visualdiscovery.exe

VisualDiscovery.exe

Superfish Inc.

The application visualdiscovery.exe by Superfish has been detected as adware by 19 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “VisualDiscovery”. While running, it connects to the Internet address 123-125-232-198.static.unitasglobal.net on port 443.
Publisher:
Superfish, Inc.  (signed by Superfish Inc.)

Product:
VisualDiscovery.exe

Version:
2.2.9.3

MD5:
090506c596d1dd52ddfa70c22217b259

SHA-1:
99af9cfc7ab47f847103b5497b746407dc566963

SHA-256:
5c0b244ca49b193ace33417d2ea40fc9761daa91f1d32229d345205d591a0d83

Scanner detections:
19 / 68

Status:
Adware

Analysis date:
12/25/2024 4:54:25 PM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Adware.Agent.PHZ
712

Avira AntiVirus
TR/Spy.ZBot.ams
7.11.168.254

avast!
Win32:Adware-gen [Adw]
2014.9-150223

AVG
Superfish.4d6
2016.0.3190

Bitdefender
Adware.Agent.PHZ
1.0.20.270

Dr.Web
Adware.Superfish.1
9.0.1.054

Emsisoft Anti-Malware
Adware.Agent.PHZ
8.15.02.23.12

ESET NOD32
Win32/Adware.SuperFish
9.11211

F-Secure
Adware.Agent.PHZ
11.2015-23-02_2

G Data
Adware.Agent.PHZ
15.2.25

IKARUS anti.virus
Trojan.Spy.ZBot
t3scan.1.7.5.0

K7 AntiVirus
Adware
13.197.15041

Malwarebytes
PUP.Optional.SuperFish
v2015.02.23.12

MicroWorld eScan
Adware.Agent.PHZ
16.0.0.162

Qihoo 360 Security
Win32/Trojan.Spy.ec5
1.0.0.1015

Reason Heuristics
PUP.Service.Superfish
15.3.1.9

Sophos
SuperFish
4.98

Trend Micro House Call
ADW_SUPERFISH
7.2.54

Trend Micro
ADW_SUPERFISH
10.465.23

File size:
1.3 MB (1,354,296 bytes)

Product version:
2.2.9.3

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\lenovo\visualdiscovery\visualdiscovery.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
7/28/2013 8:00:00 PM

Valid to:
7/27/2014 7:59:59 PM

Subject:
CN=Superfish Inc., O=Superfish Inc., L=Grandville, S=Michigan, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
3E32431476CFB3E1F90955B25396A6F4

File PE Metadata
Compilation timestamp:
6/21/2014 11:35:25 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
9.0

CTPH (ssdeep):
24576:cgezVaT9rWd9G8MuGqx0jpD2NMPaA5SN6Yw5CPZ4cUoKH+ugJ8EDL:cfATlWdauGqx0uoBCPdUoU8DL

Entry address:
0x359F

Entry point:
E8, E8, 3B, 00, 00, E9, A4, FE, FF, FF, 8B, FF, 55, 8B, EC, 5D, E9, 69, 0C, 00, 00, 8B, FF, 56, 6A, 01, 68, 68, 90, 41, 00, 8B, F1, E8, 23, 10, 00, 00, C7, 06, F4, 32, 41, 00, 8B, C6, 5E, C3, C7, 01, F4, 32, 41, 00, E9, 88, 10, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, F1, C7, 06, F4, 32, 41, 00, E8, 75, 10, 00, 00, F6, 45, 08, 01, 74, 07, 56, E8, B0, FF, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, F4, 0F, 00, 00, C7, 06, F4, 32, 41, 00, 8B, C6, 5E, 5D, C2, 04, 00, 8B...
 
[+]

Entropy:
7.9798  (probably packed)

Code size:
64.5 KB (66,048 bytes)

Service
Display name:
VisualDiscovery

Description:
VisualDiscovery Service

Type:
Win32OwnProcess

Depends on:
RPCSS


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to unknown.telstraglobal.net  (210.176.156.35:80)

TCP (HTTP):

TCP (HTTP):
Connects to usve252756.serverprofi24.net  (209.126.98.209:80)

TCP (HTTP):
Connects to a23-35-214-194.deploy.static.akamaitechnologies.com  (23.35.214.194:80)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-lhr3.facebook.com  (31.13.90.36:443)

TCP (HTTP SSL):
Connects to a23-0-179-83.deploy.static.akamaitechnologies.com  (23.0.179.83:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-fra3.fbcdn.net  (31.13.93.7:443)

TCP (HTTP SSL):
Connects to xx-fbcdn-shv-01-amt2.fbcdn.net  (31.13.64.21:443)

TCP:
Connects to tw142-static150.tw1.com  (119.63.142.150:8989)

TCP (HTTP):
Connects to s-prd-umpxl-adcom-scd-blue-b.evip.aol.com  (149.174.66.131:80)

TCP (HTTP SSL):
Connects to edge-z-1-p2-shv-01-amt2.facebook.com  (31.13.64.41:443)

TCP (HTTP SSL):
Connects to edge-z-1-p2-shv-01-ams3.facebook.com  (31.13.91.40:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-amt2.facebook.com  (31.13.64.16:443)

TCP (HTTP SSL):
Connects to edge-star-shv-01-ams3.facebook.com  (31.13.91.2:443)

TCP (HTTP SSL):
Connects to ec2-52-213-128-10.eu-west-1.compute.amazonaws.com  (52.213.128.10:443)

TCP (HTTP SSL):
Connects to dh-in-f138.1e100.net  (209.85.203.138:443)

TCP (HTTP):
Connects to a23-74-228-201.deploy.static.akamaitechnologies.com  (23.74.228.201:80)

TCP (HTTP):

TCP (HTTP):
Connects to a23-51-139-205.deploy.static.akamaitechnologies.com  (23.51.139.205:80)

TCP (HTTP):
Connects to a23-35-213-109.deploy.static.akamaitechnologies.com  (23.35.213.109:80)

Remove visualdiscovery.exe - Powered by Reason Core Security