How to search the VirusShare database |
  |
This reference is for the web-based search interface. You can find the API reference here. |
  |
Please note that using multiple contexts in a search results in an AND operation. |
  |
Searching by hash value |
You can search by a number of cryptographic hash algorithms simply by entering a single hash value in the search box. Hash values supported are md5, sha1, sha224, sha256, sha384, and sha512. There is no need to specify the hash type context as it will be auto-detected by the server. Hashes must be submitted one at a time and not combined with any other values, as hash values are (generally) expected to be unique and combining them with other search values will probably return fewer results than you are hoping for. |
  |
810c8e6cac456ea031f9c495dfedc035 |
  |
Searching by special hash values |
Fuzzy Hash |
You can search for similar samples using ssdeep fuzzy hashes or Context Triggered Piecewise Hashes (CTPH) by entering the fuzzy hash value in the search box. It is not necessary to provide the name of the file with the hash value; if provided, it will be ignored. Fuzzy hashes must be submitted one at a time and cannot be combined with any other search contexts. |
  |
12288:Zrej6Qrw4kE0E/YmvUtU3UcRUkRUYRUGw4kE0E/Ym2:ZrejhD0 |
  |
Authentihash |
Where possible, the Authentihash sha256 value is calculated for PE files. You can search the database by specifying the context asha256. |
  |
asha256:cd2e9c31c9ae04bba609e23124fa6bcc5701638bd5d9bd4a0505cdf055691b2e |
  |
Imphash |
Where possible, the Import Hash or Imphash value is calculated for PE files. You can search the database by specifying the context imphash. |
  |
imphash:9402b48d966c911f0785b076b349b5ef |
  |
Searching by metadata fields |
Size |
File sizes may be searched by specifying one or more size contexts: size for an exact match, sizelte for less-than-or-equal, and sizegte for greater-than-or-equal. Search values may only be integers. Both sizelte and sizegte may be specified to search within a range of sizes. |
  |
size:236884 |
sizegte:236000 sizelte:237000 |
  |
File Type |
File types as reported by the file / magic / libmagic tool can be searched by specifying the filetype context. As this field may contain spaces, the search value may optionally be enclosed in double quotes. Additionally, searches on this field support case-insensitive PCRE regular expressions. |
  |
filetype:"PE32 executable" |
filetype:"PE32\+ .*" |
  |
Mime Type |
Mime type as reported by the file / magic / libmagic tool can be searched by specifying the mimetype context. |
  |
mimetype:application/x-dosexec |
  |
Extension |
File extensions may be searched by specifying the extension context, which may be abbreviated to ext. Extensions are determined by probability using TrID. |
  |
extension:exe |
ext:pdf |
  |
TrID |
You can search the results of the TrID File Identifier by specifying one or more trid contexts. The contexts trid and trid.0 search the highest probability. Contexts trid.1 through trid.4 search decreasing levels of probability. |
  |
trid:"Win32 Executable MS Visual C++ (generic)" |
trid.3:"Win32 Executable" |
  |
ExifTool |
You can search the output of ExifTool by using one or more exif contexts. Exif contexts are case sensitive, but search values are case insensitive, support PCRE regular expressions, and may be optionally enclosed by double quotes. |
  |
exif.EntryPoint:0xa7b1 |
exif.CompanyName:"Корпорация Майкрософт" |
exif.ProductName:"微软公司" |
exif.Email:"rina[a-z]+[0-9]{2}@gmail\.com" |
  |
Searching by database fields |
Timestamps |
You can search by the time samples were added to the database. Time may be specified by a 10-digit unix timestamp or by a string representation of the time. Enclosing strings in double-quotes is recommended. The search contexts before and after specify the range to be included. Days specified without a time will default to midnight. Unless you specify the timezone, the system will default to UTC. |
  |
before:1577934245 |
after:2020-01-02T03:04:05Z |
after:"last month" |
after:"-7 days ago" |
after:yesterday before:today |
  |
Searching by antivirus engine detection |
Simple search |
String searches where context is not specified will search the detections reported by antivirus engines. These searches are case-insensitive and support PCRE regular expressions. Strings may be optionally enclosed in double quotes. |
  |
hacktool.win32.wincred.y |
  |
Searching by count of antivirus detections |
The count of detections may be searched by specifying one or more detection contexts: det for an exact match, detlte for less-than-or-equal, and detgte for greater-than-or-equal. Search values may only be integers. Both detlte and detgte may be specified to search within a range of detections. |
  |
det:30 |
detgte:20 detlte:30 |
  |
Search by antivirus vendor |
Individual antivirus engine detection results can be searched by specifying one or more antivirus products as the context. Detection search values are case insensitive, support PCRE regular expressions, and may be optionally enclosed in double quotes. The complete list of antivirus contexts is listed below. |
List of antivirus engine search contexts: |
Acronis Ad-Aware AegisLab Agnitum AhnLab AhnLab-V3 Alibaba ALYac AntiVir Antivir7 Antiy-AVL APEX Arcabit a-squared Authentium Avast Avast5 Avast-Mobile AVG Avira AVware Babable Baidu Baidu-International BitDefender BitDefenderTheta Bkav ByteHero CarpeDiem CAT-QuickHeal ClamAV CMC Command Commtouch Comodo CrowdStrike Cybereason Cylance Cynet Cyren DrWeb DrWebSE eGambit Emsisoft Endgame eSafe eScan ESET-EEA ESET-NOD32 eTrust-InoculateIT eTrust-Vet EW Ewido FileAdvisor FireEye Fortinet FortinetBeta F-Prot F-Prot4 F-Secure GData Ikarus Invincea Jiangmin K7AntiVirus K7GW Kaspersky Kingsoft Malwarebytes Malwarebytes3 MAX MaxSecure McAfee McAfee+Artemis McAfeeBeta McAfee-GW-Edition Microsoft MicroWorld-eScan NANO-Antivirus NOD32 NOD32Beta NOD32v2 Norman nProtect Paloalto Panda PCTools Power-Antivirus-2009 Prevx Qihoo-360 Rising Sangfor SAVMail SecureWeb-Gateway SentinelOne Sophos Sunbelt SUPERAntiSpyware Symantec SymantecMobileInsight T3 TACHYON Tencent TheHacker TotalDefense Trapmine TrendMicro TrendMicro-HouseCall Trustlook UNA VBA32 VIPRE ViRobot VirusBuster Webroot Webwasher-Gateway WhiteArmor Yandex Zillya ZoneAlarm Zoner |
  |
kaspersky:hacktool.win32 |
  |
Search by crawler data |
Crawler data searches are functional but do not yet include the complete data, as it is currently being imported from several years of logs. This import will also impact the performance of crawler searches. |
DNS name searches |
You can search DNS hostname IP address resolutions received by the web-crawlers each time they connected to a URL. These searches are case-insensitive and support PCRE regular expressions. The dns context can only be combined with the contexts ip, before, after, and limit to narrow the results. |
  |
dns:www.preview.top10antivirussoftware.com |
dns:^cdn\-[0-9]+\. |
  |
IP address searches |
You can search IP address resolutions received by the web-crawlers for DNS hostnames each time they connected to a URL. These searches are limited to IPv4 and IPv6 formatted IP addresses. The ip context can only be combined with the contexts dns, before, after, and limit to narrow the results. |
  |
ip:54.173.89.85 |
ip:2600:3c00::f03c:91ff:fe1c:90ab |
  |
URL searches |
You can search for URLs accessed by the web-crawlers using the url context. These searches are case-insensitive, support PCRE regular expressions, and may be optionally enclosed in double quotes. The url context can only be combined with the contexts before, after, size, sizegte, and sizelte to narrow the results. |
  |
url:www.preview.top10antivirussoftware.com |
url:.cn\/.+\.apk$ |
  |
Crawler data by hash |
You can search for crawler history by file hash using the crawldata context. Results are not limited to the database, but also include files that are not part of the corpus (e.g. oversize, misplaced). Only sha256 hashes can be searched at this time. The crawldata context cannot be combined with any other contexts. |
  |
crawldata:d1fadaf37e898e70896c2732616378b9accf7ed4ef58ac723bac6b4790773b04 |
  |
Search modifiers |
Reducing results returned |
You can reduce the number of results returned at one time by adding the limit context to your search, which can often be helpful in locating the proverbial needle in the haystack. By default, searches are limited to 20 results at a time with a query time limit of 60 seconds. |
  |
limit:1 |
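
The combination rules stated across this page (hashes and fuzzy hashes searched alone, integer-only size and det contexts, and the restricted partners of dns, ip, url and crawldata) can be checked client-side before a query is submitted. The following Python sketch is an added example, not VirusShare code; the tokenizer, the function names and the ssdeep pattern are assumptions, and the server's own parsing may differ.

```python
import re

# Hex digest length -> algorithm, for the hash types the page lists.
HASH_LENGTHS = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}
# Contexts the page allows alongside each restricted crawler context.
ALLOWED_WITH = {
    "dns": {"ip", "before", "after", "limit"},
    "ip": {"dns", "before", "after", "limit"},
    "url": {"before", "after", "size", "sizegte", "sizelte"},
}
INT_CONTEXTS = {"size", "sizegte", "sizelte", "det", "detgte", "detlte"}
# Assumed tokenizer: optional "context:" prefix, then a quoted or bare value.
TOKEN = re.compile(r'(?:([A-Za-z][\w.+-]*):)?("[^"]*"|\S+)')
HEX = re.compile(r"[0-9a-fA-F]+")
SSDEEP = re.compile(r"\d+:[A-Za-z0-9/+]+:[A-Za-z0-9/+]+")  # blocksize:hash1:hash2

def parse(query):
    """Split a query into (context, value) pairs; context is None for bare terms."""
    return [(m.group(1), m.group(2).strip('"')) for m in TOKEN.finditer(query)]

def standalone_kind(ctx, value):
    """Name a term that the page says must be searched alone, else None."""
    if ctx == "crawldata":
        return "crawldata"
    if ctx is None and SSDEEP.fullmatch(value):
        return "ssdeep"
    if ctx is None and HEX.fullmatch(value):
        return HASH_LENGTHS.get(len(value))  # None if not a known digest length
    return None

def check_query(query):
    """Return rule violations for a query; an empty list means none were found."""
    terms = parse(query)
    names = [ctx or "<bare>" for ctx, _ in terms]
    problems = []
    for i, (ctx, value) in enumerate(terms):
        others = set(names[:i] + names[i + 1:])  # every other term in the query
        kind = standalone_kind(ctx, value)
        if kind and others:
            problems.append(f"{kind} must be searched alone")
        elif ctx in ALLOWED_WITH and others - ALLOWED_WITH[ctx]:
            bad = ", ".join(sorted(others - ALLOWED_WITH[ctx]))
            problems.append(f"{ctx} cannot be combined with {bad}")
        if ctx in INT_CONTEXTS and not (value.isascii() and value.isdigit()):
            problems.append(f"{ctx} needs an integer, got {value!r}")
        if ctx == "crawldata" and not (HEX.fullmatch(value) and len(value) == 64):
            problems.append("crawldata accepts only sha256 hashes")
    return problems
```

For instance, `check_query(r"url:.cn\/.+\.apk$ detgte:20")` reports that url cannot be combined with detgte. A bare term that itself contains a colon would be read as a context by this tokenizer.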
  |