
Malware using winapi can be detected by AV after being decrypted/executed by the crypter?

3c2n90yt57489t3y8794 (title: RAID array; User; registered 01.09.2020; 66 posts; 5 reactions)
Hello, I'm a beginner about AV evasion. I developed my crypter and my malware both in C. The malware uses some winapi and the crypter uses ntdll calls to avoid AV detections.
1) Can the malware be blocked by the AV after its decryption and execution (done by the crypter) because of the winapi call used by the malware? If not, exactly why?
2) Should a malware decrypted and executed in memory be blocked only by the behavioral analysis? Can AV know what api are called after the memory execution?
 
Please note that this user is banned.
1) Can the malware be blocked by the AV after its decryption and execution (done by the crypter) because of the winapi call used by the malware? If not, exactly why?
It can, even if it is not WinAPI but ntdll calls or syscalls. That is simply behavioral detection.
2) Should a malware decrypted and executed in memory be blocked only by the behavioral analysis? Can AV know what api are called after the memory execution?
Of course the AV knows what is being called. There can be hooks in user mode; if you bypass them, they still exist in the kernel, though in far smaller numbers.
 
Please note that this user is banned.
Hello, I'm a beginner about AV evasion. I developed my crypter and my malware both in C. The malware uses some winapi and the crypter uses ntdll calls to avoid AV detections.
1) Can the malware be blocked by the AV after its decryption and execution (done by the crypter) because of the winapi call used by the malware? If not, exactly why?
2) Should a malware decrypted and executed in memory be blocked only by the behavioral analysis? Can AV know what api are called after the memory execution?

I will answer your questions 1 by 1.

1) Yes, the AV can detect the malware after decryption if you are decrypting the malware in the wrong way. Also, you need to remember that the malware, when unencrypted, is naked in memory, and AV/EDR can do a memory scan if it suspects your process.

You can also see the decrypted malware using Process Hacker: if you use CMD and print the address of the memory that holds the unencrypted payload, then you can see it easily.

2) Most of the time the behavior shield runs a memory scan if it detects an unusual action, such as when you click an exe and it instantly downloads files from the internet and drops them to the desktop, or instantly manipulates the Windows registry.
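The point above, that an at-rest encryption layer only defeats byte-signature matching on the file while the decrypted buffer is fully exposed to a memory scan, can be illustrated with a small scanner. This is an added example, not code from the forum post or from any AV product; the signature bytes, the XOR key and the payload bytes are all constructed placeholders.

```python
import re

# Constructed placeholder signature in the style of a byte-pattern rule
# (not a real AV signature): a stack-frame setup followed within 8 bytes
# by an indirect call.
SIGNATURES = {
    "constructed-sig-1": re.compile(rb"\x48\x83\xec\x28.{0,8}\xff\xd0", re.S),
}

def xor_transform(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR, the kind of at-rest transform a simple stub applies."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def scan_regions(regions: dict) -> list:
    """Run every signature over every region given; return (region, signature) hits.
    Real memory scanners do the same over a process's readable regions."""
    hits = []
    for region_name, data in regions.items():
        for sig_name, pattern in SIGNATURES.items():
            if pattern.search(data):
                hits.append((region_name, sig_name))
    return hits

# Constructed sample payload bytes that contain the pattern the rule looks for.
PAYLOAD = b"\x90" * 4 + b"\x48\x83\xec\x28\x48\x31\xc0\xff\xd0" + b"\x90" * 4
KEY = b"\x5a\xa5"  # constructed key

def at_rest_vs_in_memory():
    """Compare scan results for the file on disk and for the running process."""
    encrypted = xor_transform(PAYLOAD, KEY)
    # On disk only the transformed blob exists: no signature hit.
    on_disk = {"stub.exe .data": encrypted}
    # In memory the stub has written the plaintext into an executable region.
    in_memory = {
        "stub.exe .data": encrypted,
        "RWX heap region": xor_transform(encrypted, KEY),  # XOR is its own inverse
    }
    return scan_regions(on_disk), scan_regions(in_memory)

if __name__ == "__main__":
    disk_hits, memory_hits = at_rest_vs_in_memory()
    print("on disk:", disk_hits)       # []
    print("in memory:", memory_hits)   # [('RWX heap region', 'constructed-sig-1')]
```

The same idea is why memory-scan triggers (a new RWX region, a suspicious API sequence) matter more to a defender than the file's static appearance.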
 
Hello, I'm a beginner about AV evasion. I developed my crypter and my malware both in C. The malware uses some winapi and the crypter uses ntdll calls to avoid AV detections.
1) Can the malware be blocked by the AV after its decryption and execution (done by the crypter) because of the winapi call used by the malware? If not, exactly why?
2) Should a malware decrypted and executed in memory be blocked only by the behavioral analysis? Can AV know what api are called after the memory execution?
Firstly, I think your question can be answered by doing a little research on the forum. There are many articles that cover topics that answer your question.

Secondly, the fundamental working principle for "crypters" where the stub is encrypted and decrypted in memory and uses a suspended process is not enough to bypass even windows defender. That method and all methods you have described will only bypass static detection. To bypass runtime detection, IN MY OPINION you must be able to obfuscate the payload itself and not just wrap it around a bubble.

Thirdly, when making direct calls using NTDLL, avoid using known, heavily flagged patterns like GetProcAddress/LoadLibrary style code or GitHub projects such as SysWhispers. Most of these are heavily flagged.
Overall, you just have to try out a lot of things and determine what works for you; no one can provide a sure pattern to bypass AV engines.
 
Thirdly, when making direct calls using NTDLL, avoid using known, heavily flagged patterns like GetProcAddress/LoadLibrary style code or GitHub projects such as SysWhispers. Most of these are heavily flagged.
Overall, you just have to try out a lot of things and determine what works for you; no one can provide a sure pattern to bypass AV engines.
A curious thing about this is that API hashing still works; it will not bypass everything, but it's usually enough to not get the executable flagged directly by static analysis.
 
Please note that this user is banned.
You can read my tutorials on the forum; there are 2 parts and the 3rd is coming soon.
PART 1 : http://xss.pro/threads/97133/
PART 2 : http://xss.pro/threads/98026/

In Part, and important for you: how to create your own custom WinAPI functions, hash the API and remove all strings.