New Query: TimbreStealer Install Paths THR-2772/ Bug 2679082

Cisco-Talos · Mar 1, 2024 · bcac9f8 · bcac9f8
1 parent d2e7f14
commit bcac9f8
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 0 deletions.
diff --git a/packs/win_malware.conf b/packs/win_malware.conf
@@ -1762,6 +1762,15 @@
             "platform": [
                 "windows"
             ]
+        },
+        "TimbreStealer Install Path": {
+            "query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch','UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time FROM file f JOIN hash h ON f.path = h.path WHERE ( f.path = 'C:\Windows\Installer\{1737AB55-BEDD-659D-7BD3-BB35D6A6342D}\ApplicationIcon.ico' and f.size > 2000000 ) or ( f.path like '\Windows\AddressP\Cecujujajofubo475.dll'  and f.size > 1000000 ) ORDER BY mtime DESC LIMIT 5;",
+            "interval": 86400,
+            "snapshot": true,
+            "description": "Files associated with the TimbreStealer malware were detected. TimbreStealer largely targets Latin American countries and is commonly distributed through spam campaigns. The main goal of this of malware is finacially motivated information theft.",
+            "platform": [
+                "windows"
+            ]
         }
     }
 }
diff --git a/win_malware/timbrestealer_install_paths.yaml b/win_malware/timbrestealer_install_paths.yaml
@@ -0,0 +1,38 @@
+TimbreStealer Install Path:
+description:     Files associated with the TimbreStealer malware were detected. TimbreStealer
+    largely targets Latin American countries and is commonly distributed through spam campaigns. 
+    The main goal of this of malware is finacially motivated information theft.
+query:  SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size,
+        DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch',
+        'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time,
+        DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time FROM file f JOIN hash h
+        ON f.path = h.path 
+        WHERE 
+        (
+           f.path = "C:\Windows\Installer\{1737AB55-BEDD-659D-7BD3-BB35D6A6342D}\ApplicationIcon.ico"
+           and f.size > 2000000
+        )
+        or
+        (
+           f.path like "\Windows\AddressP\Cecujujajofubo475.dll"
+           and f.size > 1000000
+        )
+        ORDER BY mtime DESC LIMIT 5;
+interval: 86400
+snapshot: true
+references:
+- 5EFA99B3CB17BEC76FEC2724BCFCC6423D0231BBA9CF9C1AED63005E4C3C2875
+mitre_tactics:
+- Initial Access: TA0001
+- Execution: TA0002 
+- Persistence: TA0003
+- Defense Evasion: TA0005
+mitre_techniques:
+- Debugger Evasion: T1622
+- Deobfuscate/Decode Files or Information: T1140
+- Execution Guardrails: T1480
+- Gather Victim Identity Information: T1589
+- Native API: T1106 
+- Obfuscated Files or Information: T1027 
+platform:
+- windows