{47351c22-0d6c-4658-a617-795d251145e2}w64.sys

SerialTrunc

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {47351c22-0d6c-4658-a617-795d251145e2}w64.sys by SerialTrunc has been detected as adware by 31 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{47351c22-0d6c-4658-a617-795d251145e2}w64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by SerialTrunc)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
8304e3211ff22296389fb0604d389fd0

SHA-1:
0befa316545ee5e58c58e7441769395b5f3af1a4

SHA-256:
3804fd085aacad776eaadbebe2bcb928175d5a80985b5321b18699c9310a1d6b

Scanner detections:
31 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/24/2024 2:16:42 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.SwiftBrowse.CH | 356
Agnitum Outpost | Riskware.NetFilter | 7.1.1
AhnLab V3 Security | Trojan/Win64.SwiftBrowse | 2014.09.19
Avira AntiVirus | APPL/BrowseFox.zta | 7.11.171.22
avast! | Win64:Malware-gen | 2014.9-160213
AVG | Adware AdPlugin | 2017.0.2834
Baidu Antivirus | Adware.Win32.BrowseFox | 4.0.3.16213
Bitdefender | Adware.SwiftBrowse.L | 1.0.20.220
Bkav FE | W64.HfsAdware | 1.3.0.6379
Clam AntiVirus | Win.Adware.Swiftbrowse-497 | 0.98/20566
Comodo Security | UnclassifiedMalware | 18740
Dr.Web | Trojan.Yontoo.1742 | 9.0.1.044
Emsisoft Anti-Malware | Adware.SwiftBrowse.CH | 8.16.02.13.03
ESET NOD32 | Win64/Riskware.NetFilter (variant) | 10.10439
F-Prot | W64/A-59c9c70a | v6.4.7.1.166
F-Secure | Adware.SwiftBrowse.CH | 11.2016-13-02_7
G Data | Adware.SwiftBrowse | 16.2.24
IKARUS anti.virus | AdWare.SwiftBrowse | t3scan.1.7.5.0
K7 AntiVirus | Adware | 13.205.16247
Malwarebytes | PUP.Optional.NetFilter | v2016.02.13.03
McAfee | Artemis!B122C03B432F | 5600.6490
MicroWorld eScan | Adware.SwiftBrowse.L | 17.0.0.132
Norman | Adware.SwiftBrowse.CH | 11.20160213
nProtect | Adware.SwiftBrowse.L | 14.05.23.01
Qihoo 360 Security | Win32/Trojan.RiskWare.a25 | 1.0.0.1015
Reason Heuristics | PUP.Yontoo.SerialTrunc (M) | 16.2.13.15
Sophos | BrowseSmart | 4.98
SUPERAntiSpyware | Adware.BrowseFox/Variant | 9326
Trend Micro House Call | TROJ_GEN.F47V0523 | 7.2.44
VIPRE Antivirus | Yontoo | 33236
Zillya! Antivirus | Adware.Yotoon.Win64.3 | 2.0.0.1913

File size:
47.7 KB (48,832 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{47351c22-0d6c-4658-a617-795d251145e2}w64.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
1/2/2014 9:00:00 PM

Valid to:
1/3/2015 8:59:59 PM

Subject:
CN=SerialTrunc, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=SerialTrunc, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
167D55FA84ED98E4D7F5933FEC5E95BA

File PE Metadata
Compilation timestamp:
9/22/2014 4:01:54 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:l67G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3aW8LIOf:8FID6EGnLA8AFJTNEVmDaUOf

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{47351c22-0d6c-4658-a617-795d251145e2}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI