| Tactic | Technique | Details |
| --- | --- | --- |
| Execution | User Execution: Malicious File (T1204.002) | A user downloads and executes a malicious .hta file |
| Execution | Command and Scripting Interpreter: Visual Basic (T1059.005) | The .hta file contains a malicious VBScript function |
| Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | The VBScript executes PowerShell to download a PowerShell script |
| Command and Control | Ingress Tool Transfer (T1105) | The PowerShell script downloads an additional .NET loader |
| Defense Evasion | Reflective Code Loading (T1620) | The PowerShell script executes the loader reflectively |
| Defense Evasion | Process Injection (T1055) | The .NET loader injects into the RegAsm.exe process |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) | Atlantida steals stored browser data such as passwords, cookies, tokens, credit cards and autofill entries |
| Credential Access | Credentials from Password Stores (T1555) | Atlantida steals offline cryptocurrency wallet data and data from other software |
| Discovery | System Information Discovery (T1082) | Atlantida collects the victim's hardware information |
| Collection | Screen Capture (T1113) | Atlantida captures the victim's screen |
| Exfiltration | Exfiltration Over C2 Channel (T1041) | Atlantida exfiltrates all collected data |
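The execution chain in the table (mshta running the .hta, its VBScript spawning PowerShell, the reflectively loaded .NET loader targeting RegAsm.exe) is visible in process-creation telemetry. The following is an added detection example, not code from the original report; it assumes Sysmon-style parent/child fields and assumes RegAsm.exe is spawned by the PowerShell process as the injection target, and the events it runs over are constructed samples.

```python
"""Flag the mshta -> powershell -> RegAsm.exe process ancestry from the ATT&CK table above."""

# Parent/child image pairs that make up the chain (T1059.005 -> T1059.001 -> T1620/T1055).
SUSPICIOUS_CHAIN = [
    ("mshta.exe", "powershell.exe"),   # .hta VBScript launching PowerShell
    ("powershell.exe", "regasm.exe"),  # assumption: loader spawns RegAsm.exe before injecting into it
]

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_pairs(events):
    """Return (parent_pid, child_pid, pair) for every suspicious parent/child pair."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        pair = (basename(parent["image"]), basename(e["image"]))
        if pair in SUSPICIOUS_CHAIN:
            hits.append((parent["pid"], e["pid"], pair))
    return hits


def full_chains(events):
    """Return pid lists for each complete mshta -> powershell -> RegAsm ancestry."""
    by_pid = {e["pid"]: e for e in events}
    expected = [SUSPICIOUS_CHAIN[0][0]] + [child for _, child in SUSPICIOUS_CHAIN]
    chains = []
    for e in events:
        path = [e]
        # Walk up the ancestry as far as the chain is long.
        while len(path) < len(expected) and path[-1]["ppid"] in by_pid:
            path.append(by_pid[path[-1]["ppid"]])
        names = [basename(p["image"]) for p in reversed(path)]
        if names == expected:
            chains.append([p["pid"] for p in reversed(path)])
    return chains
```

A lone powershell.exe under explorer.exe (pid 500) matches neither pair, so only the full mshta-rooted chain is reported.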

IOCs

| IOC | SHA-256 | Notes |
| --- | --- | --- |
| ReadEra_v1.4.2.hta | 67b8776b9d8f581173bcb471e91ff1701cafbc92aaed858fe3cb26a31dd6a6d8 | Malicious .hta file |
| http://166.1.160[.]10/loader.txt | | Malicious PowerShell script |
| http://166.1.160[.]10/www_c.bin | f935143dba2fb65eef931c1dac74a740e58e9e911a13457f4cfa4c73a0c673b3 | Stores .NET loader |
| http://166.1.160[.]10/www.bin | 350216884486d1fafbd60e1d9c87c48149b058e4fab6b9a2a5cd7ea67ab250a0 | Stores Donut shellcode |
| AtlantidaStealer.exe | b4f4d51431c4e3f7aeb01057dc851454cff4e64d16c05d9da12dfb428715d130 | Atlantida stealer |
| 45.144.232[.]99 | | C&C server |