FYAnti

FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.[1]

ID: S0628
Associated Software: DILLJUICE stage2
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 June 2021
Last Modified: 11 October 2021

Associated Software Descriptions

Name Description
DILLJUICE stage2

[1]

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

FYAnti has the ability to decrypt an embedded .NET module.[1]

Enterprise T1083 File and Directory Discovery

FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.[1]

Enterprise T1105 Ingress Tool Transfer

FYAnti can download additional payloads to a compromised host.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

FYAnti has used ConfuserEx to pack its .NET module.[1]

Groups That Use This Software

ID Name References
G0045 menuPass

[1]

References