PE Files Malware Journey Day 3
While working through my two malware samples I realized that analyzing PE file headers is critical, so I need to understand what each section really does.
Big thanks to Josh Stroschein for providing a valuable lesson.
Using HxD to analyze an executable was a first for me. From the screenshot below it is clear this is the MZ DOS header, since it is 60 bytes long.
The PE header begins a little after the DOS header.
It is clear HxD is best suited to just verifying the sample, for example confirming it is an executable by looking for the PE header.
Moving onto PEStudio.
I need to triage the sample as a start. Using PEStudio, I was curious what exactly signatures are used for and how useful they are. From what I gather, a signature file recognizes byte patterns in the hex, and if there is a match it could possibly indicate a packer.
An interesting thing learned from looking at PEStudio is that executables generally only import data and don't export data, while DLLs do the opposite.
Looking at this sample, I found it interesting that there is an import from the Wininet DLL; this could possibly indicate to me that it is reaching out to a server.
Now, if this were actual malware, a good next step would be to see what URL is passed to InternetOpenUrlA, since it could be a possible command and control server.
Looking at the strings, I realize this sample might be slightly deobfuscated, since there is an actual absence of large strings.
I also want to look at the difference between an unpacked program, which currently shows roughly 78 functions, and one packed with UPX, which shows only 5.
To my surprise, using this packer was also flagged. Going back to HxD, I see there are several section names containing UPX.
I learned that UPX is a legitimate packer not used just for malware, which was new to me. Of course PEStudio also detected UPX, since the signatures matched the pattern.
When unpacking the same sample, I was able to recover all the function names shown previously.
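To tie together the header walk done in HxD (MZ header, e_lfanew, PE signature) and the UPX section names seen later, here is an added example that is not from this post or from Josh Stroschein's lesson: a small struct-based parser that follows the same path through the headers, reads the COFF characteristics to tell an EXE from a DLL, lists the section table, and raises a UPX hint when section names start with "UPX" or a section has zero size on disk but a large virtual size (the layout UPX uses for its UPX0 section). The sample it parses is a constructed, minimal PE32 image built inline (not a real binary), and `parse_pe_headers`, `packer_hint` and `build_sample_pe` are names chosen here for illustration.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
DOS_HEADER_SIZE = 64          # sizeof(IMAGE_DOS_HEADER); e_lfanew is its last field, at 0x3C
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
IMAGE_FILE_DLL = 0x2000       # Characteristics bit that marks a DLL rather than an EXE


def packer_hint(sections) -> tuple:
    """Heuristic only (not proof of packing): UPX names its sections UPX0/UPX1,
    and UPX0 is empty on disk but large in memory because the unpacker writes the
    original code there at run time. Returns (upx_hint, names_empty_on_disk)."""
    upx = any(s["name"].upper().startswith("UPX") for s in sections)
    empty = [s["name"] for s in sections
             if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000]
    return upx, empty


def parse_pe_headers(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != IMAGE_DOS_SIGNATURE or len(data) < DOS_HEADER_SIZE:
        raise ValueError("not an MZ file (or truncated DOS header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)

    coff_off = e_lfanew + 4
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff_off)
    sec_off = coff_off + COFF_HEADER_SIZE + opt_size   # section table follows the optional header

    sections = []
    for i in range(nsections):
        off = sec_off + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_pointer": rawptr,
        })

    upx, empty = packer_hint(sections)
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "number_of_sections": nsections,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": sections,
        "upx_hint": upx,
        "empty_on_disk": empty,
    }


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32 image with UPX-style sections (not a real program)."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)   # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)  # i386, 3 sections, EXE flags
    opt = bytearray(224)                                  # PE32 optional header, mostly zeroed
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    secs = b""
    for name, vsize, vaddr, rawsize, rawptr in [
        (b"UPX0", 0x1A000, 0x1000, 0, 0x400),             # empty on disk, large in memory
        (b"UPX1", 0x6000, 0x1B000, 0x5A00, 0x400),        # compressed payload + unpacker stub
        (b".rsrc", 0x1000, 0x21000, 0x600, 0x5E00),
    ]:
        secs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"),
                            vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + secs


if __name__ == "__main__":
    info = parse_pe_headers(build_sample_pe())
    print("e_lfanew=0x%x machine=0x%x dll=%s" % (info["e_lfanew"], info["machine"], info["is_dll"]))
    for s in info["sections"]:
        print("  %-8s vsize=0x%06x raw=0x%06x" % (s["name"], s["virtual_size"], s["raw_size"]))
    print("UPX hint:", info["upx_hint"], "empty on disk:", info["empty_on_disk"])
```

Run it against a real file by replacing `build_sample_pe()` with the bytes of the sample; the section names and the zero-raw-size pattern are the same things visible in HxD, just read programmatically. The hint is only a pointer for triage, since a renamed UPX build or a different packer will not carry these names.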