PESCAN.IO - Analysis Report Valid Code

Information:
Size: 9,00 KB
SHA-256 Hash: 54BF690F5F2C88F9372E5A98EADD1876CCE376115C2D619BD97A332CF87C716B
SHA-1 Hash: 55DCB71E72400370C5010EF251832746A610FA08
MD5 Hash: 0C101AC9402FD27C216E7BD992A8AF27
Imphash: EE1698448DBF9F72A5B96446D16946D6
MajorOSVersion: 5
CheckSum: 00000000
EntryPoint (rva): 1E10
SizeOfHeaders: 400
SizeOfImage: 7000
ImageBase: 10000000
Architecture: x86
ExportTable: 2280
ImportTable: 205C
Characteristics: 2102
TimeDateStamp: 4BD43970
Date: 25/04/2010 12:45:36
File Type: DLL
Number Of Sections: 6
ASLR: Enabled
Section Names: .text, .rdata, .data, .TrueTra, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:
Section Name  Flags                  ROffset  RSize  VOffset  VSize
.text         60000020 (Executable)  400      1000   1000     F44
.rdata        40000040               1400     400    2000     305
.data         C0000040 (Writeable)   0        0      3000     28
.TrueTra      D0000040 (Writeable)   1800     200    4000     11
.rsrc         40000040               1A00     600    5000     4E8
.reloc        42000040               2000     400    6000     23A
Description:
InternalName: TrueTransparency
LegalCopyright: Lefreut 2007-2010
FileVersion: 1.4.1.189

Entry Point:
Section number 1 (.text) contains the Entry Point
Information -> EntryPoint (calculated) - 1210
Code -> 8B4424085633F683F80175638B4424086A0456A300300010FF150820001050FF15102000103BC6746FF60524300010017529
MOV EAX, DWORD PTR [ESP + 8]
PUSH ESI
XOR ESI, ESI
CMP EAX, 1
JNE 0X106F
MOV EAX, DWORD PTR [ESP + 8]
PUSH 4
PUSH ESI
MOV DWORD PTR [0X10003000], EAX
CALL DWORD PTR [0X10002008]
PUSH EAX
CALL DWORD PTR [0X10002010]
CMP EAX, ESI
JE 0X1098
TEST BYTE PTR [0X10003024], 1
JNE 0X105B

Signatures:
Rich Signature Analyzer:
Code -> 6BB9989E2FD8F6CD2FD8F6CD2FD8F6CD081E8DCD28D8F6CD2FD8F7CD3BD8F6CD26A07CCD2CD8F6CD26A064CD2ED8F6CD26A062CD2ED8F6CD26A067CD2ED8F6CD526963682FD8F6CD
Footprint md5 Hash -> 8E7AFC2CDBD01AFE54C613DD9FB1E082
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:
Detect It Easy (die)
PE: compiler: Microsoft Visual C/C++(2008 SP1)[-]
PE: linker: Microsoft Linker(9.0)[DLL32]
Entropy: 4.99861

ET Functions (carving):
Original Name -> TrueTransparencyHook.dll
_PauseHook@0
_StartHook@8
_StopHook@0

File Access:
TrueTransparencyHook.dll
GDI32.dll
USER32.dll
KERNEL32.dll

Words of Interest:
exec
start
pause

IP Addresses:
1.4.1.189

Strings/Hex Code Found With The File Rules:
EP Rules: Microsoft Visual C++ 8
EP Rules: Microsoft Visual C++ 8.0
EP Rules: TrueVision Targa Graphics format

Resources:
Path DataRVA Size FileOffset CodeText
\VERSION\1\1033 5298 24C 1C98 4C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000400 L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033 50A0 1F8 1AA0 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 <?xml version="1.0" encoding="UTF-8" standalone="y
Intelligent String:
• KERNEL32.dll
• www.customxp.net
• 1.4.1.189

Extra Analysis:
Metric Value Percentage
Ascii Code 4454 48,329%
Null Byte Code 3753 40,7227%