{6b320d34-648f-46d8-8353-a4300db1c49c}w64.sys

Laflurla

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The file {6b320d34-648f-46d8-8353-a4300db1c49c}w64.sys by Laflurla has been detected as adware by 33 anti-malware scanners. It runs as a Windows 64-bit kernel-mode device driver named “{6b320d34-648f-46d8-8353-a4300db1c49c}w64”. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by Laflurla)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
3cc80933b8959526cc4ec3dc214fe432

SHA-1:
178bcb9f6dcea89a06a54ce1ba9e2075a81fc1e4

SHA-256:
a5e31a8bb7c300292bbb69fb79a8a79978063b20d730c0cd66f14b5cde2a98c0

Scanner detections:
33 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/16/2024 3:35:52 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Adware.SwiftBrowse.CT | 364 |
| Agnitum Outpost | PUA.Yotoon | 7.1.1 |
| AhnLab V3 Security | Trojan/Win64.SwiftBrowse | 2014.09.15 |
| Avira AntiVirus | APPL/BrowseFox.zta | 7.11.171.22 |
| avast! | Win32:BrowseFox-CH [PUP] | 2014.9-160205 |
| AVG | Adware Generic6 | 2017.0.2842 |
| Baidu Antivirus | Adware.Win32.BrowseFox | 4.0.3.1625 |
| Bitdefender | Adware.SwiftBrowse.L | 1.0.20.180 |
| Clam AntiVirus | Win.Adware.Swiftbrowse-773 | 0.98/20126 |
| Comodo Security | UnclassifiedMalware | 18740 |
| Dr.Web | Trojan.BPlug.123 | 9.0.1.036 |
| Emsisoft Anti-Malware | Adware.SwiftBrowse.CT | 8.16.02.05.07 |
| ESET NOD32 | Win64/Komodia.A potentially unsafe application | 10.7.0.302.0 |
| Fortinet FortiGate | Riskware/PUP_z | 2/5/2016 |
| F-Prot | W64/A-a8e2f748 | v6.4.7.1.166 |
| F-Secure | Adware.SwiftBrowse.CT | 11.2016-05-02_6 |
| G Data | Adware.SwiftBrowse | 16.2.24 |
| IKARUS anti.virus | AdWare.SwiftBrowse | t3scan.1.7.8.0 |
| K7 AntiVirus | Adware | 13.1915113 |
| Malwarebytes | PUP.Optional.NetFilter | v2016.02.05.07 |
| McAfee | Artemis!EB4C2DE4F874 | 5600.6498 |
| MicroWorld eScan | Adware.SwiftBrowse.L | 17.0.0.108 |
| Norman | Adware.SwiftBrowse.CT | 11.20160205 |
| nProtect | Adware.SwiftBrowse.L | 14.05.23.01 |
| Qihoo 360 Security | Win32/Trojan.RiskWare.a25 | 1.0.0.1015 |
| Reason Heuristics | PUP.Yontoo.Laflurla (M) | 16.2.5.19 |
| Rising Antivirus | PE:Trojan.Win32.Generic.1764F718!392492824 | 23.00.65.16203 |
| Sophos | BrowseSmart | 4.98 |
| SUPERAntiSpyware | Adware.BrowseFox/Variant | 9341 |
| Trend Micro House Call | TROJ_GEN.F47V0523 | 7.2.36 |
| Trend Micro | TROJ_SPNV.03I614 | 10.465.05 |
| VIPRE Antivirus | Trojan.Win32.Generic | 33126 |
| Zillya! Antivirus | Adware.Yotoon.Win64.3 | 2.0.0.1922 |

File size:
47.7 KB (48,824 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{6b320d34-648f-46d8-8353-a4300db1c49c}w64.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
2/3/2014 4:00:00 PM

Valid to:
2/4/2015 3:59:59 PM

Subject:
CN=Laflurla, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Laflurla, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0541E25DBE69A2BC84C39AB35093A301

File PE Metadata
Compilation timestamp:
9/22/2014 12:01:54 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:lP7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3LpcuG:NFID6EGnLA8AFJTNEVmDLJG

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...

Entropy:
6.3918

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{6b320d34-648f-46d8-8353-a4300db1c49c}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI