VirusTotal Introduces “imphash” for Portable Executables

VirusTotal adds imphashes

VirusTotal has introduced a new feature for portable executable (PE) files. It’s called “imphash” and it stands for “import hash.”

The imphash feature has been utilized by IT security firm Mandiant for tracking the backdoors of specific threat groups. The hashes are created based on library/API names and their specific order within a PE file.

The imphash value can be used to identify malware samples that are related to one another. It can also be utilized to identify similar samples created by a certain threat group.

Imphases in VirusTotal are available in the “additional information” tab.

“When considering an individual report, this property might not be very useful on its own, however, if you happen to have an API key with additional information privileges you will also find the hash embedded in the JSON response,” VirusTotal’s Emiliano Martinez explained.

“This means you can massively feed your own local database setup with the imphash and implement your own similarity search feature for your malware collection.”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s