EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationhashingmd5sha256

File Identification and Hashing

Cryptographic hashing as the first step of any malware triage — MD5, SHA-256, fuzzy hashing with ssdeep, querying VirusTotal, and why the hash is the case identifier for every report.

Ashish Revar12 May 202612 min read2 views
Quick Bite

⚡ Quick Bite · 40s

Malware Triage: Hashing & File Identification

Cryptographic hashes (MD5, SHA-256, Avalanche Property), advanced identification with ssdeep and Imphash, and a 5-step triage workflow for every suspect file.

Watch this 40-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

The First Action on Any Suspect File

Before opening any tool, the analyst computes the file's cryptographic hash. The hash is the file's fingerprint. Two files with the same SHA-256 hash are, for all practical purposes, identical.

Cryptographic Hash Functions

A hash function maps an input of arbitrary length to a fixed-length output (the digest) with two critical properties:

  • Collision resistance: computationally infeasible to find two distinct inputs with the same output
  • Avalanche property: changing even a single bit of input produces a completely different digest
AlgorithmDigest SizeStatus
MD5128 bits (32 hex chars)Collision attacks known. Still used as a lookup key.
SHA-1160 bits (40 hex chars)Collision attacks demonstrated. Avoid for security.
SHA-256256 bits (64 hex chars)Current standard. Use for all primary identification.

MD5 and SHA-1 have known collision attacks and should not be relied upon for security — but they remain useful as fast lookup keys in malware databases where collision resistance is not critical.

Computing Hashes

Windows (PowerShell):

Get-FileHash invoice.exe -Algorithm SHA256
Get-FileHash invoice.exe -Algorithm MD5

Linux:

sha256sum invoice.exe
md5sum invoice.exe

x64dbg: the hash of the loaded file is shown in File → Properties.

PEStudio: computes MD5, SHA-1, SHA-256, and imphash automatically on file open.

Querying VirusTotal

After computing the SHA-256 hash, query it against VirusTotal:

curl -s "https://www.virustotal.com/api/v3/files/<SHA256_HASH>" \
  -H "x-apikey: YOUR_FREE_API_KEY" \
  | python3 -m json.tool | grep -A5 "last_analysis_stats"

Interpreting results:

Detection RatioInterpretation
40+/70Known malicious — read existing report, proceed to IOC extraction
5–40/70Suspicious — proceed with full static and dynamic analysis
0/70Possibly novel, possibly benign — full analysis required
0/70 with suspicious behaviourEvasion suspected — do not trust clean result

Key point: A clean VirusTotal result never means a sample is safe. Polymorphic and novel malware routinely achieves 0 detections on initial submission.

Fuzzy Hashing with ssdeep

Standard cryptographic hashes change completely if a single byte differs. ssdeep computes a Context-Triggered Piecewise Hash (CTPH) that produces similar outputs for similar files.

ssdeep -r malware_samples/        # hash all files recursively
ssdeep -m known_family.exe *      # compare all files against a reference

A similarity score above 50% typically indicates a related sample — a new variant of a known family with minor modifications to evade hash-based detection.

Use case: you have 500 samples from an incident. Run ssdeep to cluster them. Similar files likely belong to the same malware family and can be triaged together.

The Import Hash (imphash)

The imphash is computed from the ordered list of a PE file's imported function names and their DLLs. Because malware authors rarely change their import patterns between variants, files from the same malware family often share an imphash even when their byte-level hash differs.

imphash("CreateFileA,WriteFile,RegSetValueExA,URLDownloadToFileA") → fixed hash

PEStudio and VirusTotal both display the imphash. Searching VirusTotal by imphash finds related samples from the same family or build environment.

Quick Triage: Hashing a Suspicious File

1. Receive suspect file → compute SHA-256 immediately
2. Query VirusTotal → record detection ratio and top family labels
3. Compute ssdeep hash → compare against known samples
4. Note the imphash → search VirusTotal for related files
5. Record all hashes as the case identifier in your report

The hash is the primary identifier for every report, database entry, IOC feed, and YARA rule that follows from this analysis. Always record it first.

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Malware Blueprints in Portable Executable Headers

A deep dive into the Portable Executable (PE) structure used by Windows binaries — how analysts decode executable metadata to uncover malicious intent, compiler behaviour, packing indicators, and execution flow.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

VirusTotal — Free File and Hash Search

Submit files or search by hash. Free account gives API access for programmatic queries. Essential first stop for any sample.

tool
MalwareBazaar — Sample Search by Hash

Search for samples by MD5, SHA-1, SHA-256, or imphash. Download samples for analysis. Free and no account required.

tool
ssdeep — Fuzzy Hashing Tool

Official ssdeep project page with download links and documentation for context-triggered piecewise hashing.

tool
More articlesTest your knowledge