MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3cbcd81a249212c42c752454e7b704f4b0da63f30b142ed08b60c614c91c248. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



ValleyRAT


Vendor detections: 16


Intelligence 16 IOCs 1 YARA 15 File information Comments

SHA256 hash: d3cbcd81a249212c42c752454e7b704f4b0da63f30b142ed08b60c614c91c248
SHA3-384 hash: 4da31b53de17ced42f777aa4ee958cf272373c7a800e4be6290b412c4f598a4116895442120c7fb84bda3fb79326a049
SHA1 hash: 989adaed5f476cf9af011cdb9fe6c76b1dd55f77
MD5 hash: 719a8ef6e5dcbfbbb51efe3f12c910ca
humanhash: potato-neptune-washington-mars
File name:Seattle House.exe
Download: download sample
Signature ValleyRAT
File size:12'386'096 bytes
First seen:2025-11-16 14:28:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 20d446c1cb128febd23deb17efb67cf6 (11 x BlankGrabber, 8 x ValleyRAT, 5 x CrealStealer)
ssdeep 196608:P8xc9VjA1HeT39Iig7auDXURuAGCTMQ4qYUbYBzivF7OdVvcTbpBUPdPu8sls:0xcO1+TtIinuARuAWQ4qYwYS7OdV0TDQ
Threatray 377 similar samples on MalwareBazaar
TLSH T150C6229462E609E0D4E5DF77CC5082F9A7736F524664837A13BC3DF2FA32B5B0826A41
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter smica83
Tags:exe ValleyRAT

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.229.116.158:447 https://threatfox.abuse.ch/ioc/1644292/

Intelligence


File Origin
# of uploads :
1
# of downloads :
115
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Seattle House.exe
Verdict:
Malicious activity
Analysis date:
2025-11-16 14:29:21 UTC
Tags:
python auto-reg payload valley winos rat silverfox golang valleyrat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
installer extens virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process from a recently created file
Searching for synchronization primitives
Creating a window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a file
Loading a suspicious library
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
compiled-script crypto expand go golang installer-heuristic lolbin microsoft_visual_cc overlay overlay packed packed pyinstaller pyinstaller python redcap
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-14T00:22:00Z UTC
Last seen:
2025-11-18T02:34:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Backdoor.Win32.Xkcp.bkn Trojan.Win32.Dedok.sb Trojan.Win32.Agent.sb Trojan.Python.Locker.sba Exploit.Win64.Crun.a Backdoor.Xkcp.TCP.ServerRequest Backdoor.Win32.Xkcp.bkm
Result
Threat name:
ValleyRAT
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates multiple autostart registry keys
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Found pyInstaller with non standard icon
Found stalling execution ending in API Sleep call
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Yara detected ValleyRAT
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1814888 Sample: Seattle House.exe Startdate: 16/11/2025 Architecture: WINDOWS Score: 100 40 us1.roaming1.live.com.akadns.net 2->40 42 s-0005.dual-s-msedge.net 2->42 44 5 other IPs or domains 2->44 50 Suricata IDS alerts for network traffic 2->50 52 Found malware configuration 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 14 other signatures 2->56 9 Seattle House.exe 53 2->9         started        12 xiaofeng_64 (8).exe 1 2->12         started        15 xiaofeng_64 (8).exe 2->15         started        17 11 other processes 2->17 signatures3 process4 file5 32 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 9->32 dropped 34 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 9->34 dropped 36 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 9->36 dropped 38 48 other files (none is malicious) 9->38 dropped 19 Seattle House.exe 5 5 9->19         started        60 Creates multiple autostart registry keys 12->60 signatures6 process7 file8 30 C:\Users\user\AppData\...\xiaofeng_64 (8).exe, PE32+ 19->30 dropped 22 xiaofeng_64 (8).exe 4 19->22         started        26 POWERPNT.EXE 219 60 19->26         started        process9 dnsIp10 46 192.229.116.158, 447, 448, 49723 LEASEWEB-USA-LAX-11US United States 22->46 58 Creates multiple autostart registry keys 22->58 48 mira-ofc.tm-4.office.com 52.110.2.196, 443, 49717 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->48 28 ai.exe 26->28         started        signatures11 process12
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Threat name:
Win64.Backdoor.Valleyrat
Status:
Malicious
First seen:
2025-11-14 03:31:21 UTC
File Type:
PE+ (Exe)
Extracted files:
123
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
d3cbcd81a249212c42c752454e7b704f4b0da63f30b142ed08b60c614c91c248
MD5 hash:
719a8ef6e5dcbfbbb51efe3f12c910ca
SHA1 hash:
989adaed5f476cf9af011cdb9fe6c76b1dd55f77
SH256 hash:
048d4c5a51e45777ba15facdaddbf7702594a2268e8de1768ab0f5f4e4d7e733
MD5 hash:
05f2140c1a8a139f2e9866aa2c3166f1
SHA1 hash:
9170cff11f3b91f552ac09a186a3bae7ea7cda25
SH256 hash:
8d650a77712323087efa4b0d3e331036a23a815f73bb53702d593ae71d83ec5f
MD5 hash:
0c6871a75f7cee3e41df9a3a43a7e287
SHA1 hash:
880a4e85cfabd1c414bd3aad803e5966d343212d
Malware family:
ValleyRAT
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PyInstaller
Author:Obscurity Labs LLC
Description:Detects PyInstaller compiled executables across platforms
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Gh0stKCP
Author:Netresec
Description:Detects HP-Socket ARQ and KCP implementations, which are used in Gh0stKCP. Forked from @stvemillertime's KCP catchall rule.
Reference:https://netresec.com/?b=259a5af
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:PyInstaller
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:upxHook
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:Windows_Generic_Threat_3055c14a
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments