{b525993a-167d-44eb-9f03-5966d1af451f}w64.sys

crimsolite

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {b525993a-167d-44eb-9f03-5966d1af451f}w64.sys by crimsolite has been detected as adware by 25 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{b525993a-167d-44eb-9f03-5966d1af451f}w64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by crimsolite)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
200cd8dda78eddb70babd62fef141f87

SHA-1:
89f3248c7472bea5fbb7d3e4c2110079feb827d6

SHA-256:
0eafcc8eb44a9fd1a2ad0fdf9e273df3db0e45bea1271d54160f14ca1c8e4bdf

Scanner detections:
25 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/27/2024 1:11:06 AM UTC

Scan engine             Detection                   Engine version
Lavasoft Ad-Aware       Adware.SwiftBrowse.CH       361
Agnitum Outpost         Riskware.Agent              7.1.1
Avira AntiVirus         TR/Dropper.Gen              7.11.30.172
avast!                  Win32:BrowseFox-DC [PUP]    2014.9-160209
AVG                     Adware AdPlugin             2017.0.2839
Baidu Antivirus         Adware.Win32.BrowseFox      4.0.3.1629
Bitdefender             Adware.SwiftBrowse.CH       1.0.20.200
Bkav FE                 W64.HfsAdware               1.3.0.6379
Clam AntiVirus          Win.Adware.Swiftbrowse-497  0.98/21411
Dr.Web                  Trojan.BPlug.123            9.0.1.040
Emsisoft Anti-Malware   Adware.SwiftBrowse.CH       8.16.02.09.03
F-Prot                  W64/A-89938c80              v6.4.7.1.166
F-Secure                Adware.SwiftBrowse.CH       11.2016-09-02_3
G Data                  Adware.SwiftBrowse.CH       16.2.25
IKARUS anti.virus       AdWare.SpadeCast            t3scan.1.6.1.0
K7 AntiVirus            Trojan                      13.185.13888
McAfee                  Artemis!222D1202CD73        5600.6495
MicroWorld eScan        Adware.SwiftBrowse.CH       17.0.0.120
Norman                  Adware.SwiftBrowse.CH       11.20160209
nProtect                Adware.SwiftBrowse.CH       14.11.04.01
Reason Heuristics       PUP.Yontoo.crimsolite (M)   16.2.9.3
Sophos                  BrowseSmart                 4.98
SUPERAntiSpyware        Adware.BrowseFox/Variant    9335
VIPRE Antivirus         Threat.4150696              39676
Zillya! Antivirus       Adware.Yotoon.Win64.14      2.0.0.1975

File size:
47.7 KB (48,832 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{b525993a-167d-44eb-9f03-5966d1af451f}w64.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
11/26/2013 10:00:00 PM

Valid to:
11/27/2014 9:59:59 PM

Subject:
CN=crimsolite, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=crimsolite, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
02CCA1F2B8F504106134601E82CFA150

File PE Metadata
Compilation timestamp:
9/22/2014 4:01:54 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:lW7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD348Z:YFID6EGnLA8AFJTNEVmD4

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{b525993a-167d-44eb-9f03-5966d1af451f}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI