Using PE header information for static analysis

Threat Intelligence: When was this sample created?

  • PE header → TimeDateStamp
  • Exact date and time this sample was compiled

Threat Intelligence: What’s the country of origin of these attackers?

  • PE header → TimeDateStamp
  • Compilation times cluster within a 9-to-5 working day
  • In some cases this makes it possible to identify the attackers’ country of origin
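As an added example (not from the original slides), the following Python walks the DOS and COFF headers to read TimeDateStamp, renders it as a UTC build time, and scores candidate UTC offsets by how many samples were built on a weekday between 09:00 and 17:00; the PE blobs are constructed header-only stubs and the timestamps are made up for the demo.

```python
import struct
from datetime import datetime, timezone

def pe_timestamp(data: bytes) -> int:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image.
    Path: 'MZ' DOS header -> e_lfanew at 0x3C -> 'PE\\0\\0' signature -> COFF file
    header, whose 4-byte TimeDateStamp sits 4 bytes in (signature offset + 8)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp  # attacker-controlled: may be zeroed or forged, treat as a hint

def stamp_to_utc(stamp: int):
    """ISO-8601 UTC build time, or None for a zeroed/stripped stamp."""
    return None if stamp == 0 else datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()

def in_working_hours(stamp: int, utc_offset: int) -> bool:
    """True if the build landed Mon-Fri between 09:00 and 16:59 in UTC+utc_offset."""
    local = datetime.fromtimestamp(stamp + utc_offset * 3600, tz=timezone.utc)
    return local.weekday() < 5 and 9 <= local.hour < 17

def best_utc_offset(stamps):
    """Score every UTC offset by how many non-zero stamps fall in working hours;
    return (offset, hits, usable_sample_count). A sharp peak suggests a time zone."""
    usable = [s for s in stamps if s != 0]
    scores = {off: sum(in_working_hours(s, off) for s in usable) for off in range(-12, 15)}
    best = max(scores, key=scores.get)
    return best, scores[best], len(usable)

def build_pe_stub(stamp: int) -> bytes:
    """Constructed header-only PE blob (not a runnable binary) with e_lfanew = 0x40,
    just enough for pe_timestamp() to walk."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0x0102)  # i386, no sections
    return dos + b"PE\0\0" + coff

if __name__ == "__main__":
    # Constructed stamps: four April 2013 builds plus one zeroed stamp
    demo = [1366074000, 1366099200, 1366263000, 1366428420, 0]
    stamps = [pe_timestamp(build_pe_stub(s)) for s in demo]
    for s in stamps:
        print(s, stamp_to_utc(s))
    off, hits, n = best_utc_offset(stamps)
    print(f"{hits}/{n} usable samples built Mon-Fri 09:00-17:00 at UTC{off:+d}")
```

With these constructed stamps the peak lands on UTC+8, which is the kind of clustering the slide refers to; on real data the stamps of a whole sample set should be plotted, since a single forged or zeroed stamp says nothing.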

Threat Intelligence: Is it a stolen certificate? Are all these samples related?

  • All the malicious samples that use a specific stolen certificate were produced by the same actor.