{f2944598-b89f-4e10-b544-5173761572df}w.sys

Ace Race

This file is part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The file {f2944598-b89f-4e10-b544-5173761572df}w.sys by Ace Race has been detected as adware by 26 anti-malware scanners. It runs as a Windows kernel mode device driver named “{f2944598-b89f-4e10-b544-5173761572df}w”. It plugs into the web browser and displays context-based advertisements, either by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib (signed by Ace Race)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
973767f9f841db608ba5093293d27e04

SHA-1:
5b2fbf4ab3f6aed8167e8bd15ae4b5ded9654e8c

SHA-256:
c6a062396a93714c198de3f280d6055133c10b01df4f9d768a8e9211beb5f8ca

Scanner detections:
26 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/26/2024 7:18:24 PM UTC

Scan engine | Detection | Engine version
Lavasoft Ad-Aware | Adware.BrowseFox.V | 551
Agnitum Outpost | PUA.BrowseFox | 7.1.1
AhnLab V3 Security | Win-PUP/BrowseFox.Gen | 2015.01.30
Avira AntiVirus | Adware/BrowseFox.A.1227 | 7.11.205.220
AVG | Generic | 2016.0.3029
Baidu Antivirus | Adware.Win32.BrowseFox | 4.0.3.1583
Bitdefender | Adware.BrowseFox.V | 1.0.20.1075
Bkav FE | W32.HfsAdware | 1.3.0.6379
Clam AntiVirus | Win.Adware.Netfilter-134 | 0.98/20296
Comodo Security | TrojWare.Win32.AltBrowse.IZZV | 20890
Dr.Web | Trojan.Yontoo.1742 | 9.0.1.0215
Emsisoft Anti-Malware | Adware.BrowseFox.V | 8.15.08.03.05
ESET NOD32 | Win32/NetFilter.A potentially unsafe application | 9.7.0.302.0
F-Prot | W32/S-a7161e1c | v6.4.7.1.166
F-Secure | Adware.BrowseFox.V | 11.2015-03-08_2
G Data | Adware.BrowseFox | 15.8.25
K7 AntiVirus | Unwanted-Program | 13.193.14803
MicroWorld eScan | Adware.BrowseFox.V | 16.0.0.645
NANO AntiVirus | Riskware.Win32.NetFilter.dgkdox | 0.30.0.65070
Norman | Adware.BrowseFox.V | 11.20150908
nProtect | Adware.BrowseFox.V | 15.04.07.01
Reason Heuristics | PUP.Yontoo.AceRace (M) | 15.8.3.5
Vba32 AntiVirus | AdWare.Win64.Yotoon | 3.12.26.3
VIPRE Antivirus | Threat.4150696 | 38882
Zillya! Antivirus | Backdoor.CPEX.Win32.29350 | 2.0.0.2049

File size:
42.1 KB (43,152 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win32 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{f2944598-b89f-4e10-b544-5173761572df}w.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/7/2014 5:00:00 AM

Valid to:
10/8/2015 4:59:59 AM

Subject:
CN=Ace Race, O=Ace Race, L=Santa Monica, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
47DF877938071D6194F321723076892E

File PE Metadata
Compilation timestamp:
1/29/2015 11:34:18 PM

OS version:
6.1

OS bitness:
Win32

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:DN0457WBZwpHs63E+X7BIrTsCEziDH+JgrVJddhuX:JhUcpH/0+LCf7EziDHhdQ

Entry address:
0xA03E

Entry point:
8B, FF, 55, 8B, EC, E8, BD, FF, FF, FF, 5D, E9, 20, 70, FF, FF, CC, CC, 94, A1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, CE, A4, 00, 00, E0, 80, 00, 00, B4, A0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 24, A5, 00, 00, 00, 80, 00, 00, EC, A0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, A4, A9, 00, 00, 38, 80, 00, 00, C4, A0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9C, AA, 00, 00, 10, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, FC, A4, 00, 00, 10, A5, 00, 00, E8, A4...

Entropy:
6.6139

Code size:
28 KB (28,672 bytes)

Driver
Display name:
{f2944598-b89f-4e10-b544-5173761572df}w

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI
Remove {f2944598-b89f-4e10-b544-5173761572df}w.sys - Powered by Reason Core Security