visualdiscovery.exe

VisualDiscovery.exe

Superfish Inc.

The application visualdiscovery.exe by Superfish has been detected as adware by 1 anti-malware scanner with very strong indications that the file is a potential threat. It runs as a separate (within the context of its own process) windows Service named “VisualDiscovery”. While running, it connects to the Internet address edge-z-1-p2-shv-01-hkg3.facebook.com on port 443.
Publisher:
Superfish, Inc.  (signed by Superfish Inc.)

Product:
VisualDiscovery.exe

Version:
2.2.9.5

MD5:
63b249ab601b5f8496691ae2954c4677

SHA-1:
cbce16cb808a5d36246c1db8b4e47fdfea6373fa

SHA-256:
171edc09a13ab9d54e90a97b6ab88674534c06970fe2938c25c678dee9f3773f

Scanner detections:
1 / 68

Status:
Adware

Note:
Our current pool of anti-malware engines have not currently detected this file, however based on our own detection heuristics we feel that this file is unwanted.

Analysis date:
12/25/2024 9:08:15 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Service.Superfish
15.3.1.9

File size:
1.3 MB (1,348,808 bytes)

Product version:
2.2.9.5

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\lenovo\visualdiscovery\visualdiscovery.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
7/29/2013 3:00:00 AM

Valid to:
7/28/2014 2:59:59 AM

Subject:
CN=Superfish Inc., O=Superfish Inc., L=Grandville, S=Michigan, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
3E32431476CFB3E1F90955B25396A6F4

File PE Metadata
Compilation timestamp:
7/8/2014 3:43:50 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
9.0

CTPH (ssdeep):
24576:DQ/1uT4QXcNSA9VuAvJ306ZToKTgzmRrcnxnzsGeps/nPcf0VeOEiMAgElpNyjb:DQYT4Q4uAh3KMgiRWJsGey3c8w5+g0bE

Entry address:
0x3705

Entry point:
E8, 02, 4C, 00, 00, E9, A4, FE, FF, FF, 8B, FF, 55, 8B, EC, 5D, E9, 63, 0C, 00, 00, 8B, FF, 56, 6A, 01, 68, 74, A0, 41, 00, 8B, F1, E8, 97, 0F, 00, 00, C7, 06, FC, 42, 41, 00, 8B, C6, 5E, C3, C7, 01, FC, 42, 41, 00, E9, FC, 0F, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, F1, C7, 06, FC, 42, 41, 00, E8, E9, 0F, 00, 00, F6, 45, 08, 01, 74, 07, 56, E8, B0, FF, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, 68, 0F, 00, 00, C7, 06, FC, 42, 41, 00, 8B, C6, 5E, 5D, C2, 04, 00, 8B...
 
[+]

Code size:
68.5 KB (70,144 bytes)

Service
Display name:
VisualDiscovery

Description:
VisualDiscovery Service

Type:
Win32OwnProcess

Depends on:
RPCSS


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to a104-101-44-51.deploy.static.akamaitechnologies.com  (104.101.44.51:443)

TCP (HTTP SSL):
Connects to rtr3.l7.search.vip.sg3.yahoo.com  (106.10.162.43:443)

TCP (HTTP SSL):
Connects to edge-z-1-p2-shv-01-hkg3.facebook.com  (31.13.95.46:443)

TCP (HTTP SSL):
Connects to edge-star-mini-shv-01-hkg3.facebook.com  (31.13.95.36:443)

TCP (HTTP):
Connects to ec2-54-83-55-118.compute-1.amazonaws.com  (54.83.55.118:80)

TCP (HTTP SSL):

Remove visualdiscovery.exe - Powered by Reason Core Security