raidcall.exe

raidcall

KORAM GAMES LIMITED

The application raidcall.exe by KORAM GAMES LIMITED has been detected as a potentially unwanted program by 2 anti-malware scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘RaidCall’. While running, it connects to the Internet address 25.8c.5177.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:
RAIDCALL.COM  (signed by KORAM GAMES LIMITED)

Product:
raidcall

Version:
1.0.10123.247

MD5:
40eb2730d0d2785f0a1238e325e616c6

SHA-1:
a9fa55c03630611ffb82534368a43aeb0bc54a70

SHA-256:
1e269e8117a0ea049591d6f7fa3053beb77f7f43555c509b7bd791928ac64e64

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 4:55:52 AM UTC  (today)

Scan engine
Detection
Engine version

Reason Heuristics
PUP.Optional.Startup.KORAMGAMESLIMITED.I
14.2.21.6

Rising Antivirus
PE:Malware.XPACK/RDM!5.1
23.00.65.14106

File size:
5 MB (5,201,592 bytes)

Product version:
8.0.2

Copyright:
Copyright (C) 2009-2010 RAIDCALL.COM, All rights reserved

Original file name:
raidcall.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\rc語音\raidcall.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
11/8/2012 8:00:00 AM

Valid to:
1/8/2014 7:59:59 AM

Subject:
CN=KORAM GAMES LIMITED, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=KORAM GAMES LIMITED, L=HongKong, S=HongKong, C=HK

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6DE680510AEC828B17AC57B14D7A0CE3

File PE Metadata
Compilation timestamp:
9/16/2013 11:45:38 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
98304:c6XeF3/PEeUS/QvCiqk/QYg3xorNc/CjJ5I2Fkth5zD40hc:UpezNACjJS2FwQ0hc

Entry address:
0x2B8A30

Entry point:
6A, 74, 68, 20, C2, 82, 00, E8, DC, F9, FF, FF, 33, FF, 89, 7D, E0, 57, 8B, 1D, E4, 21, 7F, 00, FF, D3, 66, 81, 38, 4D, 5A, 75, 1F, 8B, 48, 3C, 03, C8, 81, 39, 50, 45, 00, 00, 75, 12, 0F, B7, 41, 18, 3D, 0B, 01, 00, 00, 74, 1F, 3D, 0B, 02, 00, 00, 74, 05, 89, 7D, E4, EB, 27, 83, B9, 84, 00, 00, 00, 0E, 76, F2, 33, C0, 39, B9, F8, 00, 00, 00, EB, 0E, 83, 79, 74, 0E, 76, E2, 33, C0, 39, B9, E8, 00, 00, 00, 0F, 95, C0, 89, 45, E4, 89, 7D, FC, 6A, 02, FF, 15, 98, 28, 7F, 00, 59, 83, 0D, C4, B3, 91, 00, FF, 83...
 
[+]

Entropy:
6.5239

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
3.9 MB (4,132,864 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
RaidCall

Command:
C:\Program Files\rc語音\raidcall.exe


Windows Firewall Allowed Program
Name:
C:\Program Files\RC語音\raidcall.exe


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to 25.8c.5177.ip4.static.sl-reverse.com  (119.81.140.37:80)

TCP (HTTP):
Connects to f9.d3.5177.ip4.static.sl-reverse.com  (119.81.211.249:80)

Remove raidcall.exe - Powered by Reason Core Security