S0628 FYAnti
FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT.1
| Item | Value |
|---|---|
| ID | S0628 |
| Associated Names | DILLJUICE stage2 |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 June 2021 |
| Last Modified | 11 October 2021 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| DILLJUICE stage2 | 1 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1140 | Deobfuscate/Decode Files or Information | FYAnti has the ability to decrypt an embedded .NET module.1 |
| enterprise | T1083 | File and Directory Discovery | FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.1 |
| enterprise | T1105 | Ingress Tool Transfer | FYAnti can download additional payloads to a compromised host.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | FYAnti has used ConfuserEx to pack its .NET module.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0045 | menuPass | 1 |