Triaging suspicious files with pestudio, (Fri, Aug 11th)


Pestudio[1] by Marc Ochsenmeier is a utility for the initial triage of suspicious executables. All you need to do is drop the suspicious file onto Pestudio: it shows you the imports, the resources and other indicators, and by default it submits the MD5 hash of the file to VirusTotal.

The command-line version, pestudiox.exe, prints the following usage:

    pestudiox 8.61 - Malware Initial Assessment
    Copyright 2009-2017 Marc Ochsenmeier
    www.winitor.com

    pestudiox -file:input [-xml:output]

    -file: input file to analyse
    -xml: output xml report file

As you can see, the command-line version of Pestudio is straightforward to use: you specify the suspicious file with -file and, optionally, the name of the XML report file with -xml.

Now let's put Pestudio in action and try some suspicious files. In this diary, I am going to use the GUI version.

For this diary I have obtained a malware sample from the Malware Traffic Analysis blog[2], which is maintained by Brad Duncan, ISC Handler.

To triage a file with Pestudio, run it and then drop the suspicious file onto it, or choose Open file from the File menu.

It will take a few seconds to analyze the file.

By default Pestudio sends the MD5 hash of the file to VirusTotal and retrieves the results. If you don't feel comfortable sending such information to a third-party website (even a hash tells the third party that you hold that particular sample, which can matter during a sensitive incident), you can disable the lookup in the configuration by changing <score-file enable="1"/> to <score-file enable="0"/>.

Pestudio retrieves the libraries and the functions referenced in the suspicious file. Pestudio comes with a predefined list of libraries and functions that are often used by malware.

Finally, you can save the triage report as an XML file and process it with your favorite XML parser.
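The following Python script is an added example and is not part of this diary or of pestudio itself. It ties together the points above: it builds the documented pestudiox command line (-file: and -xml:), computes the MD5 locally so you can decide what leaves the host, walks the XML report for imported functions that match a local blacklist in the spirit of pestudio's predefined list, and flips score-file enable="1" to "0" to disable the VirusTotal lookup. The report element names (report/imports/library/function) and the blacklist contents are my assumptions for illustration and must be checked against a real pestudiox report; the sample report and configuration fragment are constructed so the script runs offline.

```python
"""Batch-triage helper around the pestudiox command line and its XML report.

Added example, not code from the ISC diary or from pestudio. The report layout
used here (report/imports/library/function with name attributes) is ASSUMED for
illustration; verify it against a report produced by pestudiox -xml:output.
"""
import hashlib
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

# Hypothetical local blacklist in the spirit of pestudio's predefined list of
# functions often used by malware. These entries are my own selection, not
# pestudio's list.
SUSPICIOUS_FUNCTIONS = {
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "IsDebuggerPresent", "URLDownloadToFileA", "WinExec", "ShellExecuteA",
}


def build_command(sample, report, exe="pestudiox.exe"):
    """Argv for the documented syntax: pestudiox -file:input [-xml:output]."""
    return [exe, f"-file:{sample}", f"-xml:{report}"]


def run_pestudiox(sample, report, exe="pestudiox.exe"):
    """Run pestudiox on one sample and return the path of the XML report it wrote."""
    subprocess.run(build_command(sample, report, exe), check=True)
    return Path(report)


def file_hashes(data):
    """MD5 is what pestudio submits to VirusTotal; compute it (and SHA-256) locally
    so the decision to share anything stays with the analyst."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def flagged_imports(report_xml):
    """Map library name -> sorted imported functions that appear in the blacklist.

    ASSUMED layout: <imports><library name="..."><function name="..."/>...
    """
    root = ET.fromstring(report_xml)
    hits = {}
    for lib in root.iter("library"):
        libname = lib.get("name", "").lower()
        funcs = sorted(
            f.get("name") for f in lib.iter("function")
            if f.get("name") in SUSPICIOUS_FUNCTIONS
        )
        if funcs:
            hits[libname] = funcs
    return hits


def disable_virustotal_lookup(config_xml):
    """Rewrite every <score-file enable="1"/> to enable="0" so no hash leaves the host."""
    root = ET.fromstring(config_xml)
    for node in root.iter("score-file"):
        node.set("enable", "0")
    return ET.tostring(root, encoding="unicode")


# Constructed sample data (not a real pestudio report or configuration file).
SAMPLE_REPORT = """<report>
  <imports>
    <library name="KERNEL32.dll">
      <function name="VirtualAllocEx"/>
      <function name="WriteProcessMemory"/>
      <function name="GetTickCount"/>
    </library>
    <library name="urlmon.dll">
      <function name="URLDownloadToFileA"/>
    </library>
  </imports>
</report>"""

SAMPLE_CONFIG = '<settings><score-file enable="1"/></settings>'


if __name__ == "__main__":
    # Offline demonstration on the constructed data. To triage real samples,
    # call run_pestudiox(sample, report) per file and feed the report text to
    # flagged_imports().
    print("command:", " ".join(build_command("sample.bin", "sample.xml")))
    print("hashes :", file_hashes(b"constructed sample bytes"))
    print("flagged:", flagged_imports(SAMPLE_REPORT))
    print("config :", disable_virustotal_lookup(SAMPLE_CONFIG))
```

Because the hash is computed locally, you can search your own hash sets or a private sandbox before (or instead of) letting pestudio query VirusTotal; the blacklist match gives a quick "why does a document viewer import WriteProcessMemory" style signal to decide which samples deserve a deeper look.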


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.