{47351c22-0d6c-4658-a617-795d251145e2}w64.sys

SerialTrunc

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The file {47351c22-0d6c-4658-a617-795d251145e2}w64.sys, published by SerialTrunc, has been detected as adware by 31 anti-malware scanners. It runs as a Windows 64-bit kernel-mode device driver named “{47351c22-0d6c-4658-a617-795d251145e2}w64”. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib (signed by SerialTrunc)

Product:
StdLib

Version:
1.4.3.1 built by: WinDDK

MD5:
41fda7524b9c65584b6946c1908a26f2

SHA-1:
7ae1581d4016197f9a27f4528c5e15ed4eb4d750

SHA-256:
9ebe40f8ec09be8b212bcdf70204a6d861b9b55b2c78f5ebf6cdd1b1b7b9efc9

Scanner detections:
31 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/20/2024 2:41:32 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.SwiftBrowse.CH | 357
Agnitum Outpost | Riskware.NetFilter | 7.1.1
AhnLab V3 Security | Trojan/Win64.SwiftBrowse | 2014.09.19
Avira AntiVirus | APPL/BrowseFox.zta | 7.11.171.22
avast! | Win64:Malware-gen | 2014.9-160213
AVG | Adware AdPlugin | 2017.0.2835
Baidu Antivirus | Adware.Win32.BrowseFox | 4.0.3.16213
Bitdefender | Adware.SwiftBrowse.L | 1.0.20.220
Bkav FE | W64.HfsAdware | 1.3.0.6379
Clam AntiVirus | Win.Adware.Swiftbrowse-497 | 0.98/20566
Comodo Security | UnclassifiedMalware | 18740
Dr.Web | Trojan.Yontoo.1742 | 9.0.1.044
Emsisoft Anti-Malware | Adware.SwiftBrowse.CH | 8.16.02.13.06
ESET NOD32 | Win64/Riskware.NetFilter (variant) | 10.10439
F-Prot | W64/A-59c9c70a | v6.4.7.1.166
F-Secure | Adware.SwiftBrowse.CH | 11.2016-13-02_7
G Data | Adware.SwiftBrowse | 16.2.24
IKARUS anti.virus | AdWare.SwiftBrowse | t3scan.1.7.5.0
K7 AntiVirus | Adware | 13.205.16247
Malwarebytes | PUP.Optional.NetFilter | v2016.02.13.06
McAfee | Artemis!B122C03B432F | 5600.6491
MicroWorld eScan | Adware.SwiftBrowse.L | 17.0.0.132
Norman | Adware.SwiftBrowse.CH | 11.20160213
nProtect | Adware.SwiftBrowse.L | 14.05.23.01
Qihoo 360 Security | Win32/Trojan.RiskWare.a25 | 1.0.0.1015
Reason Heuristics | PUP.Yontoo.SerialTrunc (M) | 16.2.13.6
Sophos | BrowseSmart | 4.98
SUPERAntiSpyware | Adware.BrowseFox/Variant | 9326
Trend Micro House Call | TROJ_GEN.F47V0523 | 7.2.44
VIPRE Antivirus | Yontoo | 33236
Zillya! Antivirus | Adware.Yotoon.Win64.3 | 2.0.0.1913

File size:
43.7 KB (44,736 bytes)

Product version:
1.4.3.1

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{47351c22-0d6c-4658-a617-795d251145e2}w64.sys

Digital Signature
Signed by:
SerialTrunc
Authority:
VeriSign, Inc.

Valid from:
1/2/2014 10:00:00 PM

Valid to:
1/3/2015 9:59:59 PM

Subject:
CN=SerialTrunc, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=SerialTrunc, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
167D55FA84ED98E4D7F5933FEC5E95BA

File PE Metadata
Compilation timestamp:
9/12/2014 8:33:02 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:4gLmaZF8aSQ7DwZmEhzg8ClFHeDrTdRfsQCa5075YLwidHI8LItC:D5ZEQI8E7ClquaC759Ea8

Entry address:
0xB064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, C6, 60, FF, FF, CC, CC, 38, B2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 1C, B6, 00, 00, 60, 81, 00, 00, 28, B1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BE, B9, 00, 00, 50, 80, 00, 00, D8, B0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, BA, 00, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9A, BA, 00, 00, 00, 00, 00, 00, 86, BA, 00, 00...

Code size:
30.5 KB (31,232 bytes)

Driver
Display name:
{47351c22-0d6c-4658-a617-795d251145e2}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI