{3560b757-0519-45b3-a215-cfb94afd0821}w64.sys

Girafarri

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {3560b757-0519-45b3-a215-cfb94afd0821}w64.sys by Girafarri has been detected as adware by 27 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{3560b757-0519-45b3-a215-cfb94afd0821}w64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib (signed by Girafarri)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
8ec41813ea40561ab211a39db054d5ac

SHA-1:
6ba8842c6e477ac8d74782e4150502356e20c2e8

SHA-256:
b6dca066aa74d2a78320af1f3952f277c2457ea7c8d9ebe67cec90d7cb71c7da

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/24/2024 11:06:32 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.SwiftBrowse.CH | 655
Agnitum Outpost | Riskware.Agent | 7.1.1
avast! | Win32:BrowseFox-GZ [PUP] | 2014.9-150421
AVG | Girafarri | 2016.0.3133
Bitdefender | Adware.SwiftBrowse.CH | 1.0.20.555
Clam AntiVirus | Win.Adware.Swiftbrowse-497 | 0.98/19745
Dr.Web | hacktool program Tool.NetFilter.313 | 9.0.1.0111
Emsisoft Anti-Malware | Adware.SwiftBrowse.CH | 8.15.04.21.09
ESET NOD32 | Win64/BrowseFox.BM potentially unwanted application | 9.7.0.302.0
Fortinet FortiGate | Adware/BrowseFox | 4/21/2015
F-Prot | W64/A-59c9c70a | v6.4.7.1.166
F-Secure | Adware.SwiftBrowse.CH | 11.2015-21-04_3
G Data | Adware.SwiftBrowse.CH | 15.4.25
K7 AntiVirus | Adware | 13.200.15187
Malwarebytes | PUP.Optional.Girafarri | v2015.04.21.09
McAfee | Artemis!8EC41813EA40 | 5600.6789
MicroWorld eScan | Adware.SwiftBrowse.CH | 16.0.0.333
NANO AntiVirus | Riskware.Win64.NetFilter.dnsblq | 0.30.0.296
Norman | Adware.SwiftBrowse.CH | 11.20150722
nProtect | Adware.SwiftBrowse.CH | 14.12.05.01
Reason Heuristics | Threat.Yontoo.Girafarri | 15.4.21.5
SUPERAntiSpyware | Adware.BrowseFox/Variant | 9922
Trend Micro House Call | TROJ_GEN.R00UC0OBG15 | 7.2.111
Trend Micro | TROJ_GEN.R00UC0OBG15 | 10.465.21
VIPRE Antivirus | Threat.4150696 | 35418
Zillya! Antivirus | Adware.Yotoon.Win64.14 | 2.0.0.2000

File size:
47.7 KB (48,832 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Common path:
C:\Windows\System32\drivers\{3560b757-0519-45b3-a215-cfb94afd0821}w64.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
4/22/2014 3:00:00 AM

Valid to:
4/23/2015 2:59:59 AM

Subject:
CN=Girafarri, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Girafarri, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
2FB197284297D52000599AA2F7D0668F

File PE Metadata
Compilation timestamp:
2/4/2015 12:29:55 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:lc7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3f93:yFID6EGnLA8AFJTNEVmDB

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{3560b757-0519-45b3-a215-cfb94afd0821}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI