Malware Hash Registry (MHR) An antivirus and malware validation force multiplier.

Discover Malware Hash Registry 2.0

Identify new or emerging malware that may not be detected by your existing anti-malware tools.


MHR is our free malware validation tool that searches against 30+ antivirus databases and our own malware database to serve as a force multiplier for malware detection and validation. It’s like having an army of malware detectors giving you insight single antivirus solutions cannot.

Researchers and analysts can submit their malware hashes via the MHR portal to get near-real-time results that tell them the percentage of malware databases containing signature matches.

Developers and networks security teams can integrate MHR into existing workflows to augment malware detection.

Get Started
Malware Hash Registry

Malware Hash Registry Features

  • Access to 8+ years of Team Cymru malware analysis
  • Support for MD5, SHA-1 and SHA-256
  • Multiple service options


Use Cases



Validate file samples quickly and easily by cross-referencing 30+ antivirus databases and Team Cymru’s malware analysis in a single lookup.


Integrate with…

  • Secure Gateways
  • Cloud Access Security Brokers
  • Document Management Systems

For non-commercial use only.

Help us ensure stable service.

If you are planning on implementing or automating the use of this service in any free or open software, application or host, PLEASE let us know in advance. We would like to adequately plan for capacity and make sure that we can handle the additional load you may generate. Please use the WHOIS-based service for larger queries. We have had instances where large deployments are put in place without informing us in advance, making it difficult to maintain a stable service for the rest of the community.

Attempting to enumerate the malware registry via the public service interface is not only impractical, it is also strictly prohibited. Contact us if the public interface is insufficient for your needs and we may be able to come up with alternative arrangement.




  • Near-real-time results include file #, Time Stamp (EPOC) and signature match percentage.
  • Positive hits return the last time we saw the sample along with an approximate antivirus detection percentage.
  • Cross-references 30+ antivirus databases and 8+ years of Team Cymru malware analysis.
  • Support for MD5,  SHA-1 and SHA-256 hashes.
  • Access via HTTPS, DNS, WHOIS
  • False positive mitigation:
    • We don’t list items with less than 10% detection rate.
    • We exclude entries present in the NIST database.
    • We try to exclude multiple copies of polymorphic malware.


Service Options

Whois (TCP 43) *

DNS (UDP 53) *



* Please be mindful of your risk tolerance and privacy concerns when choosing your transport protocol. DNS is convenient and a standard internet protocol, but does not normally afford the user integrity and confidentiality. HTTPS is recommended for those wanting increased integrity and confidentiality.


Frequently asked questions

How do I interpret the output?

If a hash exists in our registry and is identified as malware there are two output values of interest. One is a timestamp when the malware was last seen, the other the rough antivirus package detection rate.

The timestamp is a Unix time aka POSIX time whose value is the number of seconds since midnight January 1, 1970 universal coordinated time (UTC). So for example, 1223478925 seconds since midnight 1970-01-01 is Wednesday, October 8 15:15:25 UTC 2008. With a bash shell in Unix you can map between Unix time and a more readable local time using the command date --date="1970-01-01 <Unix timestamp> secs UTC". Using Perl, you can use this command perl -e 'print scalar localtime(<Unix timestamp>),"\n"'.

The antivirus package detection rate is a two or three digit value representing the total detection rate as a percent of all the antivirus packages we ran the malware against.

What antivirus packages are you using?

We use over 30 undisclosed antivirus software packages. In a limited number of cases a smaller number of AV packages will be used.

How do you collect malware?

We employ various collection techniques, such as honeypots and crawlers, as well as leveraging private data sharing agreements with partners.

How up-to-date is your registry?

The malware hash registry is reloaded once per day. Please note that we try to avoid including too much polymorphic malware when possible.

Can I have a copy of one or more piece(s) malware you have?

Sorry, we believe it is inappropriate to share actual binary copies of malware with the general public. Additionally, many of our data-sharing agreements would not permit us to re-distribute samples.

Can I download your hash registry database?

The hash registry database is not publicly available for download, but you may contact us about setting up a data sharing agreement should you need a more efficient method of performing queries.

Your service says my file is malware, but I know it is not!

We’re very sorry about that. If you have found a false positive, we do want to know about it so we can fix a potential problem with our system. First, please be absolutely sure it is not malware. There are numerous free online services that will run your malware through multiple antivirus packages. Virus Total is one such example. If you’re sure the file is not malware, you will need to send us a copy of it. Use our main contact address and please encrypt the file with PGP to our public key in order to avoid any potential mail filtering problems.

This service is great! How can I help?

We’re glad you asked! Please contact us to let us know in what capacity you think you can be of assistance in terms of data or time. We’re always looking for more partners.

I'm a vendor, and I'd like to send you my AV package. Can you use it?

Sure! Please send us the details regarding your AV package. Presently we only support Windows compatible versions of AV products.

Can I send you malware?

Please feel free to contact us as to how we may be able to receive your feed.