Malware Hash Registry (MHR)

Fill your antivirus gaps.

Check suspect hashes against 30+ antivirus tools, plus our own analysis.

The Team Cymru Malware Hash Registry (MHR) complements antivirus tools by helping to identify unknown or suspicious files. Based on our research, standard antivirus tools have trouble detecting every possible piece of malware when it first appears. MHR aggregates the results of over 30 antivirus tools, as well as our own analysis, in order to improve your detection rate and tell you what percentage of AV tools flagged your samples as malicious. It’s like having an army of malware detectors giving you insight single antivirus solutions cannot.

  • False positive mitigation:
    • We don’t list items with less than 5% detection rate
    • We exclude entries present in the NIST database
    • We try to exclude multiple copies of polymorphic malware
  • Query for MD5 or SHA-1 hashes
  • Positive hits return the last time we saw the sample along with an approximate antivirus detection percentage

For non-commercial use only…

The Malware Hash Registry (MHR) is free for non-commercial use ONLY. If you wish to discuss commercial use of this service, please contact Team Cymru for more information.

Help us ensure stable service.

  • If you are planning on implementing or automating the use of this service in any free or open software, application or host, PLEASE let us know in advance. We would like to adequately plan for capacity and make sure that we can handle the additional load you may generate. Please use the WHOIS-based service for larger queries. We have had instances where large deployments are put in place without informing us in advance, making it difficult to maintain a stable service for the rest of the community.
  • Attempting to enumerate the malware registry via the public service interface is not only impractical, it is also strictly prohibited. Contact us if the public interface is insufficient for your needs and we may be able to come up with an alternative arrangement.

Service Options

Whois (TCP 43)

DNS (UDP 53)

HTTP (TCP 80)

HTTPS (TCP 443)

Additional features are being considered for the future. Contact us with your ideas!

How do I use these services?

WHOIS

The whois daemon acts like a standard whois server would, but an MD5 or SHA-1 hash value is passed as the argument instead of a name or address. It accepts arguments on the command line for single whois queries and it also supports BULK hash submissions when combined with GNU’s netcat for those who wish to optimize their queries. When issuing requests for two or more hashes we strongly suggest you use netcat for BULK submissions since there is less overhead.

WARNING: Source addresses or networks that are seen abusing the whois server with large numbers of individual queries instead of using the bulk netcat interface may be null routed. Sources issuing an abnormally large number of queries may be automatically rate-limited. The netcat interface should be used for large groups of hash lists at a time in one single TCP query.

There is presently one whois server available with round robin IP addresses:

  • cymru.com

The syntax for whois and netcat whois IP queries is as follows:

Whois   Netcat          Action
        begin           enable bulk input mode          (netcat only)
        end             exit the whois/netcat client    (netcat only)
help    help            the help message

An example use of the command-line arguments on a single malware hash query:

$ whois -h hash.cymru.com 1cf7724052b5aba962bc6ba81743e2a9
1cf7724052b5aba962bc6ba81743e2a9 1596014805 36

The output above includes the hash that was queried for, along with the last time we saw that hash (a GMT timestamp expressed in Unix epoch seconds) and the detection percentage across a mix of AV packages. If the malware hash is NOT in the database, the results will look something like this:

$ whois -h hash.cymru.com 1250ac278944a0737707cf40a0fbecd4b5a17c9d
1250ac278944a0737707cf40a0fbecd4b5a17c9d NO_DATA

We recommend the use of GNU’s version of netcat, not nc. (nc has been known to cause buffering problems with our server and will not always return the full output for larger malware hash lists). GNU netcat can be downloaded from http://netcat.sourceforge.net. This is the same as gnetcat in FreeBSD ports.

To issue bulk queries, follow these steps:

  • Create a file with a list of hashes, one per line. Add the word begin at the top of the file and the word end at the bottom. Example of list01:
begin
7697561ccbbdd1661c25c86762117613
d48a85139dde1eb00ee7460e80f42c35
1cf7724052b5aba962bc6ba81743e2a9
end
  • Run the list through GNU netcat (NOT the venerable nc).
$ netcat hash.cymru.com 43 < list01 > list02

The file list02 should now appear as:

# Bulk mode; hash.cymru.com [2009-11-12 19:39:50 +0000]
# SHA1|MD5 TIME(Unix_t) DETECTION_PERCENT
7697561ccbbdd1661c25c86762117613 1258054790 NO_DATA
d48a85139dde1eb00ee7460e80f42c35 1567523514 NO_DATA
1cf7724052b5aba962bc6ba81743e2a9 1596014805 36

Additional help can be obtained by issuing the help command:

$ whois -h hash.cymru.com help
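A small Python client for the bulk WHOIS interface described above, added here as an example (it is not Team Cymru's code): it hashes a local file, wraps the digests in the begin/end markers, parses the response lines shown on this page (including both NO_DATA forms) and converts the Unix timestamp to UTC. The embedded sample response is constructed from the output lines quoted above; the host and port are the ones given on this page.

```python
import hashlib
import socket
from datetime import datetime, timezone

MHR_HOST = "hash.cymru.com"  # whois server named on this page
MHR_PORT = 43


def hash_bytes(data):
    """Return (md5, sha1) hex digests; MHR accepts either kind."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def file_hashes(path):
    """Hash a local file in chunks so large samples do not sit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def build_bulk_request(hashes):
    """Wrap hashes in the begin/end markers the bulk netcat interface expects."""
    return "begin\n" + "\n".join(h.strip().lower() for h in hashes) + "\nend\n"


def parse_bulk_response(text):
    """Parse 'HASH TIME DETECTION' lines; lines starting with '#' are comments.
    Returns {hash: (last_seen_utc or None, percent or None)}; NO_DATA may
    appear with or without a timestamp, so both shapes are accepted."""
    results = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#"):
            continue
        if fields[-1] == "NO_DATA":
            results[fields[0]] = (None, None)  # hash not in the registry
            continue
        ts, pct = int(fields[1]), int(fields[2])
        results[fields[0]] = (datetime.fromtimestamp(ts, tz=timezone.utc), pct)
    return results


def query_mhr(hashes, timeout=30):
    """One bulk TCP query (network call; the parser above is the offline part)."""
    with socket.create_connection((MHR_HOST, MHR_PORT), timeout=timeout) as s:
        s.sendall(build_bulk_request(hashes).encode())
        s.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: s.recv(4096), b""))
    return parse_bulk_response(reply.decode(errors="replace"))


# Constructed from the bulk-mode output quoted on this page.
SAMPLE_RESPONSE = """# Bulk mode; hash.cymru.com [2009-11-12 19:39:50 +0000]
# SHA1|MD5 TIME(Unix_t) DETECTION_PERCENT
7697561ccbbdd1661c25c86762117613 1258054790 NO_DATA
1cf7724052b5aba962bc6ba81743e2a9 1596014805 36
"""
```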

DNS

The DNS daemon is designed for infrequent, but rapid lookups, much in the same way as other remote blackhole list (RBL) lookups are done. DNS has the added advantage of being able to cache answers locally and is based on UDP, so there is much less overhead from a client perspective. Prepend the hash value as a label to the malware.hash zone:

  • hash.cymru.com

There are two types of queries you can perform, a TXT or an A query. The TXT query will give a bit more verbose output, including the last seen timestamp and an antivirus package detection rate if the hash exists in our registry. If the hash exists in our registry and you just issue a default A query, a loopback address will be returned. The address returned for a positive result should always be 127.0.0.2.

The format and output for a DNS TXT query is as follows:

$ dig +short 1cf7724052b5aba962bc6ba81743e2a9.malware.hash.cymru.com TXT
"1596014805 36"

The format and output for a DNS A query is as follows:

$ dig +short 1cf7724052b5aba962bc6ba81743e2a9.malware.hash.cymru.com A
127.0.0.2

If a given hash does not exist in our registry, the daemon will return a standard NXDOMAIN response (domain does not exist). If you have been rate limited, you will not receive any response and your packet will be dropped.
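An added Python example (not Team Cymru's code) for the DNS interface described above: it builds the query name, classifies an A-record answer, and keeps the two failure modes the page describes apart, since NXDOMAIN means "not in the registry" while a dropped, rate-limited query shows up as a temporary resolver failure and must not be read as a clean result. The resolver is injectable, and the two stand-in resolvers are constructed so the logic can be exercised offline; the zone and the 127.0.0.2 hit address come from this page.

```python
import socket

MHR_ZONE = "malware.hash.cymru.com"  # zone from this page
MHR_HIT = "127.0.0.2"                # address returned for a positive hit


def mhr_dns_name(digest):
    """Prepend the MD5/SHA-1 hex digest as a label to the MHR zone."""
    return f"{digest.strip().lower()}.{MHR_ZONE}"


def dns_a_lookup(digest, resolve=socket.gethostbyname):
    """Classify a hash via the A-record interface.

    Returns 'listed' (127.0.0.2), 'not_listed' (NXDOMAIN) or 'unknown'
    (no usable answer, e.g. the query was dropped because of rate limiting).
    Any other address is reported as 'unexpected:<addr>' rather than guessed.
    """
    try:
        addr = resolve(mhr_dns_name(digest))
    except socket.gaierror as e:
        if e.errno == socket.EAI_NONAME:   # NXDOMAIN: hash not in registry
            return "not_listed"
        return "unknown"                    # EAI_AGAIN etc.: no answer, retry later
    return "listed" if addr == MHR_HIT else "unexpected:" + addr


def parse_txt_answer(txt):
    """Parse the TXT payload shown above, '1596014805 36', into (unix_time, pct)."""
    ts, pct = txt.strip().strip('"').split()
    return int(ts), int(pct)


# Constructed stand-ins for the resolver (no packets are sent).
def nxdomain_resolver(name):
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


def dropped_resolver(name):
    raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")
```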

HTTP/HTTPS

The HTTP/HTTPS interface to WebMHR acts as a web-based proxy to the underlying WHOIS service. You can reach the web interface by browsing to:

http://hash.cymru.com/ or https://hash.cymru.com/

Simply follow the instructions on either of the pages at the links above to submit your hashes via the web.

Frequently asked questions

How do I interpret the output?

If a hash exists in our registry and is identified as malware there are two output values of interest. One is a timestamp when the malware was last seen, the other the rough antivirus package detection rate.

The timestamp is a Unix time, aka POSIX time, whose value is the number of seconds since midnight January 1, 1970 Coordinated Universal Time (UTC). So for example, 1223478925 seconds since midnight 1970-01-01 is Wednesday, October 8 15:15:25 UTC 2008. With a bash shell in Unix you can map between Unix time and a more readable local time using the command date --date="1970-01-01 <Unix timestamp> secs UTC". Using Perl, you can use this command: perl -e 'print scalar localtime(<Unix timestamp>),"\n"'.

The antivirus package detection rate is a two or three digit value representing the total detection rate as a percent of all the antivirus packages we ran the malware against.

What antivirus packages are you using?

We try to use over 30 undisclosed antivirus software packages. In a limited number of cases a smaller number of AV packages will be used.

How do you collect malware?

We employ various collection techniques, such as honeypots and crawlers, as well as leveraging private data sharing agreements with partners.

How up-to-date is your registry?

The malware hash registry is reloaded once per day. Please note that we try to avoid including too much polymorphic malware when possible.

Can I have a copy of one or more piece(s) of malware you have?

Sorry, we believe it is inappropriate to share actual binary copies of malware with the general public. Additionally, many of our data-sharing agreements would not permit us to re-distribute samples.

Can I download your hash registry database?

The hash registry database is not publicly available for download, but you may contact us about setting up a data sharing agreement should you need a more efficient method of performing queries.

Your service says my file is malware, but I know it is not!

We’re very sorry about that. If you have found a false positive, we do want to know about it so we can fix a potential problem with our system. First, please be absolutely sure it is not malware. There are numerous free online services that will run your malware through multiple antivirus packages. Virus Total is one such example. If you’re sure the file is not malware, you will need to send us a copy of it. Use our main contact address team-cymru@cymru.com and please encrypt the file with PGP to our public key in order to avoid any potential mail filtering problems.

This service is great! How can I help?

We’re glad you asked! Please contact us to let us know in what capacity you think you can be of assistance in terms of data or time. We’re always looking for more partners.

I'm a vendor, and I'd like to send you my AV package. Can you use it?

Sure! Please send us the details regarding your AV package. Presently we only support Linux compatible CLI versions of AV products.

Can I send you malware?

Please feel free to contact us as to how we may be able to receive your feed.