FYAnti

FYAnti is a loader that has been used bymenuPass since at least 2020, including to deployQuasarRAT.^[1]

ID: S0628

ⓘ

Associated Software: DILLJUICE stage2

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 22 June 2021

Last Modified: 25 April 2025

Associated Software Descriptions

Name	Description
DILLJUICE stage2	^[1]

Domain	ID		Name	Use
Enterprise	T1140		Deobfuscate/Decode Files or Information	FYAnti has the ability to decrypt an embedded .NET module.^[1]
Enterprise	T1083		File and Directory Discovery	FYAnti can search the`C:\Windows\Microsoft.NET\` directory for files of a specified size.^[1]
Enterprise	T1105		Ingress Tool Transfer	FYAnti can download additional payloads to a compromised host.^[1]
Enterprise	T1027	.002	Obfuscated Files or Information:Software Packing	FYAnti has used ConfuserEx to pack its .NET module.^[1]

ID	Name	References
G0045	menuPass	^[1]