{215f3947-4d13-46f7-95aa-328779d361ce}w64.sys

Lizardlink

This file is part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The file {215f3947-4d13-46f7-95aa-328779d361ce}w64.sys by Lizardlink has been detected as adware by 10 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{215f3947-4d13-46f7-95aa-328779d361ce}w64”. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib (signed by Lizardlink)

Product:
StdLib

Version:
1.4.3.1 built by: WinDDK

MD5:
2a2b084faf18cd9454b4a311f791d53f

SHA-1:
34df0b4ef9b6bc4484d1aacb79c1dd75ffdb2600

SHA-256:
cb6679d8216ebe5d6469c8cb9e0836da6e920244ee9d4feb49488f8a62d24e1a

Scanner detections:
10 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/27/2024 12:05:04 AM UTC

Scan engine              Detection                      Engine version
Agnitum Outpost          Trojan.BPlug                   7.1.1
AVG                      MalSign.Skodna.BuzzSearch      2017.0.2834
Baidu Antivirus          Adware.Win32.BrowseFox         4.0.3.16213
Dr.Web                   Trojan.BPlug.123               9.0.1.044
IKARUS anti.virus        AdWare.SpadeCast               t3scan.1.6.1.0
McAfee                   Artemis!C515D124E11C           5600.6490
Reason Heuristics        PUP.Yontoo.Lizardlink (M)      16.2.13.15
Sophos                   BrowseSmart                    4.98
Trend Micro House Call   Suspicious_GEN.F47V0702        7.2.44
VIPRE Antivirus          Trojan.Win32.Generic           31318

File size:
59.7 KB (61,120 bytes)

Product version:
1.4.3.1

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{215f3947-4d13-46f7-95aa-328779d361ce}w64.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
8/13/2013 2:00:00 AM

Valid to:
8/14/2015 1:59:59 AM

Subject:
CN=Lizardlink, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Lizardlink, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
75D65D3F9991F633C8AC64A5AE9E34EE

File PE Metadata
Compilation timestamp:
1/31/2014 1:45:30 AM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:dot2dxF9O8ZF33iqiIy938bWp9XcfBvJkowidIb:d9JRicy938ip9ea1j

Entry address:
0xF064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, 2E, 20, FF, FF, CC, CC, 38, F2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 1C, F6, 00, 00, 60, C1, 00, 00, 28, F1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BE, F9, 00, 00, 50, C0, 00, 00, D8, F0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, FA, 00, 00, 00, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9A, FA, 00, 00, 00, 00, 00, 00, 86, FA, 00, 00...

Code size:
46.5 KB (47,616 bytes)

Driver
Display name:
{215f3947-4d13-46f7-95aa-328779d361ce}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI