{fc8decf5-c269-4b18-87f1-c395dfcbd88f}w.sys

Source App

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {fc8decf5-c269-4b18-87f1-c395dfcbd88f}w.sys by Source App has been detected as adware by 20 anti-malware scanners. It runs as a Windows kernel mode device driver named “{fc8decf5-c269-4b18-87f1-c395dfcbd88f}w”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.
Publisher:
StdLib  (signed by Source App)

Product:
StdLib

Version:
1.4.4.6 built by: WinDDK

MD5:
23b38b2ea0a30d84c666da741ae3cca8

SHA-1:
6d903c685757a6b1cedbedfe5bdca372fff3b545

SHA-256:
7d6cccb8f8438cfc9759292add6b7392796c4fd5150797d4ee4b2b314ed2cceb

Scanner detections:
20 / 68

Status:
Adware

Explanation:
Injects advertising in the web browser in various formats.

Analysis date:
4/26/2024 1:30:00 AM UTC

Scan engine            Detection                         Engine version
Lavasoft Ad-Aware      Adware.BrowseFox.V                735
Agnitum Outpost        PUA.BrowseFox                     7.1.1
Avira AntiVirus        Adware/BrowseFox.A.1227           7.11.200.92
AVG                    Generic                           2016.0.3213
Baidu Antivirus        Adware.Win32.BrowseFox            4.0.3.15131
Bitdefender            Adware.BrowseFox.V                1.0.20.155
Clam AntiVirus         Win.Adware.Netfilter-134          0.98/21511
Comodo Security        TrojWare.Win32.AltBrowse.IZZV     20652
Emsisoft Anti-Malware  Adware.BrowseFox.V                8.15.01.31.07
F-Prot                 W32/S-a7161e1c                    v6.4.7.1.166
F-Secure               Adware.BrowseFox.V                11.2015-31-01_7
G Data                 Adware.BrowseFox                  15.1.24
Kaspersky              not-a-virus:AdWare.Win32.Yotoon   14.0.0.2558
MicroWorld eScan       Adware.BrowseFox.V                16.0.0.93
NANO AntiVirus         Riskware.Win32.NetFilter.dgkdox   0.30.0.64448
nProtect               Adware.BrowseFox.V                15.01.09.01
Reason Heuristics      PUP.Yontoo                        15.1.31.7
Vba32 AntiVirus        AdWare.Win64.Yotoon               3.12.26.3
VIPRE Antivirus        Trojan.Win32.Generic              36502
Zillya! Antivirus      Backdoor.CPEX.Win32.29350         2.0.0.2029

File size:
42.1 KB (43,152 bytes)

Product version:
1.4.4.6

Copyright:
Copyright © 2013 StdLib

Original file name:
StdLib.sys

File type:
Driver (Win32 SYS)

Common path:
C:\Windows\System32\drivers\{fc8decf5-c269-4b18-87f1-c395dfcbd88f}w.sys

Digital Signature
Signed by:

Authority:
VeriSign, Inc.

Valid from:
10/16/2014 3:00:00 AM

Valid to:
10/17/2015 2:59:59 AM

Subject:
CN=Source App, O=Source App, L=San Diego, S=California, C=US

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
5436973D688F7AF7E3F875CD8B463EDD

File PE Metadata
Compilation timestamp:
1/8/2015 8:36:28 PM

OS version:
6.1

OS bitness:
Win32

Subsystem:
Native (none required)

Linker version:
9.0

CTPH (ssdeep):
768:WN0457WBZwpHs63E+X7BIrTsCEziDH+JgrVJddA/Ie:ahUcpH/0+LCf7EziDHhdgIe

Entry address:
0xA03E

Entry point:
8B, FF, 55, 8B, EC, E8, BD, FF, FF, FF, 5D, E9, 20, 70, FF, FF, CC, CC, 94, A1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, CE, A4, 00, 00, E0, 80, 00, 00, B4, A0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 24, A5, 00, 00, 00, 80, 00, 00, EC, A0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, A4, A9, 00, 00, 38, 80, 00, 00, C4, A0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9C, AA, 00, 00, 10, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, FC, A4, 00, 00, 10, A5, 00, 00, E8, A4...

Entropy:
6.6138

Code size:
28 KB (28,672 bytes)

Driver
Display name:
{fc8decf5-c269-4b18-87f1-c395dfcbd88f}w

Type:
Kernel device driver (KernelDriver)

Group:
PNP_TDI


Remove {fc8decf5-c269-4b18-87f1-c395dfcbd88f}w.sys - Powered by Reason Core Security