| SHA-256 | Filename | Description |
|---------|----------|-------------|
| c3f2d1b8a9f1e5d6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0 | update.exe | Dropper delivering Emotet-derived banking trojan |
| 9b7a6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7 | lockbit_v2.exe | LockBit 2.0 ransomware variant |

| Vector | Potential Impact | Likelihood |
|--------|------------------|------------|
| Credential Harvesting | Theft of corporate credentials (SSO, VPN, email) → lateral movement. | High |
| Malware Drop | Installation of banking trojan → financial fraud. | Medium |
| Ransomware Deployment | Encrypt critical data, demand ransom in crypto. | Low-Medium (observed in Q4 2025, resurging). |
| Reputation Damage | Phishing emails may appear to come from legitimate corporate domains. | Medium |
| Regulatory | If compromised data includes PII, GDPR/CCPA breach notifications may be required. | Medium |

Overall risk rating: High for organizations handling sensitive credentials or financial data.


| IP | Owner | First seen | Notes |
|----|-------|------------|-------|
| 185.176.27.12 | OVH (France) | 2024-02-15 | Shared hosting; many other malicious sites observed |
| 45.14.152.101 | Cloudflare CDN | 2024-06-02 | Reverse proxy used for URL masking |

```yara
rule SXYPRN_Malicious_Dropper
{
    meta:
        description = "Detects the Emotet-derived dropper delivered by sxyprn.com"
        author = "Threat Intel Team"
        date = "2026-04-10"
    strings:
        $url = "sxyprn.com%2A" nocase
        $api = "https://sxyprn.com%2A/api/steal" nocase
    condition:
        // PE check: "MZ" magic at offset 0 and the "PE\0\0" signature at the
        // offset stored in e_lfanew (0x3C). The original fixed-offset byte
        // pattern (4D 5A ?? ?? ?? ?? 00 00 00 00 50 45 00 00) assumed the PE
        // signature sits at offset 10, which real PE files do not satisfy.
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        $url and $api
}
```
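To show why the rule's PE check has to follow e_lfanew rather than a fixed offset, the following added example (not part of the report, and not the team's own tooling) implements both checks in Python and runs them over a constructed minimal DOS header + PE signature laid out the way compilers emit it. The sample bytes and helper names are constructed for illustration.

```python
# Added example: fixed-offset "PE header" pattern vs. the e_lfanew-based check.
# Sample bytes below are constructed, not taken from any real binary.
import struct


def matches_fixed_pattern(buf: bytes) -> bool:
    """Original rule's byte pattern: 4D 5A ?? ?? ?? ?? 00 00 00 00 50 45 00 00."""
    if len(buf) < 14 or buf[0:2] != b"MZ":
        return False
    return buf[6:10] == b"\x00\x00\x00\x00" and buf[10:14] == b"PE\x00\x00"


def is_pe(buf: bytes) -> bool:
    """Equivalent of YARA's uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550."""
    if len(buf) < 0x40 or struct.unpack_from("<H", buf, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 4 > len(buf):          # signature must lie inside the buffer
        return False
    return struct.unpack_from("<I", buf, e_lfanew)[0] == 0x00004550


def build_minimal_pe(e_lfanew: int = 0x40) -> bytes:
    """Constructed DOS header followed by a PE signature at e_lfanew.

    Real headers carry a non-zero e_cparhdr at offset 8, which already breaks the
    fixed-offset pattern's run of four zero bytes at offsets 6..9.
    """
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<H", dos, 8, 4)            # e_cparhdr = 4 header paragraphs
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # pointer to "PE\0\0"
    stub = b"\x00" * (e_lfanew - 0x40)           # DOS stub padding, if any
    return bytes(dos) + stub + b"PE\x00\x00" + b"\x00" * 20  # COFF header placeholder


if __name__ == "__main__":
    sample = build_minimal_pe(0x80)
    print("fixed-offset pattern:", matches_fixed_pattern(sample))  # False
    print("e_lfanew check:      ", is_pe(sample))                   # True
```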