Pestudio Malware Analysis Download


Amintor Robillard
Jul 22, 2024, 9:50:14 AM
to mobestgranre

Whenever I begin analysing a piece of malware, I will always load it into PeStudio first. It provides so much information about the sample, giving me a wealth of material to start building out my report. This is great for the initial triage of a malware sample.

What I love about PeStudio is how easy it is to use and the clear, simple layout of the tool. Double-clicking the desktop icon opens the tool; to start investigating a piece of malware, simply drag the malware sample into the tool.

pestudio malware analysis download

Download File ::: https://cinurl.com/2zDQJU
Here we are presented with information such as hashes of the sample. If you are dealing with a malware-related incident in your organization, you could use these hashes to start blocking the file and looking for devices that have it on the filesystem.

The entropy of the file is also listed. This is useful because the entropy value can help identify whether the malware is packed. Malware is often packed so that the code written by the malware author is obfuscated: the bad guys have taken time to write some malicious code and don't want it to be an easy task for somebody to take a quick look at the malware and, in a short space of time, identify what it does and how to stop it.

Entropy is measured on a scale of 0-8: the higher the value, the more likely it is that the malware is packed, with values of 7-8 pretty much confirming that the sample is packed. This is useful because PeStudio is telling us that we will need to unpack the malware in order to pull out some useful IOCs.

In the image below, we can see that PeStudio has identified a signature for UPX, which is a common packer used by malware authors. So by using PeStudio we can start to work out whether a sample is packed or not.

In the image above we can see the section names associated with the UPX packer, again confirming through PeStudio that the malware is indeed packed. We can also see that section UPX1 contains the file that was first mentioned in the indicators tab; notice that this section makes up nearly 88% of the file and also has a high level of entropy. This indicates that the unpacked malware is being stored in this location. Once unpacked, we can see sections that are more typical of an executable.

The above image shows that PeStudio has blacklisted some of the DLLs, meaning that they may be used for malicious purposes by the malware. Looking at the names and descriptions, it's safe to surmise that urlmon.dll, wininet.dll and ws2_32.dll relate to network functionality. It's not instantly clear what winmm.dll does; however, a quick Google search for the DLL may shed some light.

It looks like the malware may be importing some functionality to record audio from a compromised device. Each DLL contains a unique set of APIs; these are legitimate Windows functions that can be imported and used by the malware. By clicking on the imports tab we can take a look at what these functions are.

The imports tab lists the functions/APIs that have been imported by the malware; this is also known as the IAT (Import Address Table). By clicking on the blacklist tab PeStudio will sort the APIs, moving all the blacklisted functions to the top.

What I think is useful is that, next to each API name, PeStudio will tell you what type of activity the API is related to under the 'group' column. From the above screenshot we can see the malware has imported some functionality relating to the registry, so it may use 'RegCreateKeyA' to create a run key which will launch the malware at startup.

We can also see some APIs that PeStudio associates with network activity: 'URLDownloadToFileA' tells us quite clearly that the malware has the capability to download additional files from the internet. This type of information is extremely useful, as before we run the malware in a malware analysis lab or a Cuckoo Sandbox we can start to get an idea of how the malware may behave.

This information is also useful if we later begin to reverse engineer the malware using a tool such as x64dbg, as we have already identified some interesting functionality on which we can set breakpoints and see what values the malware passes to these APIs.
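Bringing the sections, entropy and imports steps above together, here is an added example (my code, not the original post's and not PeStudio's) that performs the same static triage with the Python standard library only, so it also runs on Linux: it parses the PE section table, computes each section's entropy and flags UPX-style section names, walks the import directory to rebuild the IAT, and sorts the APIs by an assumed behaviour-group map. The `API_GROUPS` table, the `build_pe`/`build_import_table` helpers and the two sample executables are constructed for the demonstration and are not real malware. It goes slightly beyond the single sample in the post by also handling PE32+ data-directory offsets and imports by ordinal.

```python
"""Stdlib-only static triage of a PE32 file: section entropy (packer hints) and the import table (IAT) by group."""
import math
import struct
from collections import Counter

IMPORT_DIR = 1                                  # data-directory slot of the import table
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}      # section names left behind by UPX
# Assumed grouping, modelled on PeStudio's 'group' column (not its real blacklist)
API_GROUPS = {"URLDownloadToFileA": "network", "RegCreateKeyA": "registry", "RegSetValueExA": "registry", "waveInOpen": "audio"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_import_table(imports, va):
    """IMAGE_IMPORT_DESCRIPTOR array, DLL names, hint/name entries and thunks, laid out from RVA va."""
    descs, blob, base = b"", bytearray(), va + 20 * (len(imports) + 1)
    for dll, apis in imports.items():
        name_rva, thunks = base + len(blob), []
        blob += dll.encode() + b"\0"
        for api in apis:
            blob += b"\0" * (len(blob) % 2)          # hint/name entries are WORD aligned
            thunks.append(base + len(blob))
            blob += b"\0\0" + api.encode() + b"\0"   # hint WORD (0) followed by the API name
        thunk_rva = base + len(blob)
        blob += b"".join(struct.pack("<I", t) for t in thunks) + bytes(4)
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva)
    return descs + bytes(20) + bytes(blob)           # all-zero descriptor terminates the array

def build_pe(sections, imports):
    """Assemble a minimal PE32 from [(section name, raw bytes)]; imports go into an extra '.idata' section."""
    sections = sections + ([(".idata", None)] if imports else [])
    opt_size, file_align, sect_align = 0xE0, 0x200, 0x1000
    hdr_size = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // file_align) * file_align
    raw, va, import_rva, headers, bodies = hdr_size, sect_align, 0, b"", b""
    for name, data in sections:
        if data is None:
            data, import_rva = build_import_table(imports, va), va
        padded, vsize = data.ljust(-(-len(data) // file_align) * file_align, b"\0"), max(len(data), sect_align)
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, len(data), raw, 0, 0, 0, 0, 0x60000020)
        bodies, raw, va = bodies + padded, raw + len(padded), va + -(-vsize // sect_align) * sect_align
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    # PE32 magic, zero fill up to NumberOfRvaAndSizes (=16), empty export directory, then the import directory
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<IIIII", 16, 0, 0, import_rva, 20 * (len(imports) + 1))
    return (dos + b"PE\0\0" + coff + opt.ljust(opt_size, b"\0") + headers).ljust(hdr_size, b"\0") + bodies

def parse_headers(pe):
    """Return (section list, import-table RVA) read from the DOS, COFF, optional and section headers."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    assert pe[:2] == b"MZ" and pe[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)                          # 0x10B = PE32, 0x20B = PE32+
    import_rva, _ = struct.unpack_from("<II", pe, opt + (96 if magic == 0x10B else 112) + 8 * IMPORT_DIR)
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("latin-1"), vsize=vsize, va=va, rsize=rsize, raw=raw))
    return sections, import_rva

def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset through the section table."""
    s = next(s for s in sections if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]))
    return rva - s["va"] + s["raw"]

def cstring(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii", "replace")

def triage_sections(pe):
    """Per-section share of the file and entropy, plus packer hints (cf. the UPX1 observation above)."""
    return [dict(name=s["name"], share=round(s["rsize"] / len(pe), 2), entropy=round(ent, 2),
                 packer_name=s["name"] in PACKER_SECTIONS, high_entropy=ent >= 7.0)
            for s in parse_headers(pe)[0] for ent in [entropy(pe[s["raw"]:s["raw"] + s["rsize"]])]]

def parse_imports(pe):
    """Walk the import directory into [(dll, api or 'ordinal#N'), ...]."""
    sections, import_rva = parse_headers(pe)
    off, imports = rva_to_offset(sections, import_rva) if import_rva else None, []
    while off is not None and (desc := struct.unpack_from("<IIIII", pe, off))[3]:   # Name RVA 0 ends the list
        dll, thunk = cstring(pe, rva_to_offset(sections, desc[3])), rva_to_offset(sections, desc[0] or desc[4])
        while (entry := struct.unpack_from("<I", pe, thunk)[0]):
            imports.append((dll, f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000
                            else cstring(pe, rva_to_offset(sections, entry) + 2)))   # +2 skips the hint WORD
            thunk += 4
        off += 20
    return imports

def grouped_imports(pe):
    """(group, dll, api) rows, recognised groups first, like PeStudio's blacklist sort."""
    return sorted(((API_GROUPS.get(api, "-"), dll, api) for dll, api in parse_imports(pe)), key=lambda r: (r[0] == "-", r))

# Constructed samples: PACKED mimics a UPX layout (empty UPX0, a large maximum-entropy UPX1 standing in for
# compressed data, a minimal import table); UNPACKED carries the DLLs discussed above and low-entropy sections.
PACKED = build_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 25), (".rsrc", bytes(512))],
                  {"KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress"]})
UNPACKED = build_pe([(".text", b"\x90" * 1500 + b"\xCC" * 100), (".data", bytes(256))], {"urlmon.dll": [
    "URLDownloadToFileA"], "advapi32.dll": ["RegCreateKeyA", "RegSetValueExA"], "winmm.dll": ["waveInOpen"]})
```

To use it on a real file, pass `open(path, "rb").read()` to `triage_sections` and `grouped_imports`. The 7.0 entropy cut-off mirrors the 7-8 rule of thumb above; a section that is both high-entropy and the bulk of the file is the UPX1 pattern described, and a packed sample typically shows only the minimal KERNEL32 imports the stub needs, with the interesting IAT appearing only after unpacking.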

The next interesting string is 'Software\Microsoft\Windows\CurrentVersion\Run'. This is a common run key used by malware authors to automatically launch the malware if the device is rebooted. This is known as a persistence mechanism, and the malware is making use of a legitimate Windows feature.

In the above image I have navigated to 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' on my host device and can see the software that will launch on startup. In my malware analysis lab, I could also use this technique after I have detonated a piece of malware to see if this persistence mechanism is being used, and then identify where on disk the malware persists.

Whether you are learning to analyze malware, triaging a malware incident or writing a YARA rule, PeStudio is a great tool to use and has a great amount of depth to it. Whenever I need to build a new malware analysis lab it is the first tool I install, and it is the first tool I always use when I begin to look at a piece of malware.

The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment. The tool is used by Computer Emergency Response Teams (CERT), Security Operations Centers (SOC) and Digital-Forensic Labs worldwide.

What alternatives are there on Linux that are capable of extracting data from Windows binaries? Tools like `strings` on their own don't show much information, and ideally I'd want to find something similar to PeStudio, with a GUI etc. and the ability to generate a report in XML/HTML. Thanks, if anyone knows.

The first step I take in approaching any unknown, untrusted, or malicious program is to load it up into PeStudio, a static malware-analysis tool made by Winitor. From here I can derive some basic information about the executable, and form some early opinions on what the malware may be doing.

Just below the test we see jne wannacry.4081BC. This is a conditional jump that will occur if the result of the previous operation is NOT equal. To determine this, the instruction evaluates the ZF flag. If the ZF flag is set to 1, the last operation was equal, and the jump is not made. If the ZF flag is 0, then the last operation was not equal, and the jump is taken. This instruction will jump to code located at address 0x4081BC if the ZF flag is 1. We can assume that this is the code that terminates the malware if the kill-switch domain is live and the victim machine has an active internet connection that successfully resolves the domain.

There are lots of files here, most of which have a custom file extension that is unique to this malware. Inside of the msg folder there are more .wnry files but they all begin with the name of different languages. This is probably the ransom note, translated into multiple languages. I test this theory by opening m_english.wnry in a hex editor:

This appears to be the decryptor that is used by victims after making payment. It also sheds a little light on why there are links to TOR and why TOR is packaged into the malware, as it asks the victim to make sure that their ISP is not blocking TOR if the decryptor fails to validate they paid the ransom.

PeStudio is a portable and free program which is able to examine executable files in depth. It supports both 32-bit and 64-bit EXE files. To perform an analysis of a particular file, you can drag it from Windows Explorer into the program interface. Once loaded, it will display different bits of information such as the libraries it uses and loads, import and export functions, compatibility and more. It can also be used to grab information from VirusTotal, allowing users to quickly determine whether the file has been flagged by any antivirus applications. For users and administrators who often have to deal with executables, PeStudio is an excellent tool which provides both details for troubleshooting and other known information from the web.

Features of PeStudio

  • Customization: Options that allow you to tailor the tool to your specific needs and preferences.
  • File analysis: Tools for analyzing PE files in detail, including the ability to view and edit the file's headers, import and export tables and other data structures.
  • Malware detection: Detect malware in PE files. It can scan a file for known malware signatures and can also analyze the behavior of the file to identify potential malware.
  • Plug-in support: Support for plug-ins, which allow you to extend the capabilities of the tool with additional features and functionality.
  • Reverse engineering: Tools for reverse engineering PE files, including the ability to disassemble the file's code and view it in assembly language.
  • Security analysis: Analyze the security of PE files, including the ability to identify vulnerabilities and other security risks.
  • User-friendly interface: Makes it easy to use, even for those who are new to the tool.

Compatibility and License

PeStudio is a restricted version of commercial software, often called freemium, which requires you to pay a license fee to unlock additional features that are not accessible with the free version. Download and installation of this software is free; however, other similar programs are available from PC utilities which may have what you need. 9.56 is the latest version last time we checked.

PeStudio can be used on a computer running Windows 11 or Windows 10. Previous versions of the OS shouldn't be a problem, with Windows 8 and Windows 7 having been tested. It comes in both 32-bit and 64-bit downloads.

We have tested PeStudio 9.56 against malware with several different programs. We certify that this program is clean of viruses, malware and trojans.

  • Download for Windows: 1.09 MB, tested clean
  • Cost: Free (freeware)
