home

{9e8f3dfc-4537-4391-a682-16d2636a7838}w64.sys

albrechto

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {9e8f3dfc-4537-4391-a682-16d2636a7838}w64.sys by albrechto has been detected as adware by 29 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{9e8f3dfc-4537-4391-a682-16d2636a7838}w64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by albrechto)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
f7889891c81e5b18e96dad7f034ecc62

SHA-1:
31864b5a525188a1710c35f480a0da19fdece537

SHA-256:
947c0223cfce3bac543c90b7a6c62ebc84b57fa24d41b4581e41ed1603766a01

Scanner detections:
29 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/16/2024 6:28:45 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Agent.OET
356

Agnitum Outpost
Trojan.BPlug
7.1.1

AhnLab V3 Security
Trojan/Win64.SwiftBrowse
2014.08.26

Avira AntiVirus
Adware/BrowseFox.app
7.11.196.52

avast!
Win32:BrowseFox-HN [PUP]
2014.9-160214

AVG
Alchechto
2017.0.2834

Baidu Antivirus
Adware.Win32.BrowseFox
4.0.3.16214

Bitdefender
Adware.Agent.OET
1.0.20.225

Bkav FE
W64.HfsAdware
1.3.0.6379

Clam AntiVirus
Win.Adware.Swiftbrowse-284
0.98/19793

Dr.Web
Trojan.Yontoo.1734
9.0.1.045

Emsisoft Anti-Malware
Adware.Agent.OET
8.16.02.14.07

ESET NOD32
Win64/BrowseFox.BS potentially unwanted application
10.7.0.302.0

F-Prot
W64/A-abca7297
v6.4.7.1.166

F-Secure
Adware.Agent.OET
11.2016-14-02_1

G Data
Adware.Agent.OET
16.2.24

IKARUS anti.virus
AdWare.SpadeCast
t3scan.1.6.1.0

K7 AntiVirus
Adware
13.203.15660

McAfee
Artemis!A53F672B9B9F
5600.6490

MicroWorld eScan
Adware.Agent.OET
17.0.0.135

Norman
Adware.Agent.OET
11.20160214

nProtect
Adware.Agent.OET
14.08.25.01

Reason Heuristics
PUP.Yontoo.albrechto (M)
16.2.14.7

Sophos
BrowseSmart
4.98

SUPERAntiSpyware
Adware.BrowseFox/Variant
9324

Trend Micro House Call
TROJ_GEN.F47V0610
7.2.45

Trend Micro
HS_BROWSEFOX.SM
10.465.14

VIPRE Antivirus
Trojan.Win32.Generic
30356

Zillya! Antivirus
Adware.Yotoon.Win64.3
2.0.0.1901

File size:
47.7 KB (48,824 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{9e8f3dfc-4537-4391-a682-16d2636a7838}w64.sys

Digital Signature
Signed by:
albrechto

Authority:
VeriSign, Inc.

Valid from:
9/18/2013 8:00:00 PM

Valid to:
9/19/2015 7:59:59 PM

Subject:
CN=albrechto, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=albrechto, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
0AAC8B95EA7A39BA646CDEAEEB8F189B

File PE Metadata
Compilation timestamp:
9/22/2014 3:01:54 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:li7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3mK8u:EFID6EGnLA8AFJTNEVmDmE

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...
 
[+]

Entropy:
6.3938

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{9e8f3dfc-4537-4391-a682-16d2636a7838}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI


herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.