IncidentResponsev2

4.18 Compare Hashes of Suspected Malware

Task

Perform Hash Analysis and Signature check of Suspected Malware to identify malware samples, support incident response investigations, and validate against known-good and known-bad datasets.

---

Conditions

Given:

• A suspected malware file or files
• File hashing tools
• Access to internal hash repositories and/or external threat intelligence sources (VirusTotal, Hybrid Analysis, Abuse.ch)

---

Standards

• Team member obtains a hash (MD5, SHA1, SHA256 preferred) and saves them to a text file
• Compare hash value against previously identified IOCs or known good hashsets
• Use VirusTotal and other threat intelligence platforms to identify malware detections
• Determine file signature using appropriate tools (Sigcheck, SignTool) to assess trustworthiness
• Record and document findings for IR process

---

End State

All file hashes of suspected malware have been analyzed, compared, validated, and documented.

---

Notes

• Hash lookups do not upload the file itself → safer option (avoid uploading sensitive files when possible)
• Uploading the full file → creates searchable record visible to external parties (potential risk during IR)
• Validate using multiple sources → public intelligence + internal allow/block lists
• Use multiple algorithms → MD5 (legacy), SHA1 (common), SHA256 (preferred)

---

Manual Steps

Gathering Hash of Files

MacOS

openssl md5 README.md
openssl sha1 README.md

Linux

md5 filename
sha1sum filename

Windows

CertUtil

certutil -hashfile C:\Malware\sample.exe SHA256

PowerShell

Get-FileHash -Path "C:\Malware\sample.exe" -Algorithm SHA256

Hashdeep (optional)

hashdeep.exe -c md5,sha1,sha256 -r C:\Malware\sample.exe

---

Submitting Hashes to VirusTotal using Sysinternals Suite

Process Explorer

• Run ProcExp.exe
• Right-click Columns → Select Columns → enable VirusTotal
• Accept Terms of Service
• Hashes will be submitted automatically for running processes

SigCheck.exe

sigcheck.exe -vt file.exe
sigcheck.exe -v -c C:\

• -vt → submit to VirusTotal
• -c → generate CSV
• -v → include signature information

---

Signature Checking (Verify File Authenticity)

• Sigcheck.exe → native signature checks
• SignTool.exe (part of Visual Studio SDK)

signtool verify /pa file.exe

---

Advanced Cloud/Remote Intelligence Check (Expanded)

VirusTotal (API + Web)

https://www.virustotal.com/gui/file/<hash>

Hybrid Analysis

https://www.hybrid-analysis.com/search?query=<hash>

Abuse.ch MalwareBazaar

https://bazaar.abuse.ch/search.php?query=<hash>

---

Cloud Environment Workflow

AWS GuardDuty

• Uses threat intelligence feeds → hash matching automatic
• Manual submission → not supported natively → use external VirusTotal submission

Azure Defender for Endpoint

• Hash submissions automatic for detections
• Review suspicious file hashes via Defender Portal

GCP VirusTotal (native integration)

• Hash submission and review directly supported in GCP → use portal or CLI/API

---

Running Script

Automated scheduled collection example (Windows):

Get-ChildItem -Path "C:\Malware\" -File | ForEach-Object {
    Get-FileHash -Path $_.FullName -Algorithm SHA256 | Export-Csv "C:\Hashes\collected_hashes.csv" -Append -NoTypeInformation
}

---

Dependencies

• CertUtil
• PowerShell
• OpenSSL / sha1sum / md5sum
• Sysinternals (Process Explorer, SigCheck)
• Optional: VirusTotal API key (for automated queries)

---

Other Available Tools

Tool	Platform	Installation	Usage
CertUtil	Windows	Native	Single hash calculation
PowerShell	Windows	Native	Single/multi hash calculation
Hashdeep	Windows/Linux/macOS	Open Source	Multi-hash file integrity
Process Explorer	Windows	Sysinternals	Running process hash + VirusTotal
Sigcheck	Windows	Sysinternals	Signature + VirusTotal hash
VirusTotal	Cloud	Web/API	Threat intelligence lookup
Hybrid Analysis	Cloud	Web	Threat intelligence lookup
AWS GuardDuty	Cloud	Native	Automatic hash intel
Azure Defender	Cloud	Native	Automatic hash intel
GCP VirusTotal	Cloud	Native	Hash submission and review

---

Operator Recommendations and Additional Tools

Operator Checklist

• Acquire suspected malware file (forensic chain of custody)
• Calculate hash (MD5, SHA1, SHA256)
• Verify hash with VirusTotal, Hybrid Analysis, MalwareBazaar
• Run signature check → SigCheck + SignTool
• Review cloud security platform detections (if applicable)
• Document findings + submit to incident management system
• Escalate samples with malicious or unknown results to malware analysis team
• Update allow/block lists with findings

Best Practices

• Always calculate hashes prior to executing/handling malware
• Use multiple hash algorithms for better detection coverage
• Avoid uploading sensitive/internal files to public services without proper approval
• Maintain local hash repositories for quick verification
• Automate daily/weekly hash collection + comparison via scripts

---

References

• VirusTotal
• Hybrid Analysis
• Abuse.ch Malware Bazaar
• Sysinternals Process Explorer + VirusTotal
• Sysinternals Sigcheck + VirusTotal
• MD5Deep / Hashdeep
• SignTool

---

Revision History

Date	Version	Description	Author
2025-05-02	1.0	Original retained + expanded with multi-platform hashing, cloud, operator workflow	Leo