PESCAN.IO - Analysis Report

PESCAN.IO - Analysis Report Valid Code

File Structure:
PE chart code: - The executable header is displayed in light blue. - The executable sections are pink. - Non-executable sections are black. - Code added to executables externally to a compiler appears in red. Chart code for other files: - Printable characters are blue. - Non-printable characters (Null Bytes) are black.

Information:

Size: 9,00 KB
SHA-256 Hash: 54BF690F5F2C88F9372E5A98EADD1876CCE376115C2D619BD97A332CF87C716B
SHA-1 Hash: 55DCB71E72400370C5010EF251832746A610FA08
MD5 Hash: 0C101AC9402FD27C216E7BD992A8AF27
Imphash: EE1698448DBF9F72A5B96446D16946D6
MajorOSVersion: 5
CheckSum: 00000000
EntryPoint (rva): 1E10
SizeOfHeaders: 400
SizeOfImage: 7000
ImageBase: 10000000
Architecture: x86
ExportTable: 2280
ImportTable: 205C
Characteristics: 2102
TimeDateStamp: 4BD43970
Date: 25/04/2010 12:45:36
File Type: DLL
Number Of Sections: 6
ASLR: Enabled
Section Names: .text, .rdata, .data, .TrueTra, .rsrc, .reloc
Number Of Executable Sections: 1
Subsystem: Windows GUI
UAC Execution Level Manifest: asInvoker

Sections Info:

Section Name	Flags	ROffset	RSize	VOffset	VSize
.text	60000020 (Executable)	400	1000	1000	F44
.rdata	40000040	1400	400	2000	305
.data	C0000040 (Writeable)	0	0	3000	28
.TrueTra	D0000040 (Writeable)	1800	200	4000	11
.rsrc	40000040	1A00	600	5000	4E8
.reloc	42000040	2000	400	6000	23A

Description:

InternalName: TrueTransparency
LegalCopyright: Lefreut 2007-2010
FileVersion: 1.4.1.189

Entry Point:

The section number (1) - (.text) have the Entry Point
Information -> EntryPoint (calculated) - 1210
Code -> 8B4424085633F683F80175638B4424086A0456A300300010FF150820001050FF15102000103BC6746FF60524300010017529
• MOV EAX, DWORD PTR [ESP + 8]
• PUSH ESI
• XOR ESI, ESI
• CMP EAX, 1
• JNE 0X106F
• MOV EAX, DWORD PTR [ESP + 8]
• PUSH 4
• PUSH ESI
• MOV DWORD PTR [0X10003000], EAX
• CALL DWORD PTR [0X10002008]
• PUSH EAX
• CALL DWORD PTR [0X10002010]
• CMP EAX, ESI
• JE 0X1098
• TEST BYTE PTR [0X10003024], 1
• JNE 0X105B

Signatures:

Rich Signature Analyzer:
Code -> 6BB9989E2FD8F6CD2FD8F6CD2FD8F6CD081E8DCD28D8F6CD2FD8F7CD3BD8F6CD26A07CCD2CD8F6CD26A064CD2ED8F6CD26A062CD2ED8F6CD26A067CD2ED8F6CD526963682FD8F6CD
Footprint md5 Hash -> 8E7AFC2CDBD01AFE54C613DD9FB1E082
• The Rich header apparently has not been modified
Certificate - Digital Signature Not Found:
• The file is not signed

Packer/Compiler:

Detect It Easy (die)
• PE: compiler: Microsoft Visual C/C++(2008 SP1)[-]
• PE: linker: Microsoft Linker(9.0)[DLL32]
• Entropy: 4.99861

ET Functions (carving):

Original Name -> TrueTransparencyHook.dll
_PauseHook@0
_StartHook@8
_StopHook@0

File Access:

TrueTransparencyHook.dll
GDI32.dll
USER32.dll
KERNEL32.dll

Interest's Words:

exec
start
pause

IP Addresses:

1.4.1.189

Strings/Hex Code Found With The File Rules:

• EP Rules: Microsoft Visual C++ 8
• EP Rules: Microsoft Visual C++ 8.0
• EP Rules: TrueVision Targa Graphics format

Resources:

Path	DataRVA	Size	FileOffset	Code	Text
\VERSION\1\1033	5298	24C	1C98	4C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000400	L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...............
\24\1\1033	50A0	1F8	1AA0	3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279	<?xml version="1.0" encoding="UTF-8" standalone="y

Intelligent String:

• KERNEL32.dll
• www.customxp.net
• 1.4.1.189

Extra 4n4lysis:

Metric	Value	Percentage
Ascii Code	4454	48,329%
Null Byte Code	3753	40,7227%

PESCAN.IO - Analysis Report Valid Code