What is PeStudio?
PeStudio is a tool to find suspicious artifacts within executable files to accelerate the first malware assessment. Using this tool, the analyst can easily spot the functionalities commonly used for malicious activities by malware creators.
When the analyst opens the malicious sample inside the program, general information about the file, such as its MD5 hash and entropy, is displayed. The hash value of the sample is then looked up on VirusTotal, and the result of the lookup is listed inside the program. The picture presented below shows the result of the query.
In the ‘Section tab’, an analyst can see the MD5 hash of each section, its entropy value, the entry-point address (the address from which the process starts executing), and the read, write and/or execute permissions of each section. If the ‘.rsrc’ section is abnormally large, the application may ‘drop’ another file on the disk. In this case, it is recommended that, during runtime analysis, the analyst pay close attention to the files that are written to disk.
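As an added illustration (this is not PeStudio's code), the following Python script walks the section table of a constructed minimal PE image and applies the checks described above: per-section entropy, which section holds the entry point, sections that are both writable and executable, and an oversized ‘.rsrc’ section. The 40% size threshold and the 7.0 entropy threshold are assumptions chosen for this example, not values taken from PeStudio.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000  # section Characteristics bits

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; packed or encrypted payloads sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table; return one dict per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad MZ or PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    # AddressOfEntryPoint sits at offset 16 of the optional header in both PE32 and PE32+
    entry_rva = struct.unpack_from("<I", pe, coff + 20 + 16)[0] if opt_size >= 20 else None
    table = coff + 20 + opt_size
    out = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(pe[rawptr:rawptr + rawsize])
        flags = []
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("WX")             # writable and executable: self-modifying code or unpacking stub
        if ent > 7.0:
            flags.append("HIGH_ENTROPY")   # likely packed or encrypted content (threshold is an assumption)
        if name == ".rsrc" and rawsize > 0.4 * len(pe):
            flags.append("LARGE_RSRC")     # resources dominate the file: possible embedded dropper payload
        if entry_rva is not None and vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            flags.append("ENTRY_POINT")    # execution starts in this section
        out.append({"name": name, "rva": vaddr, "raw_size": rawsize, "entropy": round(ent, 2), "flags": flags})
    return out

def build_sample() -> bytes:
    """Constructed minimal PE image (not a real binary): .text of NOP/RET bytes, RWX .rsrc of uniform bytes."""
    opt = struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", 0x1000) + b"\0" * 4  # 24-byte stub
    text, rsrc = b"\x90\xc3" * 64, bytes(range(256))
    hdr_end = 0x40 + 4 + 20 + len(opt) + 2 * 40
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), hdr_end, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc), hdr_end + len(text), 0, 0, 0, 0, 0xE0000040)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + coff + opt + sect + text + rsrc
```

Running `parse_sections(build_sample())` reports the constructed ‘.text’ as the entry-point section with entropy 1.0 and the constructed ‘.rsrc’ as writable-executable, high-entropy and oversized; on a real file, replace `build_sample()` with the bytes read from disk.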
The ‘Imports’ section holds the names of the imported functions. By looking up each function on MSDN.microsoft.com, the analyst can find out what it does. PeStudio keeps a list of ‘blocked’ imports, in which all the imports that can be used for malicious activities are listed.
In the sample presented below, an inspection of the ‘Imports’ section gives the analyst an overview of the principal imports used by the malware for malicious activities and flagged as banned by PeStudio. For example, the imports ‘connect’, ‘gethostbyname’, ‘socket’, ‘memcpy’, ‘send’ and ‘GetAsyncKeyState’ give the malware analyst an idea of the basic functionalities of the analyzed sample.
The ‘Exports section’ presents the functions that the PE file is exporting for other PE files to use. In the example presented, there are no exports.
The ‘resources section’ usually stores information related to the UI (icons or custom window elements). If the malicious application has dropper functionality, the files it writes to disk may be stored in the ‘.rsrc’ section.
The ‘tls-callback’ section lists the code that sets up the environment so the application can run; this code is executed before the entry point. Using this functionality, a malware author can hide code inside TLS (Thread Local Storage) that will be executed before Windows OS creates the process.
The ‘strings section’ is also a useful source of information for the analyst. All the strings from the executable are parsed and placed in this section. In examining the ‘strings section’, the analyst tries to identify readable strings, such as IPs, URLs and filenames, that can be used during the investigation. When few readable strings are found, the application could be packed or obfuscated.
The ‘strings section’ of the sample analyzed is presented below.
Another major area when analyzing malware is the ‘certificate section’, which contains the certificate used for signing the application. Usually, malicious applications are not signed, or use a certificate from a certificate authority that is untrusted or has been compromised. The PeStudio tool can also create and export an XML report for the executable being analyzed. The XML report can be used for further analysis by third-party analysis tools.