A forum for reverse engineering, OS internals and malware analysis 

 #26743  by DMEW
 Wed Sep 16, 2015 6:07 pm
Could anyone tell me generally how AV works at the level of scanning the Import Table? For example, I would assume an exe with import table of

VirtualAlloc,
WriteProcessMemory,
getprocaddress,
loadlibrary,
w32_Connect

would be flagged by AV. However, I'm not sure, because I have a pretty generic malware that has this but is not flagged by some major vendors. Can anyone share insight into typical rules that AV does not like in exe/dlls? (For example: which imports raise suspicion?)
 #26752  by EP_X0FF
 Thu Sep 17, 2015 7:50 am
URLDownloadToFile, CreateProcess -> compile this and use VT. You will have some results :)
 #26755  by r3shl4k1sh
 Thu Sep 17, 2015 6:04 pm
WriteProcessMemory
ReadProcessMemory
CreateRemoteThread
VirtualAllocEx
EnumProcesses
CreateToolhelp32Snapshot

But I doubt you will be able to get AVs from "major vendors" to flag the file based only on suspicious imports from the Import Table.
Anyway most of the time the imports should actually be used in the code and not just artificially added to the import table.
 #26757  by Fulrem
 Fri Sep 18, 2015 12:26 am
CreateProcess with the CREATE_SUSPENDED flag is usually pretty suspicious as you then expect to see process hollowing, though you do need to be careful with any kind of trick as legit apps start using them at times. IIRC Armadillo packer started using this one a few years back.
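As an added illustration of the point the replies make (a lone suspicious import proves little, a complete capability chain is what a scanner weighs), here is a small Python scorer over an already-extracted import list. It is example code written for this thread, not any poster's or any AV product's logic; the capability groups and weights are my own assumptions built from the APIs named above, and the import lists are constructed, not taken from real samples.

```python
# Capability-chain heuristic over a PE's import names (example, not AV code).
# Input is the list of imported function names a PE parser would hand back;
# the lists at the bottom are constructed inline so this runs offline.

# Assumed groups, built only from the APIs named in this thread.
CAPABILITIES = {
    "remote-injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "process-enumeration": {"EnumProcesses", "CreateToolhelp32Snapshot"},
    "download-and-execute": {"URLDownloadToFile", "CreateProcess"},
    "dynamic-resolution": {"GetProcAddress", "LoadLibrary"},
}


def normalize(name):
    """Map 'LoadLibraryW', 'loadlibrary', 'CreateProcessA' to one key.
    Imports by ordinal carry no name and are skipped (returns None)."""
    if name.lower().startswith("ordinal"):
        return None
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]  # drop the ANSI/Unicode suffix
    return name.lower()


CANON = {cap: {normalize(f) for f in funcs} for cap, funcs in CAPABILITIES.items()}


def score_imports(imports):
    """Return (score, matched_capabilities).

    A capability counts only when every API in its chain is present, so a
    debugger importing WriteProcessMemory alone scores nothing. Dynamic
    resolution (LoadLibrary + GetProcAddress) is ordinary on its own and only
    adds weight next to another chain, as a hint that more is resolved at
    run time than the table shows."""
    present = {normalize(i) for i in imports} - {None}
    matched = sorted(cap for cap, funcs in CANON.items() if funcs <= present)
    score = sum(3 for cap in matched if cap != "dynamic-resolution")
    if score and "dynamic-resolution" in matched:
        score += 1
    return score, matched


# Constructed import lists (not from real files).
INJECTOR_LIKE = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                 "LoadLibraryA", "GetProcAddress", "ordinal 5"]
DEBUGGER_LIKE = ["WriteProcessMemory", "ReadProcessMemory", "CreateFileW", "MessageBoxW"]

if __name__ == "__main__":
    for label, imps in (("injector-like", INJECTOR_LIKE), ("debugger-like", DEBUGGER_LIKE)):
        print(label, score_imports(imps))
```

Fulrem's CREATE_SUSPENDED case is invisible here: it is a flag value passed at run time, so an import-table scanner cannot see it and a disassembly or behavioural check is needed.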