raidcall.exe

raidcall

KORAM GAMES LIMITED

The application raidcall.exe by KORAM GAMES LIMITED has been detected as a potentially unwanted program by 2 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘RaidCall’. While running, it connects to the Internet address 2.3e.9905.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
RAIDCALL.COM  (signed by KORAM GAMES LIMITED)

Product:
raidcall

Version:
1.0.8500.20

MD5:
f7c8cc7e8bbe6854489c4c94f87a158c

SHA-1:
008ef5ed36cfc4a5ec14fd86a70d3de5e662593e

SHA-256:
3150eeb7b60b7e9198eb475d3369272298fc44a39b439d89fddc737438690488

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 1:07:31 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Optional.KORAMGAMESLIMITED.I
14.2.21.2

Rising Antivirus
PE:Malware.XPACK/RDM!5.1
23.00.65.14101

File size:
3.3 MB (3,428,024 bytes)

Product version:
1.0.8500.20

Copyright:
Copyright (C) 2009-2010 RAIDCALL.COM, All rights reserved

Original file name:
raidcall.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\raidcall\raidcall.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/7/2012 5:00:00 PM

Valid to:
1/7/2014 4:59:59 PM

Subject:
CN=KORAM GAMES LIMITED, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=KORAM GAMES LIMITED, L=HongKong, S=HongKong, C=HK

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6DE680510AEC828B17AC57B14D7A0CE3

File PE Metadata
Compilation timestamp:
8/27/2013 12:59:10 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
98304:mCopfggASL482eOciwuGorYUb4WiGz4qxi8Gb3rr0XVrIhi3zID/H9aqjIx/Ncs6:uog3acwYg4W4q8xvUr2oeIxVcNT

Entry address:
0x1CF520

Entry point:
6A, 74, 68, F0, 10, 6B, 00, E8, 98, FB, FF, FF, 33, FF, 89, 7D, E0, 57, 8B, 1D, FC, 81, 67, 00, FF, D3, 66, 81, 38, 4D, 5A, 75, 1F, 8B, 48, 3C, 03, C8, 81, 39, 50, 45, 00, 00, 75, 12, 0F, B7, 41, 18, 3D, 0B, 01, 00, 00, 74, 1F, 3D, 0B, 02, 00, 00, 74, 05, 89, 7D, E4, EB, 27, 83, B9, 84, 00, 00, 00, 0E, 76, F2, 33, C0, 39, B9, F8, 00, 00, 00, EB, 0E, 83, 79, 74, 0E, 76, E2, 33, C0, 39, B9, E8, 00, 00, 00, 0F, 95, C0, 89, 45, E4, 89, 7D, FC, 6A, 02, FF, 15, E0, 86, 67, 00, 59, 83, 0D, 64, 9F, 76, 00, FF, 83...
 
[+]

Entropy:
6.4709

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
2.5 MB (2,584,576 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
RaidCall

Command:
C:\Program Files\raidcall\raidcall.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to edge-star-shv-13-frc1.facebook.com  (173.252.110.27:443)

TCP (HTTP):
Connects to d4.2b.9905.ip4.static.sl-reverse.com  (5.153.43.212:80)

TCP:
Connects to 75.126.52.40-static.reverse.softlayer.com  (75.126.52.40:81)

TCP:
Connects to 75.126.20.79-static.reverse.softlayer.com  (75.126.20.79:446)

TCP (HTTP):
Connects to 75.126.20.67-static.reverse.softlayer.com  (75.126.20.67:80)

TCP (HTTP):
Connects to 2.3e.9905.ip4.static.sl-reverse.com  (5.153.62.2:80)

Remove raidcall.exe - Powered by Reason Core Security