MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16f0b77fa4508cbf1e11f11ff7d22bfc6b5c5ce997320ddeb58cbbdff6572605. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 16f0b77fa4508cbf1e11f11ff7d22bfc6b5c5ce997320ddeb58cbbdff6572605
SHA3-384 hash: 22adcf7b7fb8d36e8a91a779fffd48ef1394bba1f97683c2ff16f7932680e07296ca725ccafdff0e6832ec3cea802e71
SHA1 hash: 44dc47e80a9d6a8ba6d19c20d6521df28b2132f8
MD5 hash: bb4f892713157b9a4db7ef66aa798826
humanhash: utah-beer-white-three
File name: RTK_NIC_DRIVER_INSTALLER.sfx.exe
File size: 1'111'792 bytes
First seen: 2026-07-03 19:15:47 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b5a014d7eeb4c2042897567e1288a095 (24 x HijackLoader, 15 x GhostPulse, 14 x ValleyRAT)
ssdeep: 24576:P2yePUjJdPVOqP8sY3yQQ3KaJVn81V+2oDFRY0vV6kY:PpfNDOqPZFQMJeoDDYEV6kY
TLSH: T1B93523427BD08CB9C7DB66B051826DF4D1A9F7350504864BBBD08E0AAFB9391FB4E127
TrID:
42.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.8% (.EXE) Win64 Executable (generic) (6522/11/2)
13.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.6% (.EXE) Win32 Executable (generic) (4504/4/1)
5.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 5486b6d4cc2b8a82
Reporter: lschab
Tags: dropper exe RTK

Intelligence


File Origin
# of uploads: 1
# of downloads: 143
Origin country: PL

Vendor Threat Intelligence
No detections

Malware family: n/a
ID: 1
File name: exe
Verdict: Malicious activity
Analysis date: 2026-07-03 19:16:18 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Modifying a system file
Moving a file to the %temp% subdirectory
Launching a service
Moving a file to the system32 subdirectory
Creating a file in the system32 subdirectories
Enabling the 'hidden' option for recently created files
Deleting a recently created file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context evasive expired-cert fingerprint installer installer installer-heuristic invalid-signature masquerade microsoft_visual_cc overlay packed reconnaissance signed

Verdict: Clean
File Type: exe x32
First seen: 2026-07-03T18:25:00Z UTC
Last seen: 2026-07-03T20:28:00Z UTC
Hits: ~10
Result
Malware family: n/a
Score: 7/10
Tags: discovery

Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Checks computer location settings
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

Rule name: VECT_Ransomware
Author: Mustafa Bakhit
Description: Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 16f0b77fa4508cbf1e11f11ff7d22bfc6b5c5ce997320ddeb58cbbdff6572605 (this sample)

Delivery method: Distributed via web download