6.4 Examining the Compilation Timestamp

The PE header contains information that specifies when the binary was compiled; examining this field can give an idea of when the malware was first created. This information can be useful in building a timeline of the attack campaign. It is also possible that an attacker modifies the timestamp to prevent an analyst from knowing the actual timestamp. A compile timestamp can sometimes be used to classify suspicious samples. The following example shows a malware binary whose timestamp was modified to a future date in 2020. In this case, even though the actual compilation timestamp could not be detected, such characteristics can help you identify anomalous behavior:

In Python, you can determine the compile timestamp using the following Python commands:

>>> import pefile
>>> import time
>>> pe = pefile.PE("veri.exe")
>>> timestamp = pe.FILE_HEADER.TimeDateStamp
>>> print time.strftime("%Y-%m-%d %H:%M:%S",time.localtime(timestamp))
2020-01-06 08:36:17

All Delphi binaries have a compile timestamp set to June 19, 1992, making it hard to detect the actual compile timestamp. If you are investigating a malware binary set to this date, there is a high possibility that you are looking at Delphi binary. The blog post at a http://www.hexacorn.com/blog/2014/12/05/the-not-so-boring-land-of-borland-executables-part-1/ gives information on how it may be possible to get the compilation timestamp from a Delphi binary.