Analyze suspicious Windows executable files with PeStudio
If you install and run new software regularly on your Windows system, you may have come upon programs that you have a bad feeling about.
Maybe because you have downloaded them from a site you cannot trust, maybe because it is a new app that has not been reviewed anywhere yet, or maybe because of what it is supposed to do.
You may scan the executable file locally then and on sites like VirusTotal to find out if it contains malicious code.
Sometimes, you get two, three or four hits on VirusTotal while the remaining antivirus engine report that the file is clean.
Unless major engines are reporting the hits, it is usually false positives but would you risk installing malware based on that?
You could run the program in a sandbox so that it won't affect the underlying system no matter what. Another option is to analyze it with the help of the free PeStudio program.
PeStudio is a free portable program for Windows that you can use to analyze executable files in various ways. It was designed to uncover suspicious patterns, indicators and anomalies that provide you with additional insight about the program's main purpose and whether it is malicious or not.
All you need to do is drag an executable file on the program window after you have started it up to start the analysis.
One of the first things PeStudio does is query VirusTotal to report hits. That's however just one of the things it does and you will notice that it lists more than two dozen checks it performs.
Each check is color coded so that you know on first glance what you should check initially. Green indicates no issues, orange something that you should look into and red the most pressing findings that you should investigate first.
A click on strings may for instance reveal commands, for instance Registry manipulation, used by the program or module names that may reveal information about its function.
Other information that it provides include imported libraries and symbols, the file and DOS header, as well as certificate and resource information.
The indicators listing may be of importance as it lists important information discovered during the scan at the very top. There you may find information about the program's capabilities (e.g. accesses libraries at runtime, creates or modifies files) which can be very useful in your analysis.
It needs to be noted at this point that PeStudio finds indicators and that red or orange color codes do not have to mean that something fishy is going on.
PeStudio comes as a graphical user interface but also as a command line version that you can run right from it.
Verdict
PeStudio is a useful helper program for Windows users who want to analyze executable files before they run them on their system. The integration of VirusTotal is excellent and the remaining options that it provides can give you valuable clues whether a program may potentially be malicious in nature. (via Betanews)
1) Sometimes, PeStudio’s left window displays something in red, but the corresponding entry at the right-hand window has no value flagged in red. So it is not clear which “interesting” value triggered the red alert.
2) When individually scanning certain .exe files (even small ones of 1 MB size), PeStudio’s “Indicators” image tends to hang at “wait …” for 30–90 seconds, even though the results for all other images are finalized. If the user tries to “Close All Images” or “Close Selected Image” while “Indicators” is still at “wait” status, this is when PeStudio crashes & exits.
For larger .exe files (eg. Firefox 35.0 offline installer 38 MB, or Avira Antivirus offline installer 146 MB), the “Indicators” response-time is VERY long (>10 mins). And while the user waits w/o doing anything, PeStudio may or may not suddenly crash. For these 2 examples, PeStudio sometimes crashed & exited, while I was waiting. Even if it didn’t crash, I eventually gave up waiting & clicked “Close All Images” to trigger PeStudio to crash & exit, so that I could get it to stop.
The “Indicators” wait non-responsiveness can be reproduced every single time for the affected .exe files. This is how I can reliably make PeStudio crash as many times as I wish. Hmm, this is even more “crash-happy” than my good ol’ Firefox, which can crash >100 times per month.
It picks up the last scan by VT … if you do a scan and then go back to PE, you will notice that the newest scan is shown.
As features have been added, the app has become slower. Hopefully this will get fixed in the upcoming versions.
Be careful with warnings from Virus Total. Some of those prescans are several years old. The one for Rainmeter is 2 years and 9 months old. Rainmeter says the trojan is a false positive.
I could only load about 2 files into PE Studio before it crashed. But it’s still better than nothing.
PE Studio does NOT crash. Depending on the file you are opening however, it can look like a crash as it can take quite long to analyze the program. You unfortunately don’t get a pretty fake box saying “analysis in progress”. It unfortunately appears to go ‘unresponsive’ as it does its thing. Just wait.
I have been using this tool for years and it is quite a gem!
It crashed 4 times so I deleted it.
Do not drag and drop more than one item. It works.