PESCAN.IO - Analysis Report Basic
| Information |
| Field | Value |
|---|---|
| Size | 754,71 KB |
| SHA-256 Hash | 8A9FE58B87ABE997640CEDCE1C80D3EAC6F9C36FC83B8976CF231D9E73BD5616 |
| SHA-1 Hash | 94E668AE7912A2520F5CF7995E84618935B572AD |
| MD5 Hash | B2926B3FF903F78B86E0F18FC2A0A600 |
| Imphash | 11AC28AD86192F5FAB9E059D9831E75D |
| MajorOSVersion | 6 |
| MinorOSVersion | 0 |
| CheckSum | 000BF920 |
| EntryPoint (rva) | 5E609 |
| SizeOfHeaders | 400 |
| SizeOfImage | BF000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ExportTable | ABDA0 |
| ImportTable | ABFF8 |
| IAT | 90000 |
| Characteristics | 102 |
| TimeDateStamp | 69B3DF36 |
| Date | 13/03/2026 9:56:06 |
| File Type | EXE |
| Number Of Sections | 5 |
| ASLR | Enabled |
| Section Names | .text, .rdata, .data, .rsrc, .reloc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| UAC Execution Level Manifest | asInvoker |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 8E600 | 1000 | 8E5C3 | | |
| .rdata | 0x40000040 Initialized Data Readable | 8EA00 | 1CA00 | 90000 | 1C9F8 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | AB400 | 4A00 | AD000 | 5AA4 | | |
| .rsrc | 0x40000040 Initialized Data Readable | AFE00 | 3400 | B3000 | 3278 | | |
| .reloc | 0x42000040 Initialized Data GP-Relative Readable | B3200 | 7800 | B7000 | 7668 | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | BankIDStart.exe |
| CompanyName | Finansiell ID-Teknik BID AB |
| LegalCopyright | 2026 Finansiell ID-Teknik BID AB |
| ProductName | BankID skerhetsprogram |
| FileVersion | 7.17.0.2123 |
| FileDescription | BankID Security Application |
| ProductVersion | 7.17.0.2123 |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Entry Point |
The section number (1) - (.text) has the Entry Point
Information -> EntryPoint (calculated) - 5DA09
Code -> E877080000E974FEFFFFE9FCEA00008B4DF464890D00000000595F5F5E5B8BE55D51C38B4DF033CDE8F5F9FFFFE9DDFFFFFF
Assembler:
CALL 0X187C
JMP 0XE7E
JMP 0XFB0B
MOV ECX, DWORD PTR [EBP - 0XC]
MOV DWORD PTR FS:[0], ECX
POP ECX
POP EDI
POP EDI
POP ESI
POP EBX
MOV ESP, EBP
POP EBP
PUSH ECX
RET
MOV ECX, DWORD PTR [EBP - 0X10]
XOR ECX, EBP
CALL 0XA22
JMP 0X100F
| Signatures |
Rich Signature Analyzer:
Code -> 8D5D3387C93C5DD4C93C5DD4C93C5DD482445ED5C53C5DD4824458D56E3C5DD4824459D5DC3C5DD40BBD59D5DB3C5DD40BBD5ED5D13C5DD40BBD58D5903C5DD482445CD5C03C5DD4C93C5CD45D3C5DD43ABE58D5D53C5DD43ABE5DD5C83C5DD43ABEA2D4C83C5DD4C93CCAD4CB3C5DD43ABE5FD5C83C5DD452696368C93C5DD4
Footprint md5 Hash -> AE7AEDE9136850A7B524364D9500AC71
• The Rich header apparently has not been modified
Certificate - Digital Signature:
• The file is signed and the signature is correct
| Packer/Compiler |
Compiler: Microsoft Visual Studio
Detect It Easy (die)
• PE: compiler: EP:Microsoft Visual C/C++(2017 v.15.5-6)[EXE32]
• PE: compiler: Microsoft Visual C/C++(-)[-]
• PE: linker: Microsoft Linker(14.39**)[-]
• PE: Sign tool: Windows Authenticode(2.0)[PKCS 7]
• Entropy: 6.55286
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| File Access |
| BankIDStart.exe ole32.dll KERNEL32.dll USER32.dll .dat @.dat Temp |
| File Access (UNICODE) |
| BankIDStart.exe mscoree.dll 0123456789-0123456789-kernel32.dll |
| Interest's Words |
| exec start ping |
| Interest's Words (UNICODE) |
| start |
| URLs |
| http://ocsp.digicert.com http://cacerts.digicert.com/DigiCertCSECCP384RootG5.crt http://crl3.digicert.com/DigiCertCSECCP384RootG5.crl http://www.digicert.com/CPS0 http://crl3.digicert.com/DigiCertG5CSECCSHA3842021CA1.crl http://crl4.digicert.com/DigiCertG5CSECCSHA3842021CA1.crl http://cacerts.digicert.com/DigiCertG5CSECCSHA3842021CA1.crt http://cacerts.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crt http://crl3.digicert.com/DigiCertTrustedG4TimeStampingRSA4096SHA2562025CA1.crl http://cacerts.digicert.com/DigiCertTrustedRootG4.crt http://crl3.digicert.com/DigiCertTrustedRootG4.crl http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl https://www.bankid.com |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | WinAPI Sockets (connect) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Hex | Hex Pattern | PEB AntiDebug (Flag BeingDebugged) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Execution (OpenEventA) |
| Text | Ascii | Execution (CreateEventA) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \REGISTRY\101\1033 | B3250 | 2D8 | B0050 | 484B43520A7B0A202020204269737052656D6F74696E674C69622E52656D6F74696E674368616E6E656C2E31203D20732027 | HKCR.{. BispRemotingLib.RemotingChannel.1 = s ' |
| \TYPELIB\1\1033 | B3528 | 77C | B0328 | 4D5346540200010000000000090400000000000041000000000000000000000002000000FFFFFFFF00000000000000000900 | MSFT................A............................. |
| \VERSION\1\6 | B3CA8 | 34C | B0AA8 | 4C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\9 | B3FF8 | 34C | B0DF8 | 4C0334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\11 | B4688 | 348 | B1488 | 480334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | H.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\12 | B49D0 | 354 | B17D0 | 540334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | T.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\19 | B4D28 | 350 | B1B28 | 500334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | P.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\20 | B5720 | 338 | B2520 | 380334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | 8.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\21 | B5A58 | 354 | B2858 | 540334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | T.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\29 | B5DB0 | 344 | B2BB0 | 440334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\37 | B4348 | 340 | B1148 | 400334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | @.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\38 | B5078 | 360 | B1E78 | 600334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | .4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \VERSION\1\39 | B53D8 | 344 | B21D8 | 440334000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001001100 | D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\1033 | B60F8 | 17D | B2EF8 | 3C3F786D6C2076657273696F6E3D27312E302720656E636F64696E673D275554462D3827207374616E64616C6F6E653D2779 | <?xml version='1.0' encoding='UTF-8' standalone='y |
| Intelligent String |
• BankIDStart.exe
• C:\GitLab-Runner\builds\uRVNXkrSn\1\client\bisp\bisp\2123\external\boost-artifacts\boost/exception/detail/exception_ptr.hpp
• KERNEL32.DLL
• 0123456789-0123456789-kernel32.dll
• mscoree.dll
• C:\GitLab-Runner\builds\uRVNXkrSn\1\client\bisp\bisp\2123\bisp\cmake-build\windows\Release\bisp\BispApp\Release\BankIDStart.pdb
• .tls
• .bss
• USER32.dll
• KERNEL32.dll
• :060U00Uq]dL.g?O0U0E1-Q!m0U0y+m0k0$+0http://ocsp.digicert.com0C+07http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0EU>0<0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0U
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 8EC64 | 43590 | .rdata | TLS Callback | Pointer to 443590 - 0x42990 .text |
| BAA00 | N/A | *Overlay* | D820000000020200308220C906092A864886F70D | . ......0. ...*.H... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 447479 | 57,9018% |
| Null Byte Code | 126111 | 16,3182% |