{f551efce-3692-4ed5-8201-c1c7dbef1744}w64.sys

GreyGray

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads into the browser. The file {f551efce-3692-4ed5-8201-c1c7dbef1744}w64.sys, published by GreyGray, has been detected as adware by 25 of 68 anti-malware scanners. It runs as a Windows 64-bit kernel-mode device driver named “{f551efce-3692-4ed5-8201-c1c7dbef1744}w64”. It plugs into the web browser and displays context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib (signed by GreyGray)

Product:
StdLib

Version:
1.4.3.1 built by: WinDDK

MD5:
5958cbaeb9b9e599f4b92ebdb047f292

SHA-1:
a76ef786c52a97114b929cf69a9b49a2a4f387e8

SHA-256:
41b1a55fb3e6e12a69b26343c5ff1230d1086b62cdd209804be018014c6d6fb7

Scanner detections:
25 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/19/2024 11:16:50 AM UTC

Scan engine             Detection                               Engine version
Lavasoft Ad-Aware       Adware.SwiftBrowse.BV                   368
Agnitum Outpost         Trojan.BPlug                            7.1.1
AhnLab V3 Security      Trojan/Win64.SwiftBrowse                2014.09.25
avast!                  Win32:BrowseFox-ED [PUP]                2014.9-160201
AVG                     MalSign.GreyGray                        2017.0.2846
Baidu Antivirus         Adware.Win32.BrowseFox                  4.0.3.1621
Bitdefender             Adware.NetFilter.E                      1.0.20.160
Bkav FE                 W64.HfsAdware                           1.3.0.6379
Clam AntiVirus          Win.Adware.Swiftbrowse-75               0.98/21411
Dr.Web                  Trojan.Yontoo.1734                      9.0.1.032
Emsisoft Anti-Malware   Adware.SwiftBrowse.BV                   8.16.02.01.05
ESET NOD32              Win64/Riskware.NetFilter.F application  10.7.0.302.0
F-Prot                  W64/A-a8e2f748                          v6.4.7.1.166
F-Secure                Adware.SwiftBrowse.BV                   11.2016-01-02_2
G Data                  Adware.NetFilter                        16.2.24
IKARUS anti.virus       AdWare.SpadeCast                        t3scan.1.6.1.0
McAfee                  Artemis!68667DA03360                    5600.6502
MicroWorld eScan        Adware.NetFilter.E                      17.0.0.96
Norman                  Adware.SwiftBrowse.BV                   11.20160201
nProtect                Adware.NetFilter.E                      14.09.24.01
Reason Heuristics       PUP.Yontoo.GreyGray (M)                 16.2.1.17
Sophos                  PUA 'BrowseSmart' (of type Adware)      59
Trend Micro House Call  Suspicious_GEN.F47V0622                 7.2.32
VIPRE Antivirus         Trojan.Win32.Generic                    33398
Zillya! Antivirus       Adware.Yotoon.Win64.3                   2.0.0.1930

File size:
43.7 KB (44,728 bytes)

Product version:
1.4.3.1

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win64 SYS)

Language:
English (United States)

Common path:
C:\Windows\System32\drivers\{f551efce-3692-4ed5-8201-c1c7dbef1744}w64.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
9/19/2013 2:00:00 AM

Valid to:
9/20/2015 1:59:59 AM

Subject:
CN=GreyGray, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=GreyGray, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
23FF62A16C638B371A4AB98A8F876E8B

File PE Metadata
Compilation timestamp:
9/13/2014 1:33:02 AM

OS version:
6.1

OS bitness:
Win64

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:0gLmaZF8aSQ7DwZmEhzg8ClFHeDrTdRfsQCa5075YLwidHgLM8:H5ZEQI8E7ClquaC759E6t

Entry address:
0xB064

Entry point:
48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, C6, 60, FF, FF, CC, CC, 38, B2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 1C, B6, 00, 00, 60, 81, 00, 00, 28, B1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BE, B9, 00, 00, 50, 80, 00, 00, D8, B0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, BA, 00, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9A, BA, 00, 00, 00, 00, 00, 00, 86, BA, 00, 00...

Code size:
30.5 KB (31,232 bytes)

Driver
Display name:
{f551efce-3692-4ed5-8201-c1c7dbef1744}w64

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI