» visualdiscovery.exe
Overview
Analysis
File Details
Behaviors (1)
Network (65)

visualdiscovery.exe

VisualDiscovery.exe

Superfish Inc.

The application visualdiscovery.exe by Superfish has been detected as adware by 17 anti-malware scanners. It runs as a separate (within the context of its own process) windows Service named “VisualDiscovery”. While running, it connects to the Internet address 45.32.128.122.vultr.com on port 80 using the HTTP protocol.

File name:

visualdiscovery.exe

Publisher:

Superfish, Inc. (signed by Superfish Inc.)

Product:

VisualDiscovery.exe

Version:

2.3.0.2

MD5:

41c9b823f8c8a8af02075fe21a6bb50b

SHA-1:

f0b0cd0227ba302ac9ab4f30d837422c7ae66c46

SHA-256:

e7ad06ceea93de4cb8990f8c4522c5b7b0a8035cd74c9704170c46746f524e80

Scanner detections:

17 / 68

Status:

Adware

Analysis date:

4/20/2024 12:52:45 AM UTC (today)

Scan engine

Detection

Engine version

Lavasoft Ad-Aware

Gen:Adware.Superfish.1

712

Avira AntiVirus

Adware/SuperFish.B.6

7.11.211.180

avast!

Win32:Adware-gen [Adw]

2014.9-150223

Bitdefender

Gen:Adware.Superfish.1

1.0.20.270

Dr.Web

Adware.Superfish.1

9.0.1.054

Emsisoft Anti-Malware

Gen:Adware.Superfish

8.15.02.23.12

ESET NOD32

Win32/Adware.SuperFish

9.11207

F-Secure

Gen:Adware.Superfish.1

11.2015-23-02_2

G Data

Gen:Adware.Superfish

15.2.25

K7 AntiVirus

Adware

13.197.15035

Malwarebytes

PUP.Optional.SuperFish

v2015.02.23.12

MicroWorld eScan

Gen:Adware.Superfish.1

16.0.0.162

NANO AntiVirus

Riskware.Win32.Loadshop.dgvoaq

0.30.0.64448

Reason Heuristics

PUP.Service.Superfish

15.3.1.9

Trend Micro House Call

Suspicious_GEN.F47V1226

7.2.3

Trend Micro

ADW_SUPERFISH

10.465.23

Zillya! Antivirus

Adware.Loadshop.Win32.3

2.0.0.2024

File size:

1.2 MB (1,304,360 bytes)

Product version:

2.3.0.2

File type:

Executable application (Win32 EXE)

Language:

Language Neutral

Common path:

C:\Program Files\lenovo\visualdiscovery\visualdiscovery.exe

Digital Signature

Signed by:

Superfish Inc.

Authority:

Thawte, Inc.

Valid from:

7/15/2014 5:00:00 PM

Valid to:

7/26/2016 4:59:59 PM

Subject:

CN=Superfish Inc., O=Superfish Inc., L=Grandville, S=Michigan, C=US

Issuer:

CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:

6811B38827E880329B97481639E08413

File PE Metadata

Compilation timestamp:

9/28/2014 9:29:21 AM

OS version:

5.0

OS bitness:

Win32

Subsystem:

Windows Console

Linker version:

9.0

CTPH (ssdeep):

24576:LGi1VTnukpQtBX7jCYFcNe9C10R3Kd7wEbVs1OsQSKBRsNyAQvWdZPn:LGwT5sjpFCr1zwEbVs1OsfyeMrvWdZ/

Entry address:

0x3755

Entry point:

E8, 02, 4C, 00, 00, E9, A4, FE, FF, FF, 8B, FF, 55, 8B, EC, 5D, E9, 63, 0C, 00, 00, 8B, FF, 56, 6A, 01, 68, 74, A0, 41, 00, 8B, F1, E8, 97, 0F, 00, 00, C7, 06, FC, 42, 41, 00, 8B, C6, 5E, C3, C7, 01, FC, 42, 41, 00, E9, FC, 0F, 00, 00, 8B, FF, 55, 8B, EC, 56, 8B, F1, C7, 06, FC, 42, 41, 00, E8, E9, 0F, 00, 00, F6, 45, 08, 01, 74, 07, 56, E8, B0, FF, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 56, FF, 75, 08, 8B, F1, E8, 68, 0F, 00, 00, C7, 06, FC, 42, 41, 00, 8B, C6, 5E, 5D, C2, 04, 00, 8B... 
[+]

Entropy:

7.9769 (probably packed)

Code size:

68.5 KB (70,144 bytes)

Service

Display name:

VisualDiscovery

Description:

VisualDiscovery Service

Type:

Win32OwnProcess

Depends on:

RPCSS

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):

Connects to webportal.citrine.cmh.synacor.com (69.168.97.233:80)

TCP (HTTP):

Connects to a104-81-60-81.deploy.static.akamaitechnologies.com (104.81.60.81:80)

TCP (HTTP):

Connects to blob.am5prdstr07a.store.core.windows.net (13.95.96.184:80)

TCP (HTTP):

Connects to i91.158.178.82.omantel.net.om (82.178.158.91:80)

TCP (HTTP):

Connects to a172-227-120-200.deploy.static.akamaitechnologies.com (172.227.120.200:80)

TCP (HTTP):

Connects to nl.redir.opera.com (82.145.215.91:80)

TCP (HTTP):

Connects to i58.158.178.82.omantel.net.om (82.178.158.58:80)

TCP (HTTP):

Connects to a23-214-116-50.deploy.static.akamaitechnologies.com (23.214.116.50:80)

TCP (HTTP):

Connects to ec2-52-51-154-85.eu-west-1.compute.amazonaws.com (52.51.154.85:80)

TCP (HTTP):

Connects to arbo.hit.gemius.pl (195.42.113.232:80)

TCP (HTTP):

Connects to 213-241-89-24.static.ip.netia.com.pl (213.241.89.24:80)

TCP (HTTP):

Connects to host-66-96-226-234.myrepublic.co.id (66.96.226.234:80)

TCP (HTTP):

Connects to xx-fbcdn-shv-01-waw1.fbcdn.net (31.13.81.13:80)

TCP (HTTP):

Connects to single-europe20.banahosting.com (107.6.184.133:80)

TCP (HTTP):

Connects to server-54-230-230-144.waw50.r.cloudfront.net (54.230.230.144:80)

TCP (HTTP):

Connects to server-52-84-194-235.waw50.r.cloudfront.net (52.84.194.235:80)

TCP (HTTP):

Connects to ns3027602.ip-149-202-90.eu (149.202.90.49:80)

TCP (HTTP):

Connects to hzn-564757.hardns.net (138.201.139.211:80)

TCP (HTTP):

Connects to https-178-79-232-14.dus.llnw.net (178.79.232.14:80)

TCP (HTTP):

Connects to ec2-184-73-235-25.compute-1.amazonaws.com (184.73.235.25:80)

Remove visualdiscovery.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.