Pestudio 8.61 - Malware Initial Assessment

Pestudio is a utility that can be used to triage malware. All you need to do is drop the suspicious file onto Pestudio and it will show you the imports and the resources, and it will send the MD5 hash of the file to VirusTotal. Pestudio can be downloaded without any registration.

Once you download Pestudio you just have to extract the file and use it. If you are a command line fan you can use the command line version instead: as you can see, it is straightforward to use, you just have to specify the suspicious file and the name of the XML output file. In this diary, I am going to use the GUI version.

Now let's put Pestudio in action and try some suspicious files. For this diary I obtained a malware sample from the malware traffic analysis blog, which is maintained by ISC handler Brad Duncan.

To triage a file with Pestudio you have to run it, then you can either drop the suspicious file onto it or choose Open File from the File menu. It will take a few seconds to do its analysis. As you can see in the screenshot, the first thing it shows is some general information about the file such as the MD5 hash and its entropy.
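The two numbers in that first pane, the MD5 hash and the entropy, are what a triage analyst usually reads first: a high entropy value hints at packing or encryption. The following is an added example, not code from the diary or from Pestudio, that computes both with the standard library and goes one step further by walking the PE section table to report entropy per section. It runs against a constructed toy PE32 image (`build_sample`, a hypothetical image that is not a real program and not the diary's sample).

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); packed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> section table; return (name, raw_offset, raw_size, entropy)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe + 4                                           # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    table = coff + 20 + struct.unpack_from("<H", data, coff + 16)[0]  # skip optional header
    out = []
    for i in range(num_sections):
        name, raw_size, raw_ptr = struct.unpack_from("<8s8xII", data, table + 40 * i)
        blob = data[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\0").decode(), raw_ptr, raw_size, round(shannon_entropy(blob), 2)))
    return out

def triage(data: bytes) -> dict:
    """The 'general info' pane: MD5 (the value Pestudio looks up on VirusTotal), file and section entropy."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "entropy": round(shannon_entropy(data), 2), "sections": pe_sections(data)}

def build_sample() -> bytes:
    """Constructed toy PE32 image (not a real program, not the diary's sample): low-entropy .text, high-entropy .rsrc."""
    text = b"\x90" * 200 + b"Hello from the sample\0"
    rsrc = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))   # 512 pseudo-random bytes
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    opt = bytes(224)                                        # zero-filled PE32 optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    text_off = 64 + len(coff) + len(opt) + 40 * 2; rsrc_off = text_off + len(text)
    hdr = "<8sIIIIIIHHI"                                    # IMAGE_SECTION_HEADER, 40 bytes
    sections = struct.pack(hdr, b".text", len(text), 0x1000, len(text), text_off, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(hdr, b".rsrc", len(rsrc), 0x2000, len(rsrc), rsrc_off, 0, 0, 0, 0, 0x40000040)
    return bytes(dos) + coff + opt + sections + text + rsrc

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(key, value)
```

Replace `build_sample()` with the bytes of a real file to get the same summary Pestudio shows, with the per-section breakdown pointing at which section carries the packed or encrypted payload.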