MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a16287ca396038136cc63470d0e86edf10f8f2d4946fdb84fb03c6bd978735b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	a16287ca396038136cc63470d0e86edf10f8f2d4946fdb84fb03c6bd978735b6
SHA3-384 hash:	9c4873e6a342726fad883a96da4b332bfd568b1ca445afdddb27d5a3a63195c7b72359fffd7ca435838b7ee712f67ea3
SHA1 hash:	a33701a2db06030b7384d7ed21fbf420cf191fa2
MD5 hash:	52283334b1ad69f0a390de4c107dacc3
humanhash:	yankee-island-jig-bacon
File name:	doc000621026006.JS
Download:	download sample
Signature	AgentTesla Alert Create hunting rule
File size:	3'779'760 bytes
First seen:	2026-06-22 15:26:42 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	98304:MjFYF4r7z37eD6a15Dy2Vu9SUJhbXqQavfUiK96S+E4rSRbLeulZSl3ziFJ1HiA:t63my50duE8CA
Threatray	203 similar samples on MalwareBazaar
TLSH	T1D8062A409B209175E66DCB3DE037DFB0494E202355ABCF4E3429D318794AF8B17AA9E7
Magika	javascript
Reporter	abuse_ch
Tags:	AgentTesla js

abuse_ch

AgentTesla FTP exfil server:
ftp.avion.com.sg:21

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

147

Origin country :

SE

Vendor Threat Intelligence

ACCE Unknown

No detections

ClamAV Detected

Detection(s):

Sanesecurity.Malware.31320.UNOFFICIAL

Alert

Create hunting rule

CyberFortress Malicious

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a39557c86bc95245bf8b5a3

Tags:

negasteal virus lien blic

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

anti-debug dropper evasive obfuscated obfuscated packed repaired

Link:

https://www.filescan.io/uploads/6a3954849799578a6c461a77/reports/b40e1ac5-e9dc-46f2-ae70-3995e9d96dbe/overview

Hybrid Analysis JS/TrojanDropper.Agent

Verdict:

Malicious

Labled as:

JS/TrojanDropper.Agent

Link:

https://www.hybrid-analysis.com/sample/a16287ca396038136cc63470d0e86edf10f8f2d4946fdb84fb03c6bd978735b6

Kaspersky OpenTIP Malicious

Verdict:

Malicious

File Type:

js

First seen:

2026-06-21T08:08:00Z UTC

Last seen:

2026-06-24T12:57:00Z UTC

Hits:

~1000

Detections:

HEUR:Trojan-Downloader.Script.Generic Trojan-Dropper.JS.SDrop.sb HEUR:Trojan-Dropper.Script.Generic HEUR:Trojan.Script.Lubfus.gen HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/a16287ca396038136cc63470d0e86edf10f8f2d4946fdb84fb03c6bd978735b6/results?tab=lookup

Joe Sandbox AgentTesla, DonutLoader

Result

Threat name:

AgentTesla, DonutLoader

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1931706

Signature

Antivirus / Scanner detection for submitted sample

Benign windows process drops PE files

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Drops PE files to the document folder of the user

Drops PE files with a suspicious file extension

Found API chain indicative of debugger detection

Found direct / indirect Syscall (likely to bypass EDR)

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Unusual module load detection (module proxying)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected AgentTesla

Yara detected DonutLoader

Yara detected Lua decrypt and execute

Behaviour

Behavior Graph:

Download SVG

Nucleon Malprob Malware

Score:

93%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/a16287ca396038136cc63470d0e86edf10f8f2d4946fdb84fb03c6bd978735b6

Malva.RE

Gathering data

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a16287ca396038136cc63470d0e86edf10f8f2d4946fdb84fb03c6bd978735b6/

Neiki Family.DONUTLOADER

Verdict:

Malicious

Threat:

Family.DONUTLOADER

Link:

https://tip.neiki.dev/file/a16287ca396038136cc63470d0e86edf10f8f2d4946fdb84fb03c6bd978735b6

ReversingLabs TitaniumCloud Script-JS.Spyware.Negasteal

Threat name:

Script-JS.Spyware.Negasteal

Alert

Create hunting rule

Status:

Malicious

First seen:

2026-06-21 15:56:37 UTC

File Type:

Text (JavaScript)

AV detection:

10 of 24 (41.67%)

Threat level:

  2/5

Spamhaus Hash Blocklist Malicious file

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ufripsrzma4bg3gggrynb2do34ipr4wusrx5xbh3apdl3f4hgw3a._file

Threatray agenttesla donutloader

Verdict:

malicious

Label(s):

agenttesla

Alert

Create hunting rule

donutloader

Alert

Create hunting rule

Similar samples:

0fa25fe613da2ec00cd97ac83ccf8e5b510a423ff460be030d71cdc48befc06f

AgentTesla

1497f3ac5cea6ff1326aff8c3e774fe5a67dff656d1fb9e212307bad5300d9fe

AgentTesla

5060df36d2b6701839279f5ac009ecf132a4659afd568eafcfa3a215a2b734e8

AgentTesla

700bbe8a6f8d93252ba474406f233d41e3fe702c33ef0563f25abba14192424d

AgentTesla

76e089a21b93f2349ca1dacfd8d4fae4b57702f302103a83ca7c0d988991100e

AgentTesla

a9b214ea5cedfdd223453ad06fde148028ab31f0e6d44a37551dc1e2425125f5

AgentTesla

ebf80b076f3e450144e2d4df6a34d921e4aeafb84756601bac9b3a09d8c74093

AgentTesla

f8361430fa1ff9d98d30ce69d66fe7863ed9d0b9437c2373c83e627bfaae8145

AgentTesla

+ 193 additional samples on MalwareBazaar

Hatching Triage donutloader

Result

Malware family:

donutloader

Alert

Create hunting rule

Score:

  10/10

Tags:

family:agenttesla family:donutloader collection execution keylogger loader spyware stealer trojan

Link:

https://tria.ge/reports/260622-sw9w5sd16y/

Behaviour

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Detects DonutLoader

Family: AgentTesla

Family: DonutLoader

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Suspicious File

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/a16287ca396038136cc63470d0e86edf10f8f2d4946fdb84fb03c6bd978735b6