Cryptographic hashing as the first step of any malware triage — MD5, SHA-256, fuzzy hashing with ssdeep, querying VirusTotal, and why the hash is the case identifier for every report.
⚡ Quick Bite · 40s
Cryptographic hashes (MD5, SHA-256, Avalanche Property), advanced identification with ssdeep and Imphash, and a 5-step triage workflow for every suspect file.
Watch this 40-second summary before diving into the full article. Sign in to earn 5 leaderboard points.
Before opening any tool, the analyst computes the file's cryptographic hash. The hash is the file's fingerprint. Two files with the same SHA-256 hash are, for all practical purposes, identical.
A hash function maps an input of arbitrary length to a fixed-length output (the digest) with two critical properties:
| Algorithm | Digest Size | Status |
|---|---|---|
| MD5 | 128 bits (32 hex chars) | Collision attacks known. Still used as a lookup key. |
| SHA-1 | 160 bits (40 hex chars) | Collision attacks demonstrated. Avoid for security. |
| SHA-256 | 256 bits (64 hex chars) | Current standard. Use for all primary identification. |
MD5 and SHA-1 have known collision attacks and should not be relied upon for security — but they remain useful as fast lookup keys in malware databases where collision resistance is not critical.
Windows (PowerShell):
Get-FileHash invoice.exe -Algorithm SHA256
Get-FileHash invoice.exe -Algorithm MD5
Linux:
sha256sum invoice.exe
md5sum invoice.exe
x64dbg: the hash of the loaded file is shown in File → Properties.
PEStudio: computes MD5, SHA-1, SHA-256, and imphash automatically on file open.
After computing the SHA-256 hash, query it against VirusTotal:
curl -s "https://www.virustotal.com/api/v3/files/<SHA256_HASH>" \
-H "x-apikey: YOUR_FREE_API_KEY" \
| python3 -m json.tool | grep -A5 "last_analysis_stats"
Interpreting results:
| Detection Ratio | Interpretation |
|---|---|
| 40+/70 | Known malicious — read existing report, proceed to IOC extraction |
| 5–40/70 | Suspicious — proceed with full static and dynamic analysis |
| 0/70 | Possibly novel, possibly benign — full analysis required |
| 0/70 with suspicious behaviour | Evasion suspected — do not trust clean result |
Key point: A clean VirusTotal result never means a sample is safe. Polymorphic and novel malware routinely achieves 0 detections on initial submission.
Standard cryptographic hashes change completely if a single byte differs. ssdeep computes a Context-Triggered Piecewise Hash (CTPH) that produces similar outputs for similar files.
ssdeep -r malware_samples/ # hash all files recursively
ssdeep -m known_family.exe * # compare all files against a reference
A similarity score above 50% typically indicates a related sample — a new variant of a known family with minor modifications to evade hash-based detection.
Use case: you have 500 samples from an incident. Run ssdeep to cluster them. Similar files likely belong to the same malware family and can be triaged together.
The imphash is computed from the ordered list of a PE file's imported function names and their DLLs. Because malware authors rarely change their import patterns between variants, files from the same malware family often share an imphash even when their byte-level hash differs.
imphash("CreateFileA,WriteFile,RegSetValueExA,URLDownloadToFileA") → fixed hash
PEStudio and VirusTotal both display the imphash. Searching VirusTotal by imphash finds related samples from the same family or build environment.
1. Receive suspect file → compute SHA-256 immediately
2. Query VirusTotal → record detection ratio and top family labels
3. Compute ssdeep hash → compare against known samples
4. Note the imphash → search VirusTotal for related files
5. Record all hashes as the case identifier in your report
The hash is the primary identifier for every report, database entry, IOC feed, and YARA rule that follows from this analysis. Always record it first.
Sign in to mark this article as read and track your progress.