pestudio is a tool that is used in many Cyber Emergency Response Teams (CERT) worldwide in order to perform malware initial assessment.

Malicious software often attempts to hide its intents in order to evade early detection and static analysis. In doing so, it often leaves suspicious patterns, unexpected metadata, and sometimes even anomalies.

The goal of pestudio is to spot these artifacts in order to ease and accelerate the Malware Initial Assessment. The tool uses a powerful parser and a flexible set of configuration files that provide many indicators and determine thresholds. Since the file being analyzed is never started, you can inspect any unknown or malicious executable file, even ransomware, without risk of infection.

Features

pestudio implements a rich set of features designed to retrieve every single detail of any executable file. The result is checked against the Microsoft PE specification. Additionally, the content of the file being analysed is checked against several white lists, black lists and thresholds.

Imports

Even a suspicious binary file must interact with the operating system in order to perform its activity.

pestudio retrieves the libraries and the functions referenced. Several XML files are used to blacklist functions (e.g. Registry, Process, Thread, File, …). Blacklist files can be customized and extended according to your own needs. pestudio shows the intent and purpose of the application analyzed.
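As an added example, not code from pestudio or from this page: a minimal Python parser that reads the import table of a PE32/PE32+ file and checks every imported function name against a per-category blacklist, which is how the XML blacklists described above are applied. The BLACKLIST dictionary and the API names it contains are constructed for illustration, not pestudio's own list contents.

```python
import struct

# Constructed blacklist in the spirit of pestudio's per-category XML lists (not its real contents).
BLACKLIST = {
    "Process": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"},
    "Registry": {"RegSetValueExA", "RegSetValueExW"},
}

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def _rva_to_off(sections, rva):
    for va, raw, size in sections:          # map an RVA to a file offset via the section table
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")

def parse_imports(data):
    """Return {dll: [function names]} for a PE32 or PE32+ file (ordinal imports skipped)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                # optional header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B       # PE32+ magic
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]  # data dir entry 1
    sections = []
    for i in range(nsec):                                        # 40-byte section headers
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, raw, max(vsize, rsize)))
    imports, off = {}, _rva_to_off(sections, imp_rva)
    while True:                                # one 20-byte import descriptor per DLL
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                      # all-zero descriptor ends the table
            break
        dll, funcs = _cstr(data, _rva_to_off(sections, name_rva)), []
        thunk = _rva_to_off(sections, oft or ft)   # INT, or IAT when the INT is absent
        fmt, width, ordinal = ("<Q", 8, 1 << 63) if plus else ("<I", 4, 1 << 31)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if not entry & ordinal:            # by name: 2-byte hint, then the name
                funcs.append(_cstr(data, _rva_to_off(sections, entry) + 2))
            thunk += width
        imports[dll], off = funcs, off + 20
    return imports

def flag_imports(imports, blacklist=BLACKLIST):
    """Return (dll, function, category) for every import found on a blacklist."""
    return [(dll, f, cat) for dll, funcs in imports.items() for f in funcs
            for cat, names in blacklist.items() if f in names]
```

Run `flag_imports(parse_imports(open(path, "rb").read()))` on a sample to get the list of blacklisted imports with their category, the same view pestudio's Imports tab gives.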

Resources

Resource sections are commonly used by malware to host payloads.

pestudio detects many embedded file types (e.g. EXE, DLL, SYS, PDF, CAB, ZIP, JAR, …). Detected items can be saved to a file, allowing the possibility of further analysis.

Report

The goal of pestudio is to allow investigators to analyse unknown and suspicious executable files.

For this purpose, pestudio can also produce an XML output report file documenting the executable file being analysed. This XML report is intended to be consumed by any third-party analysis tool.

Prompt

pestudio runs from the Graphical User Interface (GUI) as well as from the Command prompt (CLI). Running pestudio from the prompt allows executable files to be analysed and their associated XML output files created in batch mode.

pestudio website: https://www.winitor.com/index.html
