1. Home
  2. Software
  3. FYAnti

FYAnti

FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.[1]

ID: S0628
Associated Software: DILLJUICE stage2
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 22 June 2021
Last Modified: 11 October 2021

Associated Software Descriptions

Name Description
DILLJUICE stage2

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

FYAnti has the ability to decrypt an embedded .NET module.[1]
Enterprise T1083 File and Directory Discovery

FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.[1]
Enterprise T1105 Ingress Tool Transfer

FYAnti can download additional payloads to a compromised host.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

FYAnti has used ConfuserEx to pack its .NET module.[1]

Groups That Use This Software

ID Name References
G0045 menuPass

[1]

References

  1. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.