VirusTotal has introduced a new feature for portable executable (PE) files. It’s called “imphash” and it stands for “import hash.”
The imphash feature has been utilized by IT security firm Mandiant for tracking the backdoors of specific threat groups. The hashes are created based on library/API names and their specific order within a PE file.
The imphash value can be used to identify malware samples that are related to one another. It can also be utilized to identify similar samples created by a certain threat group.
Imphases in VirusTotal are available in the “additional information” tab.
“When considering an individual report, this property might not be very useful on its own, however, if you happen to have an API key with additional information privileges you will also find the hash embedded in the JSON response,” VirusTotal’s Emiliano Martinez explained.
“This means you can massively feed your own local database setup with the imphash and implement your own similarity search feature for your malware collection.”