VirusShare.com - Because Sharing is Caring


How to search the VirusShare database
 
This reference is for the web-based search interface. You can find the API reference here.
 
Please note that using multiple contexts in a search results in an AND operation.
 
Searching by hash value
You can search by a number of cryptographic hash algorithms simply by entering a single hash value in the search box. Hash values supported are md5, sha1, sha224, sha256, sha384, and sha512. There is no need to specify the hash type context as it will be auto-detected by the server. Hashes must be submitted one at a time and not combined with any other values, as hash values are (generally) expected to be unique and combining them with other search values will probably return fewer results than you are hoping for.
 
810c8e6cac456ea031f9c495dfedc035
 
Searching by special hash values
Fuzzy Hash
You can search for similar samples using ssdeep fuzzy hashes or Context Triggered Piecewise Hashes (CTPH) by entering the fuzzy hash value in the search box. It is not necessary to provide the name of the file with the hash value; if provided, it will be ignored. Fuzzy hashes must be submitted one at a time and cannot be combined with any other search contexts.
 
12288:Zrej6Qrw4kE0E/YmvUtU3UcRUkRUYRUGw4kE0E/Ym2:ZrejhD0
 
Authentihash
Where possible, the Authentihash sha256 value is calculated for PE files. You can search the database by specifying the context asha256.
 
asha256:cd2e9c31c9ae04bba609e23124fa6bcc5701638bd5d9bd4a0505cdf055691b2e
 
Imphash
Where possible, the Import Hash or Imphash value is calculated for PE files. You can search the database by specifying the context imphash.
 
imphash:9402b48d966c911f0785b076b349b5ef
 
Searching by metadata fields
Size
File sizes may be searched by specifying one or more size contexts: size for an exact match, sizelte for less-than-or-equal, and sizegte for greater-than-or-equal. Search values may only be integers. Both sizelte and sizegte may be specified to search within a range of sizes.
 
size:236884
sizegte:236000 sizelte:237000
 
File Type
File types as reported by the file / magic / libmagic tool can be searched by specifying the filetype context. As this field may contain spaces, the search value may optionally be enclosed in double quotes. Additionally, searches on this field support case-insensitive PCRE regular expressions.
 
filetype:"PE32 executable"
filetype:"PE32\+ .*"
 
Mime Type
Mime type as reported by the file / magic / libmagic tool can be searched by specifying the mimetype context.
 
mimetype:application/x-dosexec
 
Extension
File extensions may be searched by specifying the extension context, which may be abbreviated to ext. Extensions are determined by probability using TrID.
 
extension:exe
ext:pdf
 
TrID
You can search the results of the TrID File Identifier by specifying one or more trid contexts. The contexts trid and trid.0 search the highest probability. Contexts trid.1 through trid.4 search decreasing levels of probability.
 
trid:"Win32 Executable MS Visual C++ (generic)"
trid.3:"Win32 Executable"
 
ExifTool
You can search the output of ExifTool by using one or more exif contexts. Exif contexts are case sensitive, but search values are case insensitive, support PCRE regular expressions, and may be optionally enclosed by double quotes.
 
exif.EntryPoint:0xa7b1
exif.CompanyName:"Корпорация Майкрософт"
exif.ProductName:"微软公司"
exif.Email:"rina[a-z]+[0-9]{2}@gmail\.com"
 
Searching by database fields
Timestamps
You can search by the time samples were added to the database. Time may be specified by a 10-digit unix timestamp or by a string representation of the time. Enclosing strings in double-quotes is recommended. The search contexts before and after specify the range to be included. Days specified without a time will default to midnight. Unless you specify the timezone, the system will default to UTC.
 
before:1577934245
after:2020-01-02T03:04:05Z
after:"last month"
after:"-7 days ago"
after:yesterday before:today
 
Searching by antivirus engine detection
Simple search
String searches where context is not specified will search the detections reported by antivirus engines. These searches are case-insensitive and support PCRE regular expressions. Strings may be optionally enclosed in double quotes.
 
hacktool.win32.wincred.y
 
Searching by count of antivirus detections
The count of detections may be searched by specifying one or more detection contexts: det for an exact match, detlte for less-than-or-equal, and detgte for greater-than-or-equal. Search values may only be integers. Both detlte and detgte may be specified to search within a range of detections.
 
det:30
detgte:20 detlte:30
 
Search by antivirus vendor
Individual antivirus engine detection results can be searched by specifying one or more antivirus products as the context. Detection search values are case insensitive, support PCRE regular expressions, and may be optionally enclosed in double quotes. The complete list of antivirus contexts is given below.
List of antivirus engine search contexts:
Acronis
Ad-Aware
AegisLab
Agnitum
AhnLab
AhnLab-V3
Alibaba
ALYac
AntiVir
Antivir7
Antiy-AVL
APEX
Arcabit
a-squared
Authentium
Avast
Avast5
Avast-Mobile
AVG
Avira
AVware
Babable
Baidu
Baidu-International
BitDefender
BitDefenderTheta
Bkav
ByteHero
CarpeDiem
CAT-QuickHeal
ClamAV
CMC
Command
Commtouch
Comodo
CrowdStrike
Cybereason
Cylance
Cynet
Cyren
DrWeb
DrWebSE
eGambit
Emsisoft
Endgame
eSafe
eScan
ESET-EEA
ESET-NOD32
eTrust-InoculateIT
eTrust-Vet
EW
Ewido
FileAdvisor
FireEye
Fortinet
FortinetBeta
F-Prot
F-Prot4
F-Secure
GData
Ikarus
Invincea
Jiangmin
K7AntiVirus
K7GW
Kaspersky
Kingsoft
Malwarebytes
Malwarebytes3
MAX
MaxSecure
McAfee
McAfee+Artemis
McAfeeBeta
McAfee-GW-Edition
Microsoft
MicroWorld-eScan
NANO-Antivirus
NOD32
NOD32Beta
NOD32v2
Norman
nProtect
Paloalto
Panda
PCTools
Power-Antivirus-2009
Prevx
Qihoo-360
Rising
Sangfor
SAVMail
SecureWeb-Gateway
SentinelOne
Sophos
Sunbelt
SUPERAntiSpyware
Symantec
SymantecMobileInsight
T3
TACHYON
Tencent
TheHacker
TotalDefense
Trapmine
TrendMicro
TrendMicro-HouseCall
Trustlook
UNA
VBA32
VIPRE
ViRobot
VirusBuster
Webroot
Webwasher-Gateway
WhiteArmor
Yandex
Zillya
ZoneAlarm
Zoner
 
kaspersky:hacktool.win32
 
Search by crawler data

Crawler data searches are functional but do not yet include the complete data, as it is currently being imported from several years of logs. This import will also impact the performance of crawler searches.

DNS name searches
You can search the DNS hostname to IP address resolutions received by the web-crawlers each time they connected to a URL. These searches are case-insensitive and support PCRE regular expressions. The dns context can only be combined with the contexts ip, before, after, and limit to narrow the results.
 
dns:www.preview.top10antivirussoftware.com
dns:^cdn\-[0-9]+\.
 
IP address searches
You can search IP address resolutions received by the web-crawlers for DNS hostnames each time they connected to a URL. These searches are limited to IPv4 and IPv6 formatted IP addresses. The ip context can only be combined with the contexts dns, before, after, and limit to narrow the results.
 
ip:54.173.89.85
ip:2600:3c00::f03c:91ff:fe1c:90ab
 
URL searches
You can search for URLs accessed by the web-crawlers using the url context. These searches are case-insensitive, support PCRE regular expressions, and may be optionally enclosed in double quotes. The url context can only be combined with the contexts before, after, size, sizegte, and sizelte to narrow the results.
 
url:www.preview.top10antivirussoftware.com
url:.cn\/.+\.apk$
 
Crawler data by hash
You can search for crawler history by file hash using the crawldata context. Results are not limited to the database, but also include files that are not part of the corpus (e.g. oversize, misplaced). Only sha256 hashes can be searched at this time. The crawldata context cannot be combined with any other contexts.
 
crawldata:d1fadaf37e898e70896c2732616378b9accf7ed4ef58ac723bac6b4790773b04
 
Search modifiers
Reducing results returned
You can reduce the number of results returned at one time by adding the limit context to your search, which can often be helpful in locating the proverbial needle in the haystack. By default, searches are limited to 20 results at a time with a query time limit of 60 seconds.
 
limit:1
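
The combination rules stated in the sections above (hashes and fuzzy hashes alone, the partner lists for dns, ip and url, crawldata alone with a sha256, integer-only size and det values) can be checked on the client before a query is submitted. The following is an added example, not VirusShare code: classify and check_query are hypothetical names, detecting the hash type by hex length is an assumption, and example.test is a constructed hostname.

```python
import re

# Hex length -> hash type. Length-based detection is an assumption here;
# the page only says the server auto-detects the hash type.
HASH_LENGTHS = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}
STANDALONE = {"<fuzzy>"} | {f"<{name}>" for name in HASH_LENGTHS.values()}
SSDEEP = re.compile(r"\d+:[A-Za-z0-9+/]*:[A-Za-z0-9+/]*")
TERM = re.compile(r'(?:[^\s"]|"[^"]*")+')  # one term; quoted values may hold spaces
INT_ONLY = {"size", "sizelte", "sizegte", "det", "detlte", "detgte"}
# Restricted contexts mapped to the only contexts the page lets them appear with.
ALLOWED_WITH = {
    "dns": {"ip", "before", "after", "limit"},
    "ip": {"dns", "before", "after", "limit"},
    "url": {"before", "after", "size", "sizegte", "sizelte"},
    "crawldata": set(),
}

def classify(term):
    """Return (context, value); bare terms get a pseudo-context in angle brackets."""
    if SSDEEP.fullmatch(term):
        return "<fuzzy>", term
    if re.fullmatch(r"[0-9a-fA-F]+", term) and len(term) in HASH_LENGTHS:
        return f"<{HASH_LENGTHS[len(term)]}>", term
    head, sep, value = term.partition(":")
    if sep and re.fullmatch(r"[A-Za-z][\w.+-]*", head):
        return head, value.strip('"')
    return "<detection>", term  # no context: antivirus detection string

def check_query(query):
    """Return the documented rules a query breaks (empty list if none)."""
    terms = [classify(t) for t in TERM.findall(query)]
    problems = []
    for i, (ctx, value) in enumerate(terms):
        others = {c for j, (c, _) in enumerate(terms) if j != i}
        if ctx in STANDALONE and others:
            problems.append(f"{ctx} must be searched alone")
        elif ctx in ALLOWED_WITH and others - ALLOWED_WITH[ctx]:
            bad = ", ".join(sorted(others - ALLOWED_WITH[ctx]))
            problems.append(f"{ctx} cannot be combined with {bad}")
        if ctx in INT_ONLY and not re.fullmatch(r"[0-9]+", value):
            problems.append(f"{ctx} takes an integer, got {value!r}")
        if ctx == "crawldata" and not re.fullmatch(r"[0-9a-fA-F]{64}", value):
            problems.append("crawldata takes a sha256 hash")
    return problems

# Constructed sample queries built from the contexts documented above.
for q in ('dns:^cdn\\-[0-9]+\\. after:yesterday limit:1', "url:example.test ext:apk"):
    print(q, "->", check_query(q) or "ok")
```

The check reads the partner lists literally, so a context the page does not name as a permitted partner is reported even where the server might accept it.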