Malware Hash Registry
The Malware Hash Registry (also known as the Malware Database) is a vast collection of information about hundreds of millions of files. It allows users to add hash look-up capabilities to their security systems, making their security measures smarter.
The database is continuously updated in real time, making the AI-powered API extremely valuable for IT professionals and malware researchers. It quickly identifies unknown or suspicious files by checking their MD5, SHA1, or SHA256 hashes. Bulk requests are also supported, simplifying the processing of multiple file hashes at once.
The Malware Hash Registry (MHR) has many practical uses to improve cybersecurity and safeguard against threats. Here's an explanation of each use case:
- Website Form Protection (e.g., File Uploads Protection): MHR keeps web applications safe by stopping the upload of harmful files through website forms. It checks incoming files against its database to block any potential threats.
- Anti-Virus Scanner for Servers/IoT Devices (Where Full AV Software Is Not Possible): MHR acts as a useful alternative when full Anti-Virus (AV) software can't be installed. It efficiently scans files on servers or IoT devices to detect malware without the need for heavy AV software.
- Data Enrichment for Security Systems: MHR enhances threat detection in security systems like SIEM/SOAR or EDR/XDR. By integrating with these systems, organizations get better insights into various malware threats and their characteristics.
- Customized IPS/DLP: Organizations can customize their Intrusion Prevention Systems (IPS) and Data Loss Prevention (DLP) with MHR data. By checking file hashes, they can improve protection against specific types of malware and data breaches.
- Malware Research: MHR is a valuable resource for malware researchers and analysts. It provides a large repository of information about known malicious files, helping researchers understand malware behavior and impact.
By using the Malware Hash Registry, organizations can proactively protect themselves from risks, detect threats early, and keep their critical assets and data safe from malicious attacks.
Malware Hash Registry is used as an additional security layer and is not suitable as complete replacement for Anti-Virus, Firewalls, or IPS solutions.
[GET] Single hash lookup*
Billable
Endpoint
[GET] https://api.itsecurity.ee/v4/hash/{hash}
Description
The API provides a Single Hash Lookup method, allowing users to retrieve information about specific SHA256 or MD5 hashes. Request parameter {hash} that represents the MD5, SHA1, or SHA256 hash for which information is requested.
Response keys:
found(bool): Indicates whether the hash exists in the database.infected(bool): Indicates if the hash is associated with a known infection.last_access(str): Represents the last time the hash was accessed by any API user.created_at(str): Represents the time when the hash was added to the database.severity(int): An indicator of infection spreading with values ranging from 1 (not known) to 10 (very common).sha256(str): File's SHA256 hash.sha1(str): File's SHA1 hash.md5(str): File's MD5 hash.classification(str): Classification of the infection found (if applicable).infection_type(str): Type of infection, such as trojan, worm, adware, backdoor, hoax, etc.platform(str): Platform associated with the infection, e.g., win32, Android, Linux, MS Office, script, etc.views(int): Number of views (counter) of the requested hash.size(int): File size in bytes.downloadable(bool): Indicates if the sample is available for download.download_meta(obj): Metadata related to the infected sample (visible when downloads are enabled for the account).downloads(int): Represents the amount of file downloads (only visible when downloads are enabled for the account).storage(list): TL datacenter hot copy of the file is stored at (only visible when downloads are enabled for the account).
ssdeep(str): Infection's SSDEEP hash. Read morepeinfo(obj): Contents of PE header. Read moreexport_info(obj)file_info(obj)pe_info(obj)signcheck(obj)section_info(list)import_info(list)
apkinfo(obj): Contents extracted from Android's APK file. Read moremain_activity(str)package_name(str)signcheck(obj)service_list(list)api_list(list)permission_list(list)activity_list(list)file_list(list)
magic(str): String representation of the file's magic bytes. Read moretags(list): Tags assigned to the file.
Example Response
{
"additional_data": {},
"payload": {
"download_meta": {
"compression": 0.45,
"downloads": 0,
"integrity": "539be0fd2d1d545f860254093a103219225d461d18c67b3822885bd9b15ddcba",
"storage": "TLL, Cold Storage"
},
"downloadable": true,
"found": true,
"infection_type": "trojan",
"last_access": 1560685796,
"last_modified": 1328090847,
"magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
"md5": "e0297d3e661dbf9587eab032249de4a5",
"peinfo": {
"export_info": {},
"file_info": {},
"import_info": [
{
"dll_name": "KERNEL32.dll",
"function_list": [
"ReadFile",
"GetCommandLineW",
"CreateFileW",
"MultiByteToWideChar",
"CreateProcessW",
"CloseHandle",
"WideCharToMultiByte",
"Sleep",
"UnmapViewOfFile",
"GetTempPathW",
"GetTempFileNameW",
"CreateFileMappingW",
"MapViewOfFile",
"SetEnvironmentVariableA",
"CompareStringW",
"GetSystemTimeAsFileTime",
"HeapAlloc",
"GetLastError",
"HeapFree",
"HeapSetInformation",
"GetStartupInfoW",
"TerminateProcess",
"GetCurrentProcess",
"UnhandledExceptionFilter",
"SetUnhandledExceptionFilter",
"IsDebuggerPresent",
"EncodePointer",
"DecodePointer",
"GetTimeZoneInformation",
"TlsAlloc",
"TlsGetValue",
"TlsSetValue",
"TlsFree",
"InterlockedIncrement",
"GetModuleHandleW",
"SetLastError",
"GetCurrentThreadId",
"InterlockedDecrement",
"GetProcAddress",
"ExitProcess",
"WriteFile",
"GetStdHandle",
"GetModuleFileNameW",
"HeapCreate",
"FreeEnvironmentStringsW",
"GetEnvironmentStringsW",
"SetHandleCount",
"InitializeCriticalSectionAndSpinCount",
"GetFileType",
"DeleteCriticalSection",
"QueryPerformanceCounter",
"GetTickCount",
"GetCurrentProcessId",
"LeaveCriticalSection",
"EnterCriticalSection",
"GetCPInfo",
"GetACP",
"GetOEMCP",
"IsValidCodePage",
"LoadLibraryW",
"RtlUnwind",
"IsProcessorFeaturePresent",
"HeapReAlloc",
"LCMapStringW",
"GetStringTypeW",
"HeapSize"
]
},
{
"dll_name": "USER32.dll",
"function_list": [
"FindWindowW",
"SendMessageW"
]
},
{
"dll_name": "SHELL32.dll",
"function_list": [
"CommandLineToArgvW"
]
}
],
"pe_info": {
"characteristics": "0x102(EXECUTABLE_IMAGE, 32BIT_MACHINE)",
"entry_point": "0x20F3",
"file_alignment": "0x200",
"image_base": "0x400000",
"pe_file_type": "PE32",
"section_alignment": "0x1000",
"stored_checksum": "0x1078C",
"subsystem": "0x2(WINDOWS)"
},
"section_info": [
{
"raw_data_hash": "404b5f5f5babd31356644ca56efd0e4161c71b050cb44324bab95efa5053df00",
"raw_data_offset": "0x400",
"section_name": ".text"
},
{
"raw_data_hash": "147682f1e931eee6b48089e0dfa639c09328c5da1142c400835343111a622e57",
"raw_data_offset": "0xB000",
"section_name": ".rdata"
},
{
"raw_data_hash": "583e757665900f7be926808c6a29990b53bc231206779be982b5926dad455417",
"raw_data_offset": "0xDC00",
"section_name": ".data"
},
{
"raw_data_hash": "1be493102fb3e22f4726ebea75c1ebd6f4383db62011d1183378bb36e72940af",
"raw_data_offset": "0xEC00",
"section_name": ".rsrc"
},
{
"raw_data_hash": "c2818fd7b2d3b184dfc2d55bb9443ec59b5a39a7a13066cea7f08e6680b57fd3",
"raw_data_offset": "0x14C00",
"section_name": ".reloc"
}
],
"signcheck": {
"verified": "Unsigned"
}
},
"platform": "win32",
"severity": 5,
"sha1": "633240a3e553f2ecb7923649889c31315c64bece",
"sha256": "7a776578c3cd46317a309451c5e324147d79da49bfb372de4d3dbc875dd1dde8",
"size": 90112,
"tags": [
"injector",
"graftor",
"agent",
"exe_32bit",
"dropper",
"peexe",
"trojan"
],
"views": 18
},
"success": true
}
[POST] Batch hash lookup*
Billable
Endpoint
[POST] https://api.itsecurity.ee/v4/hash/
Description
The API allows checking multiple hashes at once. It functions similarly to the single lookup method, providing information about each hash submitted. Up to 100 hashes can be sent in a single request, which is helpful when dealing with a large number of hashes. This saves time and reduces the number of requests needed. Up to 100 hashes can be included in each request. If there are more than 100 hashes to check, multiple requests will be needed accordingly.
Example Response
{
"additional_data": {
"incorrect": [
"any other sha256 or md5 hash",
"..."
],
"not_found": []
},
"payload": [
{
"found": true,
"infection_type": "trojan",
"last_access": 1562245999,
"last_modified": 1423384557,
"md5": "6ba1f6525ce0ef40c3d3472b059cb0b1",
"platform": "js",
"severity": 3,
"sha1": "cce4ac9de7e5ee083e7a1c6db37c37d2c8c59119",
"sha256": "00795af804437c9ec785803e3fdba906c40fd795db06698546e98f9dc3656191",
"views": 79
},
{
"download_meta": {
"compression": 0.5,
"downloads": 0,
"integrity": "b546aacb26a0330315857dbdd5fb60e34d5152b0c0d8881a0ec668af2ceefa81",
"storage": "TLL, Cold Storage"
},
"downloadable": true,
"found": true,
"infection_type": "virus",
"last_access": 1559569432,
"last_modified": 1394952410,
"magic": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"md5": "5e88c886adb5e69d72623abc22f264d6",
"platform": "win32",
"severity": 9,
"sha1": "8e03b3fbf91d357a2509cc84ea3bd1793c7e9bf2",
"sha256": "05028743ad83cf5548acf07b22657e41a79e4ad6f3b977294aa3b88733f04b2d",
"size": 459679,
"tags": [
"interested_strings_ip",
"pioneer",
"dll_32bit",
"interested_strings_path",
"virus",
"floxif",
"pedll"
],
"views": 17
}
],
"success": true
}