{82d31bd7-bfa9-4508-a691-a2ea6b39195b}gw64.sys

Greener Web

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {82d31bd7-bfa9-4508-a691-a2ea6b39195b}gw64.sys by Greener Web has been detected as adware by 8 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{82d31bd7-bfa9-4508-a691-a2ea6b39195b}Gw64”.
Publisher:
StdLib (signed by Greener Web)

Product:
StdLib

Version:
1.4.3.1 built by: WinDDK

MD5:
91587d8edea137214a1eaf8b4456ef49

SHA-1:
700df9c6afa01bb8dd47fd90b557e5f974d6b605

SHA-256:
44d21f59b6d6c1bce6faa6b1f829b83cb0002ebffd0d9c131d8410333a4b51c1

Scanner detections:
8 / 68

Status:
Adware

Explanation:
Belongs to the Sambreel/Yontoo program that inserts various forms of advertising into the user's web browser, installed with minimal or no user consent.

Analysis date:
4/16/2024 10:59:22 PM UTC

Scan engine          Detection           Engine version
Agnitum Outpost      Trojan.BPlug        7.1.1
AVG                  Greeneb             2015.0.3390
Dr.Web               Trojan.BPlug.123    9.0.1.05190
IKARUS anti.virus    AdWare.SpadeCast    t3scan.1.6.1.0
Reason Heuristics    PUP.GreenerWeb.n    14.8.6.21
Sophos               BrowseSmart         4.98
VIPRE Antivirus      Threat.4150696      31208

File size:
59.6 KB (61,016 bytes)

Product version:
1.4.3.1

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{82d31bd7-bfa9-4508-a691-a2ea6b39195b}gw64.sys

Digital Signature
Signed by:

Authority:
DigiCert Inc

Valid from:
6/4/2014 8:00:00 PM

Valid to:
6/10/2015 8:00:00 AM

Subject:
CN=Greener Web, O=Greener Web, L=Santa Monica, S=California, C=US

Issuer:
CN=DigiCert Assured ID Code Signing CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US

Serial number:
07CF8E3C70EA58D06FE678225FF74862

File PE Metadata
Compilation timestamp:
1/30/2014 7:45:30 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:Yot2dxF9O8ZF33iqiIy938bWp9XcfBvJkowidIx4w2GMIsc:Y9JRicy938ip9ea1jmwoIsc

Entry address:
0xF064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, 2E, 20, FF, FF, CC, CC, 38, F2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 1C, F6, 00, 00, 60, C1, 00, 00, 28, F1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BE, F9, 00, 00, 50, C0, 00, 00, D8, F0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, FA, 00, 00, 00, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9A, FA, 00, 00, 00, 00, 00, 00, 86, FA, 00, 00...

Entropy:
5.9400

Code size:
46.5 KB (47,616 bytes)

Driver
Display name:
{82d31bd7-bfa9-4508-a691-a2ea6b39195b}Gw64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI