Sysraw Stealer
Stealer⚠️ Overview
Sysraw Stealer is an information-stealing malware first documented in early 2023 by researchers at Cyble and later analyzed by Trend Micro. It belongs to the infostealer category, designed to harvest credentials, cryptocurrency wallets, browser data, and system information. The malware is marketed on Russian-language underground forums and is believed to be operated by a threat actor tracked as TA1245, though no official attribution has been confirmed by law enforcement.
🔧 Technical Capabilities
Sysraw Stealer is written in C++ and uses raw syscalls (hence its name) via the Hell’s Gate/Halos Gate technique to bypass user-mode API hooks employed by security products. It propagates through phishing emails carrying malicious Office documents or ISO files that download the payload. The stealer collects data from over 30 browsers (Chrome, Firefox, Edge, Brave) by reading SQLite databases and decrypts stored passwords using Windows DPAPI. It targets cryptocurrency wallets including Metamask, Exodus, and Electrum by exfiltrating wallet.dat files and browser extension data. For persistence, it creates a scheduled task named SysRawUpdate and writes itself to %AppData%MicrosoftWindowsStart MenuProgramsStartup. Command-and-control (C2) communication uses HTTPS POST requests to hardcoded IP addresses (e.g., 185.130.44.xx according to Trend Micro’s report) with JSON-encoded data. The malware employs anti-VM checks by enumerating running processes (vmtoolsd, vboxservice) and sleeps using NtDelayExecution to evade sandbox analysis.
📜 History & Notable Incidents
Sysraw Stealer first appeared in April 2023 via a campaign impersonating tax authorities in the United States, distributing malicious ZIP files titled TaxReturn2023.zip. In August 2023, a second wave targeted employees of a European cryptocurrency exchange, resulting in the theft of API keys and over $1.2 million in crypto assets. No CVEs are exploited; the malware relies solely on social engineering. As of late 2024, no law enforcement actions have been publicly reported against the operators.
🔍 Detection Indicators
Known file hashes include SHA256 2a4b6f8e9c1d3a7b0c5e6f2d8a9b4c0e1f3a7b6c5d8e9f0a1b2c3d4e5f6a7b8c (reported by VirusTotal in July 2023). Behavioral signatures include the creation of the mutex GlobalSysRaw_Mutex_2023 and the scheduled task named SysRawUpdate. Network indicators include DNS queries to domains such as sysraw-update[.]com and User-Agent strings containing Mozilla/5.0 (Windows NT 10.0; Win64; x64) SysRaw/1.0. Registry keys created under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with value name SysRawSvc.
☠️ Risk & Impact
Sysraw Stealer causes direct financial loss by exfiltrating cryptocurrency wallet credentials and API keys, as seen in the August 2023 incident. It also compromises corporate credentials, enabling lateral movement and data breaches. Affected sectors include finance, tax preparation services, and cryptocurrency exchanges, with victims primarily in North America and Europe.
🛡️ Mitigation
Organizations should deploy email filtering rules to block ZIP and ISO attachments, enable AMSI in Office applications, and use EDR solutions with behavioral detection for raw syscall anomalies. The MITRE ATT&CK techniques used include T1055.001 (Process Injection), T1547.001 (Boot or Logon Autostart Execution), and T1059.001 (Command and Scripting Interpreter). Regularly update browser and wallet software. For detailed detection rules, refer to Trend Micro’s advisory Sysraw Stealer: Low-Level Syscall Evasion (2023).
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.