Infostealer
Sysraw Stealer
aka Clipsa
Sysraw stealer got its name because at some point it was started as "ZSysRaw\sysraw.exe". PDB strings suggest the name "Clipsa", though. The first stage connects to /WPCoreLog/, the second to /WPSecurity/. Its behavior suggests that it is an info stealer: it creates a rather large number of files, named "1?[-+].dat", in a subdirectory (e.g. data) and POSTs them.
Family metadata imported from Malpedia (Fraunhofer FKIE).