
4.18-Compare Hashes of suspected malware

Task Perform Hash Analysis and Signature check of Suspected Malware

Conditions

Given a suspected malware file or files, file hashing tools, and a database or repository of known malware file hashes.

Standards

  • The team member obtains a hash (MD5 or SHA1, and preferably SHA-256 as well, since MD5 and SHA-1 collisions are practical and many IOC feeds now publish SHA-256) of each suspected malware file and saves the hashes to a text file.
  • Hashes can be obtained at the command line using one of the tools referenced below.
  • Hashes can be obtained and verified automatically on VirusTotal using Windows GUI tools.
  • The team member compares the hash value to previously known malware samples from the incident Indicators of Compromise (IOC).
  • The team member utilizes the VirusTotal website’s hash search functionality to determine if any previous samples of this malware have been reported.
  • The team member utilizes a signature-checking utility to determine if the suspected malware is signed with a code-signing certificate.

End State

All file hashes of suspected malware files have been checked against a trusted file hash repository.

Notes

Caution should be observed when utilizing VirusTotal to determine if a suspected malware sample has already been identified. Searching VirusTotal by hash does not upload anything and does not create a new entry in the VirusTotal database. Uploading the actual sample does create a searchable entry, and malicious actors monitor VirusTotal for their own samples to learn that their activity has been detected. Tools that offer to submit files not already known to VirusTotal (for example the "s" in sigcheck's -vs option) have the same effect as a manual upload, so submit hashes only unless the incident lead has approved sample submission.
* Tools: There are various free Windows and Linux tools that can be used to complete this task. For example:
* md5sum / sha1sum / sha256sum – Linux (GNU coreutils)
* md5deep / hashdeep – Windows and Linux
* Sigcheck.exe – Sysinternals (Windows)
* hfind – The Sleuth Kit (Linux), for lookups against a hash database such as NSRL
* Signtool.exe – Part of the Windows SDK

Manual Steps

Running Script

Gather Hash of Files

  • MacOS

    openssl [algorithm] [file]  
    
    #Example:  
    openssl md5 README.md  
    MD5(README.md)= f524eb99090ff80aa7cb1ddee223531e
    
    openssl sha1 README.md  
    SHA1(README.md)= 71d926baef99eea2af534ba7bcdf5871d2da9f88
    

  • Linux

    md5sum filename
    sha1sum filename
    

  • Windows

  • CertUtil is a command-line tool built into Windows (it ships with the Certificate Services components), but its -hashfile switch also computes the hash of any file with a specified algorithm (MD5, SHA1, SHA256, SHA512, among others). For example, the following command generates the SHA-512 hash of the file at the given path:

    certutil -hashfile c:\<path to file> SHA512
    

    • Use PowerShell to retrieve hash of file
      Get-FileHash -Path c:\<path to file> -Algorithm SHA512
      
  • Submitting hashes to VirusTotal using Sysinternals

    • procexp.exe (Process Explorer)

      • Run procexp.exe.
      • Right-click a column header and click Select Columns.
      • Check the VirusTotal box under the Process Image tab.
      • Agree to VirusTotal's Terms of Service to submit the hashes of running process images for evaluation. Only hashes are sent; Process Explorer uploads unknown executables only if you separately enable that option.
    • SigCheck.exe

      • Open cmd.exe and navigate to the directory containing sigcheck.exe if it is not on the PATH.
      • Option -v submits the hash of the file to VirusTotal. The first time you run it you will be prompted to accept VirusTotal's terms; add -vt to accept them and skip the prompt. You can scan a complete disk by adding -s (recurse subdirectories) and specifying the root folder of the disk (e.g. c:\), and you can produce a CSV report with option -c.

        sigcheck.exe -v -vt [File]

      • Files without a digital signature are also checked against VirusTotal. To scan an entire drive recursively and write the results as CSV:

        sigcheck.exe -v -s -c c:\
        
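The procedure above (hash each suspected file, save the hashes to a text file, compare them with the incident IOC list, and build the VirusTotal hash lookup) carried through as one script. This is an added example and not code from the original page or from Sysinternals; it uses only the Python standard library so it runs the same on Linux, macOS and Windows. The evidence files, their contents and the IOC list are constructed for the demonstration: the "suspicious" file contains the bytes "abc" and the IOC list holds the SHA-256 of those bytes (plus the MD5 of an empty file), so the match is reproducible. Everything else, including the directory and file names, is an assumption to be replaced with the real evidence set.

```python
"""Hash suspected files, save the hashes to a text file, and compare them
against a list of known-bad hashes (incident IOCs).

Added example, not from the original page. Only the standard library is used.
All paths, file contents and IOC values below are constructed for the demo.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file. The file is read in
    chunks so a large sample never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_directory(root, algorithms=ALGORITHMS):
    """Hash every regular file under root (symlinks skipped).
    Returns {path relative to root: {algorithm: hexdigest}}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                results[os.path.relpath(full, root)] = hash_file(full, algorithms)
    return results


def write_hash_report(results, out_path):
    """Save the hashes as 'algorithm  hexdigest  path' lines in one text
    file, as the task standard requires. Returns the lines written."""
    lines = [f"{alg}  {digest}  {rel}"
             for rel, digests in results.items()
             for alg, digest in digests.items()]
    with open(out_path, "w") as out:
        out.write("\n".join(lines) + "\n")
    return lines


def load_ioc_hashes(ioc_path):
    """Read known-bad hashes, one per line. '#' comments and blank lines are
    ignored and values are lower-cased so the comparison is case-insensitive
    (IOC feeds mix upper- and lower-case hex)."""
    iocs = set()
    with open(ioc_path) as fh:
        for line in fh:
            value = line.split("#", 1)[0].strip().lower()
            if value:
                iocs.add(value)
    return iocs


def compare_to_iocs(results, iocs):
    """Return [(path, algorithm, hexdigest)] for every file whose MD5, SHA1
    or SHA256 appears in the IOC set."""
    return [(rel, alg, digest)
            for rel, digests in results.items()
            for alg, digest in digests.items()
            if digest in iocs]


def virustotal_search_url(digest):
    """Web-UI URL for looking up an existing report by MD5, SHA1 or SHA256.
    Opening this URL searches by hash only; it does not upload the file."""
    return f"https://www.virustotal.com/gui/file/{digest.strip().lower()}"


def demo():
    """Build a scratch evidence directory with constructed contents, hash it,
    save the report and compare against a constructed IOC list."""
    work = tempfile.mkdtemp(prefix="hashcheck_")
    evidence = os.path.join(work, "evidence")
    os.makedirs(os.path.join(evidence, "sub"))
    with open(os.path.join(evidence, "dropper.bin"), "wb") as f:
        f.write(b"abc")                                # constructed "suspect"
    with open(os.path.join(evidence, "zero.bin"), "wb") as f:
        pass                                           # constructed empty file
    with open(os.path.join(evidence, "sub", "benign.txt"), "wb") as f:
        f.write(b"constructed benign file\n")

    ioc_path = os.path.join(work, "iocs.txt")
    with open(ioc_path, "w") as f:
        f.write("# constructed IOC list for the demo\n")
        # SHA-256 of b"abc", upper-cased to show the case-insensitive match
        f.write("BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\n")
        # MD5 of an empty file: a common false positive that matches every
        # zero-byte file, so treat such a hit as a review item, not a verdict
        f.write("d41d8cd98f00b204e9800998ecf8427e  # empty-file MD5\n")

    results = hash_directory(evidence)
    report_lines = write_hash_report(results, os.path.join(work, "hashes.txt"))
    hits = compare_to_iocs(results, load_ioc_hashes(ioc_path))
    lookups = {rel: virustotal_search_url(d["sha256"]) for rel, d in results.items()}
    return {"results": results, "report_lines": report_lines,
            "hits": hits, "lookups": lookups}


if __name__ == "__main__":
    out = demo()
    for line in out["report_lines"]:
        print(line)
    for rel, alg, digest in out["hits"]:
        print(f"IOC HIT: {rel} ({alg}) {digest} -> {out['lookups'][rel]}")
```

Run it as a script to see the saved report and the IOC hits; to use it on real evidence, point hash_directory at the quarantine folder and load_ioc_hashes at the incident's hash list. The empty-file hit is deliberate: IOC lists that were built by hashing a delivery directory often contain the hash of a zero-byte placeholder, and matching on it proves nothing about the file.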

Dependencies

Other available tools

Visual Studio

References

Searching VirusTotal for hashes with SignTool.exe
using Sysinternals Process Explorer to check file hashes on VirusTotal
using sigcheck to check file hash values on VirusTotal
Using MD5DEEP
Using MD5SUM

Revision History