» {fef7f75c-f985-4250-96f9-8183cd04238b}gw64.sys
Overview
Analysis
File Details
Behaviors (1)

{fef7f75c-f985-4250-96f9-8183cd04238b}gw64.sys

SunriseBrowse

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file {fef7f75c-f985-4250-96f9-8183cd04238b}gw64.sys by SunriseBrowse has been detected as adware by 27 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “{fef7f75c-f985-4250-96f9-8183cd04238b}Gw64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.

File name:

Publisher:

StdLib (signed by SunriseBrowse)

Product:

StdLib

Version:

1.4.3.1 built by: WinDDK

MD5:

a668e8012ccc48f90dba64111030d948

SHA-1:

ffd02cabaaf306686d5332e9b2aee22e07e0e500

SHA-256:

6e2f16cd161c22424432dd4ff0ef66d9d13642e69cf738df82c4d895153da7c8

Scanner detections:

27 / 68

Status:

Adware

Explanation:

Injects advertising in the web browser in various formats.

Analysis date:

4/26/2024 3:54:55 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Adware.SwiftBrowse.BV

799

Agnitum Outpost

Riskware.NetFilter

7.1.1

AhnLab V3 Security

Trojan/Win64.SwiftBrowse

2014.10.08

Avira AntiVirus

Adware/BrowseFox.aoh

7.11.182.116

AVG

Generic

2015.0.3277

Baidu Antivirus

Adware.Win64.BrowseFox

4.0.3.141128

Bitdefender

Adware.SwiftBrowse.BV

1.0.20.1660

Clam AntiVirus

Win.Adware.Swiftbrowse-284

0.98/21411

Dr.Web

Trojan.BPlug.123

9.0.1.0332

Emsisoft Anti-Malware

Adware.SwiftBrowse.BV

8.14.11.28.02

ESET NOD32

Win64/BrowseFox (variant)

8.10578

Fortinet FortiGate

Adware/BrowseFox

11/28/2014

F-Prot

W64/A-abca7297

v6.4.7.1.166

F-Secure

Adware.SwiftBrowse.BV

11.2014-28-11_6

G Data

Adware.SwiftBrowse.BV

14.11.24

IKARUS anti.virus

AdWare.SwiftBrowse

t3scan.1.7.5.0

K7 AntiVirus

Trojan

13.184.13704

McAfee

Artemis!A668E8012CCC

5600.6933

MicroWorld eScan

Adware.SwiftBrowse.BV

15.0.0.996

NANO AntiVirus

Riskware.Win64.NetFilter.dgqegm

0.28.2.62671

nProtect

Adware.SwiftBrowse.BV

14.10.07.01

Reason Heuristics

PUP.SunriseBrowse.n

14.11.28.2

Rising Antivirus

PE:Trojan.Win32.Generic.17271D65!388439397

23.00.65.141126

Sophos

BrowseSmart

4.98

Trend Micro House Call

Suspicious_GEN.F47V1002

7.2.332

VIPRE Antivirus

Trojan.Win32.Generic

33718

Zillya! Antivirus

Adware.Yotoon.Win64.3

2.0.0.1906

File size:

43.6 KB (44,696 bytes)

Product version:

1.4.3.1

Original file name:

StdLib.sys

File type:

Driver (Win64 SYS)

Language:

English (United States)

Common path:

C:\Windows\System32\drivers\{fef7f75c-f985-4250-96f9-8183cd04238b}gw64.sys

Digital Signature

Signed by:

SunriseBrowse

Authority:

VeriSign, Inc.

Valid from:

8/4/2014 5:00:00 PM

Valid to:

8/5/2015 4:59:59 PM

Subject:

CN=SunriseBrowse, O=SunriseBrowse, L=Santa Monica, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

0EB7B556E015257902A5C4786A7BEA23

File PE Metadata

Compilation timestamp:

9/12/2014 4:33:02 PM

OS version:

6.1

OS bitness:

Win64

Subsystem:

Native (none required)

Linker version:

9.0

CTPH (ssdeep):

768:ugLmaZF8aSQ7DwZmEhzg8ClFHeDrTdRfsQCa5075YLwidHguxV:B5ZEQI8E7ClquaC759E3xV

Entry address:

0xB064

Entry point:

48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, C6, 60, FF, FF, CC, CC, 38, B2, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 1C, B6, 00, 00, 60, 81, 00, 00, 28, B1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BE, B9, 00, 00, 50, 80, 00, 00, D8, B0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, B6, BA, 00, 00, 00, 80, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 9A, BA, 00, 00, 00, 00, 00, 00, 86, BA, 00, 00... 
[+]

Entropy:

6.3750

Code size:

30.5 KB (31,232 bytes)

Driver

Display name:

{fef7f75c-f985-4250-96f9-8183cd04238b}Gw64

Type:

Kernel device driver (KernelDriver)

Group:

PNP_TDI

Remove {fef7f75c-f985-4250-96f9-8183cd04238b}gw64.sys - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.