diff --git a/packs/win_malware.conf b/packs/win_malware.conf
index 83b831b..b3b5edb 100644
--- a/packs/win_malware.conf
+++ b/packs/win_malware.conf
@@ -1762,6 +1762,15 @@
 "platform": [
 "windows"
 ]
+ },
+ "TimbreStealer Install Path": {
+ "query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch','UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time FROM file f JOIN hash h ON f.path = h.path WHERE ( f.path = 'C:\Windows\Installer\{1737AB55-BEDD-659D-7BD3-BB35D6A6342D}\ApplicationIcon.ico' and f.size > 2000000 ) or ( f.path like '\Windows\AddressP\Cecujujajofubo475.dll' and f.size > 1000000 ) ORDER BY mtime DESC LIMIT 5;",
+ "interval": 86400,
+ "snapshot": true,
+ "description": "Files associated with the TimbreStealer malware were detected. TimbreStealer largely targets Latin American countries and is commonly distributed through spam campaigns. The main goal of this of malware is finacially motivated information theft.",
+ "platform": [
+ "windows"
+ ]
 }
 }
 }
diff --git a/win_malware/timbrestealer_install_paths.yaml b/win_malware/timbrestealer_install_paths.yaml
new file mode 100644
index 0000000..7cd94c8
--- /dev/null
+++ b/win_malware/timbrestealer_install_paths.yaml
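Review bot: The second branch of the added query's WHERE, `f.path like '\Windows\AddressP\Cecujujajofubo475.dll'`, carries no wildcard and no drive letter, so it is effectively an exact match on a drive-relative path; unless osquery's `file` table resolves such paths on Windows (confirm on a host), that branch never returns rows and the rule silently covers only the installer icon. Make it match the first branch's form, `f.path = 'C:\Windows\AddressP\Cecujujajofubo475.dll'`, or use a `%` drive prefix if a drive-agnostic match is intended. `ORDER BY mtime` should be qualified as `ORDER BY f.mtime DESC` since the query joins two tables. If the conf file really holds single backslashes (the collapsed view may have dropped the doubling), `\W` and `\{` are invalid JSON escapes and the pack will fail to parse. The same query and description are repeated in the yaml hunk below, so the fix applies there too.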
@@ -0,0 +1,38 @@
+TimbreStealer Install Path:
+description: Files associated with the TimbreStealer malware were detected. TimbreStealer
+ largely targets Latin American countries and is commonly distributed through spam campaigns.
+ The main goal of this of malware is finacially motivated information theft.
+query: SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size,
+ DATETIME(f.atime, 'unixepoch','UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch',
+ 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time,
+ DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time FROM file f JOIN hash h
+ ON f.path = h.path
+ WHERE
+ (
+ f.path = "C:\Windows\Installer\{1737AB55-BEDD-659D-7BD3-BB35D6A6342D}\ApplicationIcon.ico"
+ and f.size > 2000000
+ )
+ or
+ (
+ f.path like "\Windows\AddressP\Cecujujajofubo475.dll"
+ and f.size > 1000000
+ )
+ ORDER BY mtime DESC LIMIT 5;
+interval: 86400
+snapshot: true
+references:
+- 5EFA99B3CB17BEC76FEC2724BCFCC6423D0231BBA9CF9C1AED63005E4C3C2875
+mitre_tactics:
+- Initial Access: TA0001
+- Execution: TA0002
+- Persistence: TA0003
+- Defense Evasion: TA0005
+mitre_techniques:
+- Debugger Evasion: T1622
+- Deobfuscate/Decode Files or Information: T1140
+- Execution Guardrails: T1480
+- Gather Victim Identity Information: T1589
+- Native API: T1106
+- Obfuscated Files or Information: T1027
+platform:
+- windows
\ No newline at end of file
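Review bot: The path literals in this file's query are double-quoted (`"C:\Windows\Installer\...\ApplicationIcon.ico"`, `"\Windows\AddressP\Cecujujajofubo475.dll"`) while the conf entry above uses single quotes; SQLite treats double-quoted tokens as identifiers and only falls back to string literals under the legacy `SQLITE_DQS` behaviour, so if osquery's build disables it these comparisons fail with an unknown-column error. Use single quotes here, as the conf does. The `references` list holds only a bare SHA-256 with no pointer to where it came from; keep the hash as the sample indicator but add the published analysis it was taken from as the reference (`[report URL placeholder]`). The description has two typos, `this of malware` → `this malware` and `finacially` → `financially`, also present in the conf entry.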