raidcall.exe

raidcall

KORAM GAMES LIMITED

The application raidcall.exe by KORAM GAMES LIMITED has been flagged as a potentially unwanted program by 1 of 68 anti-malware scanners; the single detection is a heuristic based on the file's startup behaviour (PUP.Optional.Startup.KORAMGAMESLIMITED.I), not a malware signature. It is set to execute automatically whenever any user logs into Windows, through the machine-wide Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) under the value name 'RaidCall'. While running, it connects over HTTP (TCP port 80) to d4.2b.9905.ip4.static.sl-reverse.com and to two further addresses listed in the network section below.
Publisher:
RAIDCALL.COM  (signed by KORAM GAMES LIMITED)

Product:
raidcall

Version:
1.0.2409.253

MD5:
07a41f82e084eeff6522b4e78d1654ff

SHA-1:
27ea722c2b2430c5d03dd6586035f847ac3649b4

SHA-256:
3e7d2b4cf6edfb896927311d0a77636e0c9672988399c46a9c1e9a5d9cc94ee1

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
10/23/2017 3:45:29 AM UTC

Scan engine        Detection                                   Engine version
Reason Heuristics  PUP.Optional.Startup.KORAMGAMESLIMITED.I    14.2.21.19

File size:
3 MB (3,153,592 bytes)

Product version:
1.0.2409.253

Copyright:
Copyright (C) 2009-2010 RAIDCALL.COM, All rights reserved

Original file name:
raidcall.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\raidcall\raidcall.exe

Digital Signature
Authority:
VeriSign, Inc.

Valid from:
12/8/2010 10:00:00 PM

Valid to:
12/8/2012 9:59:59 PM

Subject:
CN=KORAM GAMES LIMITED, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=KORAM GAMES LIMITED, L=HongKong, S=HongKong, C=HK

Issuer:
CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

Serial number:
6E9C3D39106B14390C185EF2DFCEB11B

File PE Metadata
Compilation timestamp:
10/29/2012 12:34:14 AM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
7.10

CTPH (ssdeep):
98304:qNV4pCEBY0HP7Z+YVa/cVttm+Ro6H3WeTZdM/ozOjzOUyzF7:9YYx4ozOzSV

Entry address:
0x1A1AE0

Entry point:
6A, 74, 68, 80, 5E, 67, 00, E8, 88, FB, FF, FF, 33, FF, 89, 7D, E0, 57, 8B, 1D, D0, 51, 64, 00, FF, D3, 66, 81, 38, 4D, 5A, 75, 1F, 8B, 48, 3C, 03, C8, 81, 39, 50, 45, 00, 00, 75, 12, 0F, B7, 41, 18, 3D, 0B, 01, 00, 00, 74, 1F, 3D, 0B, 02, 00, 00, 74, 05, 89, 7D, E4, EB, 27, 83, B9, 84, 00, 00, 00, 0E, 76, F2, 33, C0, 39, B9, F8, 00, 00, 00, EB, 0E, 83, 79, 74, 0E, 76, E2, 33, C0, 39, B9, E8, 00, 00, 00, 0F, 95, C0, 89, 45, E4, 89, 7D, FC, 6A, 02, FF, 15, C4, 56, 64, 00, 59, 83, 0D, 84, 5A, 72, 00, FF, 83...

Developed / compiled with:
Microsoft Visual C++ v7.1

Code size:
2.3 MB (2,375,680 bytes)

Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
RaidCall

Command:
C:\Program Files\raidcall\raidcall.exe
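The following PowerShell is an added triage example, not code from the Reason Core Security report or from RaidCall. It takes the values shown above (the Run value name, the registry path and the SHA-256) and checks a host for them: it reads the Run entry, hashes the binary it points to, inspects the Authenticode signature, and stages removal of the autostart value. The function names and the second (WOW6432Node) key are this example's own assumptions; the WOW6432Node key is included because a 32-bit installer on a 64-bit Windows host writes its Run value there.

```powershell
# Added example; assumes Windows PowerShell 5.x or later on the host being triaged.
$ReportSha256 = '3e7d2b4cf6edfb896927311d0a77636e0c9672988399c46a9c1e9a5d9cc94ee1'
$ValueName    = 'RaidCall'
$RunKeys      = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',            # key named in the report
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run' # assumption: 32-bit view on x64
)

function Get-RunEntryPath {
    # Returns the executable path stored in the Run value, or $null if absent.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $cmd = [string]$item.$Name
    # Strip surrounding quotes and any trailing arguments to isolate the binary path.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-ReportedBinary {
    # Hashes the file and reads its Authenticode signature.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; HashMatches = $false }
    }
    $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        Sha256      = $sha
        HashMatches = ($sha -eq $ReportSha256)
        # The signing certificate's validity ended on 12/8/2012; on a current host
        # the status is Valid only if the signature carries a trusted timestamp.
        Signature   = $sig.Status
        Signer      = $sig.SignerCertificate.Subject
        NotAfter    = $sig.SignerCertificate.NotAfter
    }
}

foreach ($key in $RunKeys) {
    $path = Get-RunEntryPath -Key $key -Name $ValueName
    if ($null -eq $path) {
        Write-Host "No '$ValueName' value under $key"
        continue
    }
    $result = Test-ReportedBinary -Path $path
    $result | Format-List
    if ($result.HashMatches) {
        # Containment step: stop the autostart but keep the file for analysis.
        # -WhatIf only previews the change; drop it to apply.
        Remove-ItemProperty -Path $key -Name $ValueName -WhatIf
    }
}
```

A hash that does not match the report is not a clean bill of health; it only means a different build is installed, so treat the signature and path results on their own merits. Anything other than Valid in the Signature field means the chain no longer verifies on this host, which for a certificate that expired in 2012 is expected unless the file was timestamped at signing.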


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to d4.2b.9905.ip4.static.sl-reverse.com  (5.153.43.212:80)

TCP (HTTP):
Connects to 2.3e.9905.ip4.static.sl-reverse.com  (5.153.62.2:80)

TCP (HTTP):
Connects to 42.9c.7e4b.ip4.static.sl-reverse.com  (75.126.156.66:80)
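The script below is an added example, not part of the report, showing how an analyst would turn the three destinations above into a host check and a containment rule. It matches the reported IPs against live TCP connections, attributes each match to its owning process, and stages an outbound Windows Firewall block. It assumes Windows 8 / Server 2012 or later (for the NetTCPIP and NetSecurity modules); the function names and the rule's display name are this example's own.

```powershell
# Added example; the IP/port pairs are copied from the report above.
$ReportedHosts = @(
    @{ Name = 'd4.2b.9905.ip4.static.sl-reverse.com'; Ip = '5.153.43.212'  }
    @{ Name = '2.3e.9905.ip4.static.sl-reverse.com';  Ip = '5.153.62.2'    }
    @{ Name = '42.9c.7e4b.ip4.static.sl-reverse.com'; Ip = '75.126.156.66' }
)
$ReportedIps = $ReportedHosts | ForEach-Object { $_.Ip }

function Find-ReportedConnections {
    # Lists current TCP connections to the reported IPs on the reported port,
    # with the owning process so the match can be tied back to raidcall.exe.
    param([string[]]$RemoteIps, [int]$Port = 80)
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -in $RemoteIps -and $_.RemotePort -eq $Port } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                Pid     = $_.OwningProcess
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
}

function Block-ReportedHosts {
    # Creates one outbound block rule covering all reported IPs; a single
    # named rule is easy to audit and to remove once the host is cleaned.
    param([string[]]$RemoteIps, [switch]$Apply)
    $rule = @{
        DisplayName   = 'Block raidcall.exe reported hosts'   # assumption: name chosen here
        Direction     = 'Outbound'
        Action        = 'Block'
        RemoteAddress = $RemoteIps
        Profile       = 'Any'
    }
    if ($Apply) { New-NetFirewallRule @rule } else { New-NetFirewallRule @rule -WhatIf }
}

Find-ReportedConnections -RemoteIps $ReportedIps | Format-Table -AutoSize
Block-ReportedHosts -RemoteIps $ReportedIps     # add -Apply to create the rule
```

The sl-reverse.com names are generic reverse-DNS (PTR) records for SoftLayer address space, not the hostnames the program requested, so the indicator here is the IP and port, not the name. Addresses in shared hosting ranges get reused, so review a block rule like this periodically rather than leaving it in place indefinitely.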

Remove raidcall.exe - Powered by Reason Core Security