PEStudio

Marc Ochsenmeier

Static triage of Windows PE files — strings, imports, indicators at a glance.

Tags: Malware Analysis & Sandboxing, Freemium, GUI, Learning, Windows


Description

PEStudio is a free Windows tool that performs static triage of a PE (Portable Executable) file — EXE, DLL, SYS — without executing it. In a few seconds it surfaces dozens of indicators an analyst would otherwise have to query manually: suspicious imports, blacklisted strings, anomalous section names, signed/unsigned status, resources, manifest, version info, and VirusTotal hits.

It is the first stop for many malware analysts before deciding whether to detonate a sample in a sandbox or load it into Ghidra/IDA.

Use cases

  • Fast first look at a suspicious attachment
  • Confirming whether a binary is signed and by whom
  • Spotting packers, anti-VM strings, suspicious APIs