0xnhl

PeStudio


PeStudio is a tool for finding suspicious artifacts in executable files, to speed up the initial malware assessment. With it, an analyst can quickly spot the functionality that malware authors commonly rely on.

  • It is used for static analysis: studying an executable's properties without running it.

  • https://www.winitor.com/

  • First, we will launch PeStudio and load the executable into it.

  • You can drag and drop the executable into the PeStudio window, or load it by selecting File -> Open File from the toolbar. PeStudio will then display information about the executable.

  • The file > sha256 property in the table is of interest. This value is a cryptographic hash that uniquely identifies the executable. We can note this SHA256 down as threat intelligence.

  • Next, review the "strings" of the executable. You can do this by clicking on the "strings" indicator in the left pane of PeStudio.

  • The file's entropy value indicates only a remote chance of packing or encryption, techniques that are typical of malicious software.

  • The absence of a rich header indicates that the file is potentially packed or obfuscated to avoid detection by static analysis tools. This is typical behaviour of sophisticated malware, which tries to evade detection by altering critical sections of its PE file.

  • The functions tab lists the API calls that the file imports, also known as the IAT (Import Address Table). Clicking on the blacklist tab makes PeStudio sort the APIs, moving all blacklisted functions to the top. This is useful because it helps us understand how the malware may behave once it compromises a host.

    • set_UseShellExecute: This function allows the process to use the operating system's shell to execute other processes. It is often seen in malware that spawns additional processes to carry out malicious actions.
    • CryptoStream, RijndaelManaged, CipherMode, CreateDecryptor: These APIs indicate that the executable uses cryptographic functions, specifically Rijndael (AES encryption). Malware may use cryptography to encrypt communication and files, or even to implement ransomware functionality.
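As an added example (not from the original post and not PeStudio's own code), the Python script below reproduces the triage steps above on a constructed sample: it hashes the file with SHA-256, extracts printable strings, computes Shannon entropy, checks for the Rich header, and walks the import directory to list the IAT, flagging names against a small blacklist. Everything in it is constructed: build_sample_pe() assembles a minimal PE32 image in memory (it is not a runnable program, only enough structure for a parser to read), BLACKLIST is a hypothetical subset rather than PeStudio's list, and the URL and mutex strings are placeholders. The indicators named on the page (set_UseShellExecute, RijndaelManaged and friends) are .NET method references stored in the assembly's CLR metadata; the native import table parsed here is the IAT the text refers to, which for a .NET binary would normally hold little more than _CorExeMain.

```python
import hashlib
import math
import re
import struct

# Constructed subset of the kind of API names PeStudio's blacklist flags (hypothetical list).
BLACKLIST = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "CryptEncrypt", "WinExec"}

def build_import_section(base_rva, imports):
    """Lay out IMAGE_IMPORT_DESCRIPTORs, then hint/name entries, name tables (INT) and DLL names."""
    desc_size = 20 * (len(imports) + 1)               # descriptors plus all-zero terminator
    blob, descriptors = bytearray(), b""
    for dll, funcs in imports.items():
        name_rvas = []
        for func in funcs:                            # 2-byte hint + name + NUL, kept 2-aligned
            name_rvas.append(base_rva + desc_size + len(blob))
            blob += struct.pack("<H", 0) + func.encode() + b"\0" * (2 - len(func) % 2)
        blob += b"\0" * (-len(blob) % 4)              # 4-aligned import name table
        int_rva = base_rva + desc_size + len(blob)
        blob += struct.pack("<%dI" % (len(name_rvas) + 1), *name_rvas, 0)
        dll_rva = base_rva + desc_size + len(blob)
        blob += dll.encode() + b"\0"
        descriptors += struct.pack("<5I", int_rva, 0, 0, dll_rva, int_rva)  # OFT, stamp, fwd, name, FT
    return descriptors + bytes(20) + bytes(blob)

def build_sample_pe(with_rich=True):
    """Constructed minimal PE32 image (not a real program): .text, .idata, two imported DLLs."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x80)                # e_lfanew = 0x80
    stub = (b"DanS" + bytes(16) + b"Rich\xaa\xbb\xcc\xdd") if with_rich else b""
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)    # i386, 2 sections
    opt = struct.pack("<HBB9I6H4I2H6I", 0x10B, 14, 0, 0x200, 0x200, 0, 0x1000, 0x1000,
                      0x2000, 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000,
                      0x200, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    idata = build_import_section(0x2000, {
        "KERNEL32.dll": ["CreateFileA", "WriteProcessMemory", "CreateRemoteThread"],
        "ADVAPI32.dll": ["CryptEncrypt", "RegOpenKeyExA"]})
    dirs = [0, 0, 0x2000, len(idata)] + [0] * 28                      # data directory 1 = imports
    text = b"\x55\x8b\xec" + b"http://example.invalid/update\0Global\\ExampleMutex\0"
    def sec(name, vaddr, raw, ptr, flags):                            # IMAGE_SECTION_HEADER
        return struct.pack("<8s6I2HI", name, len(raw), vaddr, 0x200, ptr, 0, 0, 0, 0, flags)
    hdr = (dos + stub.ljust(0x40, b"\0") + b"PE\0\0" + coff + opt + struct.pack("<32I", *dirs)
           + sec(b".text", 0x1000, text, 0x200, 0x60000020)
           + sec(b".idata", 0x2000, idata, 0x400, 0xC0000040))
    return hdr.ljust(0x200, b"\0") + text.ljust(0x200, b"\0") + idata.ljust(0x200, b"\0")

def parse_headers(data):
    """Section table and import-directory RVA; handles PE32 (0x10B) and PE32+ (0x20B)."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    opt = e_lfanew + 24
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    import_rva, = struct.unpack_from("<I", data, opt + (96 if pe32 else 112) + 8)
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
                for i in range(nsections)]            # name, vsize, vaddr, rawsize, rawptr
    return {"e_lfanew": e_lfanew, "pe32": pe32, "sections": sections, "import_rva": import_rva}

def rva_to_offset(sections, rva):
    for _, vsize, vaddr, rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + rva - vaddr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def cstring(data, offset):
    return data[offset:data.index(b"\0", offset)].decode("ascii", "replace")

def parse_imports(data, info):
    """Walk the import directory into {dll: [function names]}, PeStudio's imports/IAT view."""
    imports, secs = {}, info["sections"]
    fmt, ordinal_flag = ("<I", 1 << 31) if info["pe32"] else ("<Q", 1 << 63)
    off = rva_to_offset(secs, info["import_rva"]) if info["import_rva"] else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0:                             # all-zero descriptor terminates the list
            break
        thunk, names = rva_to_offset(secs, oft or ft), []   # INT if present, else the IAT
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            names.append(f"ordinal#{entry & 0xFFFF}" if entry & ordinal_flag
                         else cstring(data, rva_to_offset(secs, entry) + 2))  # skip 2-byte hint
            thunk += struct.calcsize(fmt)
        imports[cstring(data, rva_to_offset(secs, name_rva))] = names
        off += 20
    return imports

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes (packed/encrypted data)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in map(data.count, range(256)) if c) if n else 0.0

def triage(data, blacklist=BLACKLIST):
    """The static first look PeStudio gives: hash, entropy, Rich header, strings, imports."""
    info = parse_headers(data)
    imports = parse_imports(data, info)
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 3),
            # the "Rich" marker (followed by its XOR key) sits in the clear before the PE header
            "rich_header": b"Rich" in data[0x40:info["e_lfanew"]],
            "strings": [s.decode() for s in re.findall(rb"[\x20-\x7e]{5,}", data)],
            "imports": imports,
            "blacklisted": sorted(f for fs in imports.values() for f in fs if f in blacklist)}
```

Calling triage(build_sample_pe()) returns the SHA256, entropy, Rich-header flag, strings, the per-DLL import lists and the three blacklisted names. Two caveats match how PeStudio should be read: entropy here is for the whole file, whereas PeStudio also shows it per section, which is the better signal because a packed file usually has one section close to 8.0; and the Rich header check is only a heuristic, since the marker can be stripped or forged, so its absence is a prompt to look further rather than proof of packing.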
https://nahil.xyz/vault/tools/pestudio/
Author: Nahil Rasheed
Published: December 23, 2025
Disclaimer: This content is provided strictly for educational purposes only.