visualdiscovery.exe

VisualDiscovery.exe

Superfish Inc.

The application visualdiscovery.exe by Superfish has been detected as adware by 17 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “VisualDiscovery”. While running, it connects to the Internet address 45.32.128.122.vultr.com on port 80 using the HTTP protocol.
Publisher:
Superfish, Inc.  (signed by Superfish Inc.)

Product:
VisualDiscovery.exe

Version:
2.3.0.2

MD5:
41c9b823f8c8a8af02075fe21a6bb50b

SHA-1:
f0b0cd0227ba302ac9ab4f30d837422c7ae66c46

SHA-256:
e7ad06ceea93de4cb8990f8c4522c5b7b0a8035cd74c9704170c46746f524e80

Scanner detections:
17 / 68

Status:
Adware

Analysis date:
11/23/2024 2:50:56 AM UTC  (today)

Scan engine
Detection
Engine version

Lavasoft Ad-Aware
Gen:Adware.Superfish.1
712

Avira AntiVirus
Adware/SuperFish.B.6
7.11.211.180

avast!
Win32:Adware-gen [Adw]
2014.9-150223

Bitdefender
Gen:Adware.Superfish.1
1.0.20.270

Dr.Web
Adware.Superfish.1
9.0.1.054

Emsisoft Anti-Malware
Gen:Adware.Superfish
8.15.02.23.12

ESET NOD32
Win32/Adware.SuperFish
9.11207

F-Secure
Gen:Adware.Superfish.1
11.2015-23-02_2

G Data
Gen:Adware.Superfish
15.2.25

K7 AntiVirus
Adware
13.197.15035

Malwarebytes
PUP.Optional.SuperFish
v2015.02.23.12

MicroWorld eScan
Gen:Adware.Superfish.1
16.0.0.162

NANO AntiVirus
Riskware.Win32.Loadshop.dgvoaq
0.30.0.64448

Reason Heuristics
PUP.Service.Superfish
15.3.1.9

Trend Micro House Call
Suspicious_GEN.F47V1226
7.2.3

Trend Micro
ADW_SUPERFISH
10.465.23

Zillya! Antivirus
Adware.Loadshop.Win32.3
2.0.0.2024

File size:
1.2 MB (1,304,360 bytes)

Product version:
2.3.0.2

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\Program Files\lenovo\visualdiscovery\visualdiscovery.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
7/15/2014 5:00:00 PM

Valid to:
7/26/2016 4:59:59 PM

Subject:
CN=Superfish Inc., O=Superfish Inc., L=Grandville, S=Michigan, C=US

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
6811B38827E880329B97481639E08413

File PE Metadata
Compilation timestamp:
9/28/2014 9:29:21 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
9.0

CTPH (ssdeep):
24576:LGi1VTnukpQtBX7jCYFcNe9C10R3Kd7wEbVs1OsQSKBRsNyAQvWdZPn:LGwT5sjpFCr1zwEbVs1OsfyeMrvWdZ/

Entry address:
0x3755

Entry point:
E8, 02, 4C, 00, 00, E9, A4, FE, FF, FF, 8B, FF, 55, 8B, EC, 5D, E9, 63, 0C, 00, 00, 8B, FF, 56, 6A, 01, 68, 74, A0, 41, 00, 8B, F1, E8, 97, 0F, 00, 00, C7, 06, FC, 42, 41, 00, 8B, C6, 5E, C3, C7, 01, FC, 42, 41, 00, E9, FC, 0F, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, F1, C7, 06, FC, 42, 41, 00, E8, E9, 0F, 00, 00, F6, 45, 08, 01, 74, 07, 56, E8, B0, FF, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, 68, 0F, 00, 00, C7, 06, FC, 42, 41, 00, 8B, C6, 5E, 5D, C2, 04, 00, 8B...
 
[+]

Entropy:
7.9769  (probably packed)

Code size:
68.5 KB (70,144 bytes)

Service
Display name:
VisualDiscovery

Description:
VisualDiscovery Service

Type:
Win32OwnProcess

Depends on:
RPCSS


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to webportal.citrine.cmh.synacor.com  (69.168.97.233:80)

TCP (HTTP):

TCP (HTTP):
Connects to blob.am5prdstr07a.store.core.windows.net  (13.95.96.184:80)

TCP (HTTP):
Connects to i91.158.178.82.omantel.net.om  (82.178.158.91:80)

TCP (HTTP):
Connects to a172-227-120-200.deploy.static.akamaitechnologies.com  (172.227.120.200:80)

TCP (HTTP):
Connects to nl.redir.opera.com  (82.145.215.91:80)

TCP (HTTP):
Connects to i58.158.178.82.omantel.net.om  (82.178.158.58:80)

TCP (HTTP):
Connects to a23-214-116-50.deploy.static.akamaitechnologies.com  (23.214.116.50:80)

TCP (HTTP):
Connects to ec2-52-51-154-85.eu-west-1.compute.amazonaws.com  (52.51.154.85:80)

TCP (HTTP):
Connects to arbo.hit.gemius.pl  (195.42.113.232:80)

TCP (HTTP):
Connects to 213-241-89-24.static.ip.netia.com.pl  (213.241.89.24:80)

TCP (HTTP):
Connects to host-66-96-226-234.myrepublic.co.id  (66.96.226.234:80)

TCP (HTTP):
Connects to xx-fbcdn-shv-01-waw1.fbcdn.net  (31.13.81.13:80)

TCP (HTTP):
Connects to single-europe20.banahosting.com  (107.6.184.133:80)

TCP (HTTP):
Connects to server-54-230-230-144.waw50.r.cloudfront.net  (54.230.230.144:80)

TCP (HTTP):
Connects to server-52-84-194-235.waw50.r.cloudfront.net  (52.84.194.235:80)

TCP (HTTP):
Connects to ns3027602.ip-149-202-90.eu  (149.202.90.49:80)

TCP (HTTP):
Connects to hzn-564757.hardns.net  (138.201.139.211:80)

TCP (HTTP):
Connects to https-178-79-232-14.dus.llnw.net  (178.79.232.14:80)

TCP (HTTP):
Connects to ec2-184-73-235-25.compute-1.amazonaws.com  (184.73.235.25:80)

Remove visualdiscovery.exe - Powered by Reason Core Security