Hash Validation.
Built for triage.
Team Cymru operates the Malware Hash Registry for the analysts, researchers, and detection engineers who triage malware at scale. Programmatic hash lookups against 30+antivirus databases and over 8 years of our own malware analysis, returned in near-real-time over HTTPS, DNS, or WHOIS. Built for the workflows where speed matters most. Operated for the community, not as a product.
Advanced malware detection through community-scale hash validation.
The Malware Hash Registry is a programmatic hash validation service operated by TeamCymru. Submit an MD5, SHA-1, or SHA-256 hash via HTTPS, DNS, or WHOIS and get back a near-real-time response showing the last time the sample was seen and the percentage of 30+ antivirus databases that flagged it. Built for the triage workflows where a single lookup answers the question: is this thing malware.
30+ Antivirus Databases
Every hash you submit gets cross-referenced against 30+undisclosed antivirus vendor databases plus Team Cymru’s own malware analysis. One lookup. The collective signalof every major detection engine in the industry.
Near-Real-Time Response
Hash query in, detection result back. Returns the last-seen timestamp and the percentage of antivirus packages that flagged the sample. Fast enough for analyst triage workflows; structured enough for pipeline automation.
Three Hash Formats
Supports MD5, SHA-1, and SHA-256. Whatever your detection pipeline produces, MHR accepts. Submit a single hash, a batch over the API, or query interactively from the portal during an investigation.
Three Access Protocols
Query over HTTPS, DNS, or WHOIS. Pick the protocol your stack already supports. False-positive filtering and NIST exclusions baked in. No appliance, no SDK, no integration tax.
Malware Hash Registry access.

Programmatic hash validation against 30+ antivirus databases and 8+ years of Team Cymru malware analysis. Submit MD5, SHA-1, or SHA-256 hashes over HTTPS, DNS, or WHOIS. Get back the last-seen timestamp and antivirus detection percentage. False positives filtered. NIST entries excluded. Built for triage workflows where the answer needs to come back in milliseconds.
Why MHR
Team Cymru built the Malware Hash Registry for the analysts who triage samples at 2 AM, the detection engineers wiring up pipelines, and the researchers chasing campaigns across borders. Hash validation should never be a paywall between you and the answer. So we share 8+ years of our own malware analysis and cross-reference it against every major antivirus database in the industry, free, for the community of defenders who keep the internet a little less hostile.
“ Our Promise
Every defender deserves a fast answer to one question: is this thing malware? We’ve been answering it for over a decade. We’ll keep answering it as long as the question gets asked.”
MHR is free for non-commercial use. No subscription. No query quota on the community tier. No invoice at the end of a trial. The intelligence belongs to the people defending the internet, and the cost of access should never be the thing that stops a triage call.
We support HTTPS for security-sensitive integrations, DNS for low-friction lookups, and WHOIS for legacy automation. We don't care which one you pick. We care that the answer is in your pipeline bythe time the analyst needs it.
False-positive filtering, NIST exclusions, polymorphic deduplication. Every quality safeguard in MHR exists because an analyst told us their queue was full of noise. We listen, we filter, we ship cleaner signal. The community shapes the corpus.
Team Cymru has operated community infrastructure for 25 years. MHR has cross-referenced hashes for defenders worldwide forover a decade and counting. Adversaries don't take quarters off, and neither do we. As long as malware exists, MHR exists.
In Practice
Same MHR, different defender. Here’s the workflow when the hash hits the queue, what MHR does in the middle, and what the analyst walks away with.
SOC Analysts
Suspicious attachment lands in the SIEM. Is it actually malware?
Pressure
Unknown sample
MHR Action
Hash lookup · HTTPS
Outcome
94% detection match
Detection Engineers
Building a pipeline that auto-validates every hash through the gateway.
Pressure
Volume of file events
MHR Action
Batch via REST API
Outcome
Enriched pipeline
Threat Researcheres
Chasing a campaign across borders, dozens of samples to cross-reference.
Pressure
Campaign attribution
MHR Action
30+ AV cross-check
Outcome
Malware family confirmed
Network Security Teams
Need to enrich secure gateway, CASB, and DMS workflows with hash validation.
Pressure
Tool sprawl
UTRS Action
Community layer added
Outcome
Resilient stack
Every MHR capability came from a defender asking for it. Protocol support, batch endpoints, false-positive filters, NIST exclusions. If your stack needs something we don’t currently offer, submit a request. The team that operates MHR reads everyone.
Used Worldwide
SOC analysts, detection engineers, threat researchers, network security teams, integration partners. MHR is queried millions of times by the defenders working the front lines of malware triage, in pipelines and portals across six continents.
SOC ANALYSTS
Detection Engineers
Threat Researchers
Network Security
Integration Partners
Defense is Layered
MHR validates hashes at the file layer. If your operational priority is filtering bogon routes, mitigating volumetric DDoS, monitoring backbone threats, or coordinating with the global CSIRT community, the Operational Marketplace has the right tool for the mission.
Bogon Networks
Reference data for unrouted, reserved, and unallocated IPv4 and IPv6 prefixes. Six access formats for filtering at the routing layer.
DDoS Mitigation UTRS
Real-time BGP-based DDoS mitigation, coordinated across 1,300+network operators worldwide. Stop volumetric attacks at the source.
Nimbus Threat Monitor
Near-real-time cyber threat detection for ISPs and hosting providers. Cross-references your network flows against 7M+ IP reputation indicators.
CSIRT Assistance Program
Operational support for national and sector CSIRTs worldwide. Trust-network coordination and incident response.
GLOBAL DEFENDER EXCHANGE COMMUNITY
Is this thing malware?
Get the answer in milliseconds.
Operated by Team Cymru for the analysts, researchers, and detection engineers triaging malware at scale. Hash lookups against 30+ antivirus databases and 8+ years of our own malware analysis, accessible over HTTPS, DNS, or WHOIS. Free for non-commercial use. Built for the community of defenders who keep the internet a little less hostile.