MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SweetPotato

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1
SHA3-384 hash:	28615fafd79025f124f394c7c9dff790f89c70f78fd2a8767aad40efaad56e6df5f16e9783b072ef25e6b2be57de261d
SHA1 hash:	5ad186b8cec195383de1d368aa53158cb1145120
MD5 hash:	f03a17b69f4c60629ba9b9981c89deb0
humanhash:	queen-east-alabama-colorado
File name:	SweetPotato.exe
Download:	download sample
Signature	SweetPotato Create hunting rule
File size:	926'208 bytes
First seen:	2026-02-22 18:14:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	24576:Hdc8cY5G1FOPjWcjL8TxNYqEv0rODHZ/lpWUmJKfplz7XWu9q:H5cY56OaccTtsWIZ/GUm0fpB7
TLSH	T1C315F1122BAC4B52EEEE17B8E871204567FFD500609FF38F2E94E5AE664FB104945363
TrID	33.1% (.EXE) Win64 Executable (generic) (6522/11/2) 25.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 10.4% (.ICL) Windows Icons Library (generic) (2059/9) 10.3% (.EXE) OS/2 Executable (generic) (2029/13) 10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	juroots
Tags:	exe SweetPotato

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

Vendor Threat Intelligence

No detections

Malware family:

n/a

ID:

File name:

_287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1.exe

Verdict:

No threats detected

Analysis date:

2026-02-22 18:48:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c0840394-4fa6-4c48-b95c-77ce42dd08eb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/54091/

Detection(s):

Win.Packed.Lazy-10025524-0

Win.Packed.Lazy-10025525-0

Verdict:

Malicious

Score:

90.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=699b47d9c950ab5d9ab087ec

Tags:

malware

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file

Launching a service

Launching cmd.exe command interpreter

DNS request

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

base64 cmd lolbin net obfuscated packed privilege

Link:

https://www.filescan.io/uploads/699b47d091ad9169e5333f08/reports/312d0937-7b99-4d0e-9e01-a24a89961624/overview

Verdict:

Malicious

Labled as:

MSILHeracles.Generic

Link:

https://www.hybrid-analysis.com/sample/287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1

Result

Gathering data

Verdict:

Malicious

File Type:

exe x64

Link:

https://opentip.kaspersky.com/287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1/results?tab=lookup

Malware family:

JuicyPotato

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/09dfe007-7596-42ab-b52c-a6952c1b8255

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.37 Win 64 Exe x64

Link:

https://app.malva.re/file/f03a17b69f4c60629ba9b9981c89deb0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1/

Verdict:

Malicious

Threat:

HackTool.MSIL.Inpat

Link:

https://tip.neiki.dev/file/287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1

Threat name:

Win64.Hacktool.Juicypotato

Status:

Malicious

First seen:

2026-02-22 18:15:42 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

22 of 36 (61.11%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fb7ypw3sa3ibsmvdrr4xdq5wlds6f7etfx7tpdayx74i4ikthcyq._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/260222-wv61msdt7b/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1

MD5 hash:

f03a17b69f4c60629ba9b9981c89deb0

SHA1 hash:

5ad186b8cec195383de1d368aa53158cb1145120

Link:

https://www.unpac.me/results/8cb2b43d-65b3-424c-ba74-49c086e1e60e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/287f87db7206d01932a38c7971c3b658e5e2fc932dff378c18bff88e215338b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	HKTL_NET_GUID_SweetPotato Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects c# red/black-team tools via typelibguid
Reference:	https://github.com/CCob/SweetPotato

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)