Posted June 30, 2018
Hi, does anyone have a list of sequences or numbers of repetitive malicious API functions for identifying unknown malware? For example, a list of the API function sequences used in viruses, worms, etc. If not, how can it be reached?
July 1, 2018
Not all APIs are malicious, but looking for things like CreateFile in the temp folder, then writing to it and closing the handle, and then doing a CreateProcess / ShellExecute on it could be something worth flagging, for example. To be effective you need a little bit more than just a blacklist of API sequences. Or do you mean the list of APIs (imports) in the executable? If this is what you mean, google for 'imphash'.
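The drop-then-execute sequence described in the reply above (CreateFile under the temp folder, WriteFile, CloseHandle, then CreateProcess/ShellExecute on the same path), written out as a small detection pass over an API call trace. This is an added example, not code from the thread or from any sandbox product; the trace line format `Api(arg1, arg2, ...) -> retval` and the sample trace itself are constructed for illustration, and the temp-folder markers and API name sets are assumptions a practitioner would tune to their own tracing tool.

```python
import re
from typing import Dict, List, NamedTuple, Set


class ApiCall(NamedTuple):
    api: str
    args: List[str]
    ret: str


# Constructed sample trace (not real sandbox output). The assumed line format is
#   Api(arg1, arg2, ...) -> return_value
# The first five lines are the drop-and-execute chain; the rest are benign writes
# (a document outside temp, and a temp file that is written but never executed).
SAMPLE_TRACE = """\
CreateFileW(C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe, GENERIC_WRITE) -> 0x1a4
WriteFile(0x1a4, 4096) -> 1
WriteFile(0x1a4, 2048) -> 1
CloseHandle(0x1a4) -> 1
CreateProcessW(C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe) -> 1
CreateFileW(C:\\Users\\bob\\Documents\\notes.txt, GENERIC_WRITE) -> 0x1b0
WriteFile(0x1b0, 120) -> 1
CloseHandle(0x1b0) -> 1
CreateFileW(C:\\Users\\bob\\AppData\\Local\\Temp\\log.tmp, GENERIC_WRITE) -> 0x1c8
WriteFile(0x1c8, 64) -> 1
CloseHandle(0x1c8) -> 1
"""

CALL_RE = re.compile(r"^(\w+)\((.*)\) -> (\S+)$")

# Assumed markers for "the temp folder"; adjust for the environment being traced.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
CREATE_FILE_APIS = {"createfilea", "createfilew"}
EXEC_APIS = {
    "createprocessa", "createprocessw",
    "shellexecutea", "shellexecutew",
    "shellexecuteexa", "shellexecuteexw",
}


def parse_trace(text: str) -> List[ApiCall]:
    """Parse the constructed trace format into ApiCall records."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CALL_RE.match(line)
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        api, raw_args, ret = m.groups()
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(api, args, ret))
    return calls


def _in_temp(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def detect_drop_and_execute(calls: List[ApiCall]) -> List[str]:
    """Return paths that were created for writing under temp, written, closed,
    and then passed to a process-creation API. Handles are tracked so that the
    write and the close are tied to the specific CreateFile that opened them."""
    open_handles: Dict[str, str] = {}   # handle -> path opened for writing in temp
    written: Set[str] = set()           # handles that received at least one WriteFile
    dropped: Set[str] = set()           # lowercased paths fully written and closed
    flagged: List[str] = []
    for call in calls:
        api = call.api.lower()
        if api in CREATE_FILE_APIS and len(call.args) >= 2:
            path, access = call.args[0], call.args[1]
            if _in_temp(path) and "WRITE" in access.upper():
                open_handles[call.ret] = path
        elif api == "writefile" and call.args and call.args[0] in open_handles:
            written.add(call.args[0])
        elif api == "closehandle" and call.args:
            handle = call.args[0]
            if handle in open_handles:
                if handle in written:
                    dropped.add(open_handles[handle].lower())
                # Forget the handle: the OS may reuse the same value later.
                del open_handles[handle]
                written.discard(handle)
        elif api in EXEC_APIS and call.args:
            if call.args[0].lower() in dropped:
                flagged.append(call.args[0])
    return flagged


if __name__ == "__main__":
    for path in detect_drop_and_execute(parse_trace(SAMPLE_TRACE)):
        print("drop-and-execute from temp:", path)
```

Only the `upd.exe` chain is reported; the document write outside temp and the temp file that is never executed both stay silent, which is the point the reply makes: a single API on a blacklist is not a signal, the ordered sequence tied to one handle and one path is.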
July 7, 2018
Maybe this can help: https://github.com/NtRaiseHardError/UnRunPE/blob/master/UnRunPE/UnRunPE/static.cpp#L11