» wstlibg.sys
Overview
Analysis
File Details
Behaviors (1)

wstlibg.sys

ResultsAlpha

Part of the Yontoo adware component, a web browser plugin that injects unwanted ads in the browser. The file wstlibg.sys by ResultsAlpha has been detected as adware by 10 anti-malware scanners. It runs as a Windows kernel mode device driver named “wStLibG”.

File name:

wstlibg.sys

Publisher:

StdLib (signed by ResultsAlpha)

Product:

StdLib

Version:

1.4.3.1 built by: WinDDK

MD5:

c5fb3e3d6765403c8159d629a4a9d9d8

SHA-1:

8afd0b3a9e17ddfeaaa7b15f791af2b86d6e05f8

SHA-256:

b47ff95eb692d7d794e730e3efc245f92379f9e0d00b7184b5dd1f8e8e839529

Scanner detections:

10 / 68

Status:

Adware

Explanation:

Belongs to the Sambreel/Yontoo progam that inserts various forms of advertising in the user's web browser, installed with minimal or no user consent.

Analysis date:

5/10/2024 7:24:17 PM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Adware.SwiftBrowse.J

945

AVG

Generic

2015.0.3423

Bitdefender

Adware.SwiftBrowse.J

1.0.20.930

Emsisoft Anti-Malware

Adware.SwiftBrowse

8.14.07.05.05

F-Secure

Adware.SwiftBrowse.J

11.2014-05-07_7

G Data

Adware.SwiftBrowse

14.7.24

MicroWorld eScan

Adware.SwiftBrowse.J

15.0.0.558

nProtect

Adware.SwiftBrowse.J

14.07.04.01

Reason Heuristics

PUP.ResultsAlpha.K

14.8.8.0

VIPRE Antivirus

Threat.4150696

29708

File size:

51.7 KB (52,928 bytes)

Product version:

1.4.3.1

Original file name:

StdLib.sys

File type:

Driver (Win32 SYS)

Language:

English (United States)

Common path:

C:\Windows\System32\drivers\wstlibg.sys

Digital Signature

Signed by:

ResultsAlpha

Authority:

VeriSign, Inc.

Valid from:

10/7/2013 2:00:00 AM

Valid to:

10/8/2014 1:59:59 AM

Subject:

CN=ResultsAlpha, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=ResultsAlpha, L=San Diego, S=California, C=US

Issuer:

CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:

469743F6036CB7B569DBDE100D5C126B

File PE Metadata

Compilation timestamp:

1/31/2014 1:45:28 AM

OS version:

6.1

OS bitness:

Win32

Subsystem:

Native (none required)

Linker version:

9.0

CTPH (ssdeep):

768:AIsHpnKHCBSqUPJHKQpkJxpKwT2bcWiJmOtX3g2rp3lnryHrtv:3sHRKHLJqQpkYwTsiTtXxtyrp

Entry address:

0xC03E

Entry point:

8B, FF, 55, 8B, EC, E8, BD, FF, FF, FF, 5D, E9, 62, 50, FF, FF, CC, CC, 74, C1, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, BC, C4, 00, 00, C0, A0, 00, 00, B4, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 12, C5, 00, 00, 00, A0, 00, 00, EC, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, AE, C8, 00, 00, 38, A0, 00, 00, C4, C0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, A6, C9, 00, 00, 10, A0, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, EA, C4, 00, 00, FE, C4, 00, 00, D6, C4... 
[+]

Code size:

37 KB (37,888 bytes)

Driver

Display name:

wStLibG

Type:

Kernel device driver (KernelDriver)

Group:

PNP_TDI

Remove wstlibg.sys - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.