raidcall.exe

raidcall

KORAM GAMES LIMITED

The application raidcall.exe by KORAM GAMES LIMITED has been detected as a potentially unwanted program by 2 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘RaidCall’. While running, it connects to the Internet address 42.9c.7e4b.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
RAIDCALL.COM  (signed by KORAM GAMES LIMITED)

Product:
raidcall

Version:
1.0.4843.13

MD5:
2cbd20c9792bf6f7448f9680d7690c59

SHA-1:
40047ae2ca0fab3d4704c42b1e216642fc25087f

SHA-256:
d9523736fe373e77891e9aa035aed53fc7b082cc184c69efdcfe49c61810a354

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 1:10:46 PM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Optional.Startup.KORAMGAMESLIMITED.I
14.2.17.3

Rising Antivirus
PE:Malware.XPACK/RDM!5.1
23.00.65.131228

File size:
3.3 MB (3,448,504 bytes)

Product version:
1.0.4843.13

Copyright:
Copyright (C) 2009-2010 RAIDCALL.COM, All rights reserved

Original file name:
raidcall.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\raidcall\raidcall.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/8/2012 4:00:00 AM

Valid to:
1/8/2014 3:59:59 AM

Subject:
CN=KORAM GAMES LIMITED, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=KORAM GAMES LIMITED, L=HongKong, S=HongKong, C=HK

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6DE680510AEC828B17AC57B14D7A0CE3

File PE Metadata
Compilation timestamp:
3/14/2013 4:40:22 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
98304:xRyXwCTiqrZEBOw2gu5GBRN6/9ccmSIF0D7SjIfVFJ6jojnYoPvL9f8zRF:R5TxujbjYgvL90L

Entry address:
0x1D5090

Entry point:
6A, 74, 68, A0, 68, 6B, 00, E8, 94, FB, FF, FF, 33, FF, 89, 7D, E0, 57, 8B, 1D, 7C, E2, 67, 00, FF, D3, 66, 81, 38, 4D, 5A, 75, 1F, 8B, 48, 3C, 03, C8, 81, 39, 50, 45, 00, 00, 75, 12, 0F, B7, 41, 18, 3D, 0B, 01, 00, 00, 74, 1F, 3D, 0B, 02, 00, 00, 74, 05, 89, 7D, E4, EB, 27, 83, B9, 84, 00, 00, 00, 0E, 76, F2, 33, C0, 39, B9, F8, 00, 00, 00, EB, 0E, 83, 79, 74, 0E, 76, E2, 33, C0, 39, B9, E8, 00, 00, 00, 0F, 95, C0, 89, 45, E4, 89, 7D, FC, 6A, 02, FF, 15, 8C, E8, 67, 00, 59, 83, 0D, 64, ED, 76, 00, FF, 83...
 
[+]

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
2.5 MB (2,609,152 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
RaidCall

Command:
C:\Program Files\raidcall\raidcall.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to f2.c9.a86c.ip4.static.sl-reverse.com  (108.168.201.242:80)

TCP (HTTP):
Connects to d4.2b.9905.ip4.static.sl-reverse.com  (5.153.43.212:80)

TCP (HTTP):
Connects to 42.9c.7e4b.ip4.static.sl-reverse.com  (75.126.156.66:80)

Remove raidcall.exe - Powered by Reason Core Security