Analyze suspicious Windows executable files with PeStudio
If you install and run new software regularly on your Windows system, you may have come upon programs that you have a bad feeling about.
Maybe because you have downloaded them from a site you cannot trust, maybe because it is a new app that has not been reviewed anywhere yet, or maybe because of what it is supposed to do.
You may scan the executable file locally then and on sites like VirusTotal to find out if it contains malicious code.
Sometimes, you get two, three or four hits on VirusTotal while the remaining antivirus engine report that the file is clean.
Unless major engines are reporting the hits, it is usually false positives but would you risk installing malware based on that?
You could run the program in a sandbox so that it won't affect the underlying system no matter what. Another option is to analyze it with the help of the free PeStudio program.
PeStudio is a free portable program for Windows that you can use to analyze executable files in various ways. It was designed to uncover suspicious patterns, indicators and anomalies that provide you with additional insight about the program's main purpose and whether it is malicious or not.
All you need to do is drag an executable file on the program window after you have started it up to start the analysis.
One of the first things PeStudio does is query VirusTotal to report hits. That's however just one of the things it does and you will notice that it lists more than two dozen checks it performs.
Each check is color coded so that you know on first glance what you should check initially. Green indicates no issues, orange something that you should look into and red the most pressing findings that you should investigate first.
A click on strings may for instance reveal commands, for instance Registry manipulation, used by the program or module names that may reveal information about its function.
Other information that it provides include imported libraries and symbols, the file and DOS header, as well as certificate and resource information.
The indicators listing may be of importance as it lists important information discovered during the scan at the very top. There you may find information about the program's capabilities (e.g. accesses libraries at runtime, creates or modifies files) which can be very useful in your analysis.
It needs to be noted at this point that PeStudio finds indicators and that red or orange color codes do not have to mean that something fishy is going on.
PeStudio comes as a graphical user interface but also as a command line version that you can run right from it.
PeStudio is a useful helper program for Windows users who want to analyze executable files before they run them on their system. The integration of VirusTotal is excellent and the remaining options that it provides can give you valuable clues whether a program may potentially be malicious in nature. (via Betanews)Advertisement