» tstlibg64.sys
Overview
Analysis
File Details
Behaviors (1)

tstlibg64.sys

lucky leap

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file tstlibg64.sys by lucky leap has been detected as adware by 18 anti-malware scanners. It runs as a Windows 64-bit kernel mode device driver named “tStLibG64”. It will plug into the web browser and display context-based advertisements by overwriting existing ads or by inserting new ones on various web pages.

File name:

tstlibg64.sys

Publisher:

StdLib (signed by lucky leap)

Product:

StdLib

Version:

1.4.3.1 built by: WinDDK

MD5:

fba150f2aa1fb4914c7607c122fedd97

SHA-1:

5351820e4811e2b0c50026e9cfdc89627fca2544

SHA-256:

0395d713aedf7e5d99f88327c23647dcb31cf3115972fb5e4a19284a44ac30fa

Scanner detections:

18 / 68

Status:

Adware

Explanation:

Injects advertising in the web browser in various formats.

Analysis date:

4/19/2024 8:55:21 AM UTC (today)

Scan engine

Detection

Engine version

Agnitum Outpost

PUA.Agent

7.1.1

AhnLab V3 Security

Win-PUP/BrowseFox.Gen

2015.03.31

avast!

Win32:BrowseFox-CY [PUP]

150319-1

AVG

NetCrawl

2016.0.3154

Baidu Antivirus

Adware.Win32.BrowseFox

4.0.3.1574

Bkav FE

W64.HfsAdware

1.3.0.6379

Clam AntiVirus

Win.Adware.Swiftbrowse-8

0.98/21411

Dr.Web

Trojan.BPlug.123

9.0.1.0185

ESET NOD32

Win64/NetFilter.A potentially unsafe application

7.0.302.0

F-Prot

W64/A-7883d091

v6.4.7.1.166

herdProtect (fuzzy)

variant of {57f143ae-1ecd-493d-9ddb-32c45a3cecd5}gt64.sys (Adware)

2015.7.4.20

IKARUS anti.virus

PUA.Elex

t3scan.1.7.5.0

McAfee

Artemis!0DAFC2CAD167

5600.6714

Reason Heuristics

PUP.Yontoo

15.3.30.22

Sophos

Lucky Leap

4.98

Trend Micro House Call

Suspicious_GEN.F47V0807

7.2.185

VIPRE Antivirus

Trojan.Win32.Generic

32220

Zillya! Antivirus

Adware.Yotoon.Win64.9

2.0.0.2122

File size:

58.7 KB (60,096 bytes)

Product version:

1.4.3.1

Original file name:

StdLib.sys

File type:

Driver (Win64 SYS)

Language:

English (United States)

Common path:

C:\Windows\System32\drivers\tstlibg64.sys

Digital Signature

Signed by:

lucky leap

Authority:

VeriSign, Inc.

Valid from:

8/12/2013 7:00:00 PM

Valid to:

8/13/2015 6:59:59 PM

Subject:

CN=lucky leap, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=lucky leap, L=San Diego, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

6A5011DFCDBB457548BCC92ED7587788

File PE Metadata

Compilation timestamp:

1/30/2014 6:46:41 PM

OS version:

6.1

OS bitness:

Win64

Subsystem:

Native (none required)

Linker version:

9.0

CTPH (ssdeep):

1536:ZA0Ep72J9xc1JUzUPU/qnIy4fNwQKZzrtW+DGt:S0G72J8YvqIy4fNwQKNrtNDGt

Entry address:

0x10064

Entry point:

48, 83, EC, 28, 4C, 8B, C2, 4C, 8B, C9, E8, 95, FF, FF, FF, 49, 8B, D0, 49, 8B, C9, 48, 83, C4, 28, E9, 8E, B3, FF, FF, CC, CC, D0, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 40, 05, 01, 00, 10, C0, 00, 00, C0, 00, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 62, 05, 01, 00, 00, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 4E, 05, 01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 3C, 02, 01, 00, 00, 00, 00, 00, 50, 02, 01, 00, 00, 00, 00, 00, 6E, 02, 01, 00... 
[+]

Entropy:

6.4031

Code size:

45 KB (46,080 bytes)

Driver

Display name:

tStLibG64

Type:

Kernel device driver (KernelDriver)

Group:

PNP_TDI

Remove tstlibg64.sys - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.