

Scanner detections:
6 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser, installed with minimal or no user consent.

Analysis date:
4/25/2024 11:20:49 PM UTC

Scan engine           Detection              Engine version
Agnitum Outpost       Trojan.BPlug           7.1.1
Dr.Web                Trojan.BPlug.123       9.0.1.0234
IKARUS anti.virus     AdWare.SpadeCast       t3scan.1.7.5.0
Reason Heuristics     PUP.UpperFind.m        14.8.22.23
Sophos                BrowseSmart            4.98
VIPRE Antivirus       Trojan.Win32.Generic   32380

File size:
59.6 KB (61,072 bytes)

Product version:
1.4.3.1

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{0e56f9ed-d36e-4176-bfbd-2bd7c7a74afa}w64.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
7/28/2014 5:00:00 PM

Valid to:
7/29/2015 4:59:59 PM

Subject:
CN=UpperFind, O=UpperFind, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
3A4B94588F27E0C6A4333D91A636BC24

File PE Metadata
Compilation timestamp:
1/30/2014 4:45:30 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:vot2dxF9O8ZF33iqiIy938bWp9XcfBvJkowidI/h:v9JRicy938ip9ea1jp

Entry address:
0xF064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, 2E, 20, FF, FF, CC, CC, 38, F2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 1C, F6, 00, 00, 60, C1, 00, 00, 28, F1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BE, F9, 00, 00, 50, C0, 00, 00, D8, F0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, FA, 00, 00, 00, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9A, FA, 00, 00, 00, 00, 00, 00, 86, FA, 00, 00...

Entropy:
5.9628

Code size:
46.5 KB (47,616 bytes)

Driver
Display name:
{0e56f9ed-d36e-4176-bfbd-2bd7c7a74afa}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI