MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d169cc73f0389c86d0e4d3df5a38042f38da00a3fe474275a2a1894fbbbee66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Mirai

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	4d169cc73f0389c86d0e4d3df5a38042f38da00a3fe474275a2a1894fbbbee66
SHA3-384 hash:	f0cb855b5326f08586a81904caecf3f43d0b0f9038d0bb1e69f58a21ac3870b73c7b8958fd1b46a10cfc217b6e9b0311
SHA1 hash:	99bef53f8886ad92234995cfe26866a691b5b635
MD5 hash:	e1af8abd9f7747840e62b243b8ce889f
humanhash:	louisiana-may-helium-don
File name:	Sassy-Cats.sh
Download:	download sample
Signature	Mirai Create hunting rule
File size:	2'174 bytes
First seen:	2026-04-15 23:37:44 UTC
Last seen:	Never
File type:	sh
MIME type:	text/x-shellscript
ssdeep	24:Rv/vpbEGEPvFH2kEkEpvqv+cE6mfvBvvVE3hvqv+cE6FgvgRFvgRTgRBEgR/zgRK:TXcHPyPzBRA+rbdULSy0lZJoJHAjCI
TLSH	T12D41338947E0238EF5C48E07FC9D8D7960D7A5A015AC5900E0780DF2A2BF987B6F9667
TrID	70.0% (.SH) Linux/UNIX shell script (7000/1) 30.0% (.) Unix-like shebang (var.3) (gen) (3000/1)
Magika	shell
Reporter	abuse_ch
Tags:	sh

Shell script dropper

This file seems to be a shell script dropper, using wget, ftpget and/or curl. More information about the corresponding payload URLs are shown below.

URL	Malware sample (SHA256 hash)	Signature	Tags
http://46.101.46.29/.Sassy/.Sassy.x86_64	ecf3db15e6f1b63848133bf3bcbd2159e54469886c1088630d789cba08ddacca	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy.aarch64	n/a	n/a	elf opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.m68k	ce9a05f2f5ce82cd3a4345423047209e347fb64d7c7cb2c34510e4a4186e3d58	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.mips	7bf180a23a1791906926eeba7b9a1221eafec493a8f17ef728e684d5c32d9afd	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.mipsel	ab49bad666a613ef9463a859c84d2784190b679056c7ea8d73708dd63342d4dc	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.powerpc	f98ead1adc036df4db2dc85d929868b1a2a4f928bc21f3289c62789638d8895a	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.sparc	cce4491ecb2ed2904d0ca07e99fea9c2d2e7a6bebc89832258f0e0e7cb754e85	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.sh4	3b45af43b673ee124c89887e3aad20e888a5e645d7cfc7279f24278f4352a5c1	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.arc	cbad2d84ad74e4a952f8a76dc0393c4957789b0b57ba928851c6958a44a832e0	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.i486	6bc2a651fe1fa718397d940038c2dd042dc8713067b89d9b27c223b1f599c553	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.armv4l	0a420f2779dc2b65ca5ac612b9d2d506fca39a7b2f1f52378156927a9dee72b7	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.armv5l	5260262c2e02485e8d13eaad74c36ec4e5043f41a9484d4e76395b4cc91130a6	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.armv6l	aba7bc64fa57c4acb34a72b172b79add710a327b54d3ce3a01d77c2bf3ec31d1	Mirai	elf mirai opendir ua-wget
http://46.101.46.29/.Sassy/.Sassy.armv7l	8deeea0a052e3acd8818c4cd95825347ccdb37d0870befccc6027a21d937819d	Mirai	elf mirai opendir ua-wget

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

mirai

Link:

https://www.filescan.io/uploads/69e0217e5ea31bc68a2ed9a6/reports/f74cc59b-46c1-40a4-b70f-1eb70d308ed8/overview

Result

Gathering data

Verdict:

Malicious

File Type:

UnixScript

First seen:

2026-04-15T15:34:00Z UTC

Last seen:

2026-04-15T15:34:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/4d169cc73f0389c86d0e4d3df5a38042f38da00a3fe474275a2a1894fbbbee66/results?tab=lookup

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/4d169cc73f0389c86d0e4d3df5a38042f38da00a3fe474275a2a1894fbbbee66

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d169cc73f0389c86d0e4d3df5a38042f38da00a3fe474275a2a1894fbbbee66/

Verdict:

Malicious

Threat:

Family.MIRAI

Link:

https://tip.neiki.dev/file/4d169cc73f0389c86d0e4d3df5a38042f38da00a3fe474275a2a1894fbbbee66

Threat name:

Script-Shell.Downloader.Heuristic

Status:

Malicious

First seen:

2026-04-15 23:38:42 UTC

File Type:

Text (Shell)

AV detection:

8 of 36 (22.22%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=juljzrz7aoe4q3ioju67li4ailzy3iakh7shij22fimjj6535zta._file

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery linux upx

Link:

https://tria.ge/reports/260415-3m18rabz7k/

Behaviour

Reads runtime system information

System Network Configuration Discovery

Writes file to tmp directory

Changes its process name

UPX packed file

Enumerates running processes

File and Directory Permissions Modification

Deletes itself

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/4d169cc73f0389c86d0e4d3df5a38042f38da00a3fe474275a2a1894fbbbee66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_Linux_IoT_MultiArch_BotnetLoader_Generic Create hunting rule
Author:	Anish Bogati
Description:	Technique-based detection of IoT/Linux botnet loader shell scripts downloading binaries from numeric IPs, chmodding, and executing multi-architecture payloads
Reference:	MalwareBazaar sample lilin.sh