{e4c6b00c-d06e-4877-9f09-d92a224047b5}w64.sys

Rock Turner

Part of the Yontoo adware family, a browser add-on that injects unwanted advertisements into web pages. The file {e4c6b00c-d06e-4877-9f09-d92a224047b5}w64.sys, signed by Rock Turner, has been flagged as adware by 27 of the 68 anti-malware scanners listed below. It is a 64-bit Windows kernel-mode device driver registered as the service "{e4c6b00c-d06e-4877-9f09-d92a224047b5}w64" in the PNP_TDI load-order group and typically found under C:\Windows\System32\drivers\. The adware it belongs to hooks into the web browser and displays context-based advertisements, either overwriting the ads already on a page or inserting new ones. The driver carries a VeriSign Class 3 code-signing signature issued to "Rock Turner"; a signature chaining to a trusted root is what 64-bit Windows requires before it will load a kernel driver, so the signature explains how the driver gets loaded, not whether it is wanted. The certificate's validity period (3/14/2014 to 3/15/2015) ended less than two months after the 1/25/2015 build.
Publisher:
StdLib  (signed by Rock Turner)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
cafe88ccc7579c74b74cccb14ea2fb40

SHA-1:
85abb3b17145cfe5609e5230ffe12504bb14c399

SHA-256:
c5858982e030892b8c928b423a8c01ad77d2753846b658c46bbfa0275a145a08

Scanner detections:
27 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/19/2024 10:45:07 AM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.SwiftBrowse.CH | 355
Agnitum Outpost | Riskware.Agent | 7.1.1
AhnLab V3 Security | Win-PUP/BrowseFox.Gen | 2015.01.11
avast! | Win32:BrowseFox-EW [PUP] | 2014.9-160214
AVG | Adware AdPlugin | 2017.0.2833
Baidu Antivirus | Adware.Win32.BrowseFox | 4.0.3.16214
Bitdefender | Adware.SwiftBrowse.CH | 1.0.20.225
Bkav FE | W64.HfsAdware | 1.3.0.6379
Clam AntiVirus | Win.Adware.Swiftbrowse-497 | 0.98/20543
Dr.Web | Trojan.Yontoo.1734 | 9.0.1.045
Emsisoft Anti-Malware | Adware.SwiftBrowse.CH | 8.16.02.14.03
ESET NOD32 | Win64/BrowseFox.J potentially unwanted application | 10.7.0.302.0
F-Prot | W64/A-59c9c70a | v6.4.7.1.166
F-Secure | Adware.SwiftBrowse.CH | 11.2016-14-02_1
G Data | Adware.SwiftBrowse.CH | 16.2.24
K7 AntiVirus | Adware | 13.204.16122
McAfee | Program.Artemis!231184C1D706 | 5600.6489
MicroWorld eScan | Adware.SwiftBrowse.CH | 17.0.0.135
NANO AntiVirus | Trojan.Win64.Yontoo.dqcvka | 0.30.24.1636
Norman | Adware.SwiftBrowse.CH | 11.20160214
nProtect | Adware.SwiftBrowse.CH | 15.01.09.01
Reason Heuristics | PUP.Yontoo.RockTurner (M) | 16.2.14.15
SUPERAntiSpyware | Adware.BrowseFox/Variant | 9324
Trend Micro House Call | TROJ_GEN.R08NC0ODU15 | 7.2.45
Trend Micro | TROJ_GEN.R08NC0ODU15 | 10.465.14
VIPRE Antivirus | Threat.4150696 | 36468
Zillya! Antivirus | Adware.Yotoon.Win64.14 | 2.0.0.2031

File size:
47.7 KB (48,832 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{e4c6b00c-d06e-4877-9f09-d92a224047b5}w64.sys

Digital Signature
Signed by:
Rock Turner

Authority:
VeriSign, Inc.

Valid from:
3/14/2014 7:00:00 AM

Valid to:
3/15/2015 6:59:59 AM

Subject:
CN=Rock Turner, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Rock Turner, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
71A33D3A2D147E26FB179221834AF81F

File PE Metadata
Compilation timestamp:
1/25/2015 10:31:19 PM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:lD7G2EjsnyXeOUEGG0LA8tWFZuL470h6aqxcCT2kvsVRwlZD3I/F:JFID6EGnLA8AFJTNEVmDW

Entry address:
0xC064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, E2, 50, FF, FF, CC, CC, 78, C2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 54, C6, 00, 00, A0, 91, 00, 00, 28, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, DA, CA, 00, 00, 50, 90, 00, 00, D8, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, D2, CB, 00, 00, 00, 90, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, CB, 00, 00, 00, 00, 00, 00, A2, CB, 00, 00...

Entropy:
6.3949

Code size:
34.5 KB (35,328 bytes)

Driver
Display name:
{e4c6b00c-d06e-4877-9f09-d92a224047b5}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI
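As an added example (not code from the original report, nor from the Yontoo/StdLib authors), the Python below turns the indicators on this page into a check a responder can run against a file pulled from C:\Windows\System32\drivers\: it hashes the file and compares the result with the MD5/SHA-1/SHA-256 listed above, parses the COFF and optional headers to recover the compilation timestamp, linker version, target OS version, subsystem, entry RVA and code size the report lists, and checks the build timestamp against the signer certificate's validity window. Since no copy of the real driver can ship with the page, `build_sample_pe()` constructs a synthetic PE32+ header carrying the report's metadata values; its hashes deliberately do not match the IOCs, which is the point of the first check: header metadata is easy to reproduce, the content hashes are not. All function names and the synthetic header are this example's own assumptions.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Indicators copied from the report above; everything else in this block is an
# added, constructed example and not code from the original page.
IOC_HASHES = {
    "md5": "cafe88ccc7579c74b74cccb14ea2fb40",
    "sha1": "85abb3b17145cfe5609e5230ffe12504bb14c399",
    "sha256": "c5858982e030892b8c928b423a8c01ad77d2753846b658c46bbfa0275a145a08",
}
IOC_DRIVER_NAME = "{e4c6b00c-d06e-4877-9f09-d92a224047b5}w64"
CERT_NOT_BEFORE = datetime(2014, 3, 14, 7, 0, 0, tzinfo=timezone.utc)
CERT_NOT_AFTER = datetime(2015, 3, 15, 6, 59, 59, tzinfo=timezone.utc)

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}
SUBSYSTEM_NAMES = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the file contents, lower-case hex as in the report."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matching_iocs(data: bytes) -> set:
    """Which of the report's hashes these bytes reproduce (empty set = no match)."""
    digests = hash_bytes(data)
    return {alg for alg, value in IOC_HASHES.items() if digests[alg] == value}


def parse_pe_header(data: bytes) -> dict:
    """Recover the COFF/optional-header fields the report lists from a PE image.

    Offsets follow the PE/COFF specification. Every optional-header field read
    here sits at the same offset in PE32 and PE32+; the two layouts only diverge
    after DllCharacteristics (offset 72), which this parser does not reach.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, _nsect, ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size == 0:
        raise ValueError("no optional header (object file, not an image)")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    linker_major, linker_minor = struct.unpack_from("<BB", data, opt + 2)
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "compiled_at": datetime.fromtimestamp(ts, tz=timezone.utc),
        "linker_version": f"{linker_major}.{linker_minor}",
        "os_version": f"{os_major}.{os_minor}",
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "entry_rva": entry_rva,
        "code_size": size_of_code,
    }


def compiled_inside_cert_window(compiled_at: datetime) -> bool:
    """A build stamped outside the signer's validity window deserves a closer look."""
    return CERT_NOT_BEFORE <= compiled_at <= CERT_NOT_AFTER


def build_sample_pe() -> bytes:
    """Constructed PE32+ header carrying the metadata values the report lists.

    Synthetic test input: it contains no code and its hashes will not match the IOCs.
    """
    ts = int(datetime(2015, 1, 25, 22, 31, 19, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 240, 0x0022)  # x64, 240-byte optional header
    opt = struct.pack("<HBBIIIIIQ", 0x20B, 9, 0, 35328, 0, 0, 0xC064, 0x1000, 0x10000)
    opt += struct.pack("<II", 0x1000, 0x200)                      # section / file alignment
    opt += struct.pack("<HHHHHH", 6, 1, 0, 0, 6, 1)               # OS, image, subsystem versions
    opt += struct.pack("<IIIIHH", 0, 0x10000, 0x400, 0, 1, 0)     # ..., Subsystem=1 (Native), DllCharacteristics
    opt = opt.ljust(240, b"\0")
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    sample = build_sample_pe()
    fields = parse_pe_header(sample)
    print("IOC hash matches:", matching_iocs(sample) or "none")
    for key, value in fields.items():
        print(f"{key:>14}: {value}")
    print("compiled inside cert window:", compiled_inside_cert_window(fields["compiled_at"]))
```

On a real sample, call `parse_pe_header(open(path, "rb").read())` and `matching_iocs(...)` on the same bytes. A compile timestamp inside the certificate window is what a legitimately signed build looks like and is only a weak signal; a timestamp after the certificate expired or before it was issued is the case worth chasing. Note that an Authenticode signature carrying a trusted timestamp countersignature stays valid after the signing certificate expires, so the 3/15/2015 expiry does not by itself stop this driver from loading.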