Hash investigation

Kaspersky Threat Intelligence Portal enables you to search for information about objects by MD5, SHA1, and SHA256 hashes.

Kaspersky Threat Intelligence Portal now additionally provides information about a hash from various open sources. This lets you find more information about the hash, for example in posts and articles that mention it. For details, see the OSINT IoCs section description.
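As an added example (not part of the portal documentation and not Kaspersky's own tooling), the following Python script prepares a hash for lookup: it trims whitespace and an optional "md5:"-style label (an assumed convention of pasted IoC lists, not a portal format), identifies MD5, SHA1 or SHA256 by length, pulls candidate hashes out of free text such as a post or article, and computes all three digests of a local file in one pass so that whichever form a report quotes can be matched. All function and variable names are the example's own.

```python
import hashlib
import re

# Hash algorithms accepted for lookup, keyed by hex-digest length.
_ALGO_BY_LENGTH = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_HEX_RE = re.compile(r"^[0-9a-f]+$")
# Longest alternative first so a SHA256 is never reported as an embedded MD5/SHA1.
_HASH_IN_TEXT_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
# Labels that often precede a hash in pasted IoC lists (assumption; not a portal format).
_LABELS = ("md5:", "sha1:", "sha-1:", "sha256:", "sha-256:")


def normalize_hash(value):
    """Clean a pasted hash and identify its algorithm by length.

    Returns (algorithm, lowercase_hex); algorithm is None when the input is not a
    32/40/64-character hex string after trimming whitespace and an optional label.
    """
    cleaned = value.strip().lower()
    for label in _LABELS:
        if cleaned.startswith(label):
            cleaned = cleaned[len(label):].strip()
            break
    algo = _ALGO_BY_LENGTH.get(len(cleaned))
    if algo is None or not _HEX_RE.match(cleaned):
        return None, cleaned
    return algo, cleaned


def extract_hashes(text):
    """Pull candidate MD5/SHA1/SHA256 hashes out of free text (a report, a post, a log).

    Returns {algorithm: [unique lowercase digests in order of appearance]}.
    """
    found = {}
    for match in _HASH_IN_TEXT_RE.finditer(text):
        algo, digest = normalize_hash(match.group(0))
        bucket = found.setdefault(algo, [])
        if digest not in bucket:
            bucket.append(digest)
    return found


def _digest_stream(chunks):
    """Compute all three digests in a single pass over an iterable of byte chunks."""
    hashers = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory object, e.g. an attachment already extracted."""
    return _digest_stream([data])


def hash_file(path, chunk_size=1 << 20):
    """Digests of a file on disk, read in chunks so large samples need no extra memory."""
    with open(path, "rb") as f:
        return _digest_stream(iter(lambda: f.read(chunk_size), b""))


if __name__ == "__main__":
    import sys
    # Each argument is either a hash to normalize or a file to hash.
    for arg in sys.argv[1:]:
        algo, digest = normalize_hash(arg)
        if algo:
            print(f"{algo}: {digest}")
            continue
        try:
            for name, digest in hash_file(arg).items():
                print(f"{name}: {digest}")
        except OSError as exc:
            print(f"{arg}: not a hash and not a readable file ({exc})")
```

Run it as `python lookup_prep.py <hash-or-file> ...`; a recognized hash is echoed in canonical lowercase form, anything else is treated as a file path. Because hits are keyed to the exact digest, normalizing case and stray labels before lookup avoids "Not categorized" results that are really just typos.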

General information about hash

Kaspersky Threat Intelligence Portal provides the following general information about hashes:

General information about hash (field name and description)

Status

Shows whether the requested hash can be classified as malicious.

The investigated hash may have one of the following statuses:

Clean—Object is not malicious.

Adware and other—Object can be classified as Not-a-virus.

Malware—Object is malicious.

Not categorized—No or not enough information about the object is available to define the category.

Hits

Number of hits (popularity) of the requested hash detected by Kaspersky expert systems.

Number of hits is rounded to the nearest power of 10.

Format

Format of the object being investigated by hash.

Size

Size of the object being investigated by hash (in bytes).

Packed by

Packer name (if any).

Signed by

Organization that signed the file identified by the requested hash.

Signature trust

Trust level (zone) of the object's signature. One of: Discredited, Not trusted, Trusted.

First seen

Date and time when the requested hash was detected by Kaspersky expert systems for the first time, in your computer's local time zone.

Last seen

Date and time when the requested hash was detected by Kaspersky expert systems for the last time, in your computer's local time zone.

MD5

MD5 hash of the file identified by the requested hash.

SHA1

SHA1 hash of the file identified by the requested hash.

SHA256

SHA256 hash of the file identified by the requested hash.

Categories

Categories of the requested hash. If the hash does not belong to any of the defined categories, the General category is displayed.

Reports

Available APT Intelligence, Crimeware Threat Intelligence, and Industrial reports. If you have a valid commercial license for the corresponding service and the requested hash is related to an APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.

Data Feeds

List of Threat Data Feeds that contain information about the requested hash. You can click a link to view the list of available feeds on the Threat Data Feeds page.

Graphical information about hash

The Hash Hit Map (a graphical representation) displays the geographic spread of the requested hash across the world if the number of hits is larger than 10. The map is built from data obtained from users participating in Kaspersky Security Network.

The Detection Statistics chart shows the activity of the requested hash as daily hit statistics.

Additional information about hash

Kaspersky Threat Intelligence Portal displays, in separate tables, additional information about the hash that is being investigated. You can export data from these tables as separate archives.

Additional information about hash (table name, description, table fields, and comments)

Detection names

Detected objects related to the requested hash (for example, HEUR:Exploit.Script.Blocker).

In this table, the following information is displayed:

Color of the zone that the detected object belongs to (red, yellow, gray, green).

Date and time when the object was last detected by Kaspersky expert systems.

Name of the detected object. You can click any entry to view its description on the Kaspersky threats website.

File signatures and certificates

Shows detailed information about signatures and certificates of the file identified by the requested hash.

Status—Status of the file certificate.

Vendor—Owner of the certificate.

Publisher—Publisher of the certificate.

Signed—Date and time when the certificate was signed.

Issued—Date and time when the certificate was issued.

Expires—Expiration date of the certificate.

Serial number—Serial number of the certificate.

Items in the table are sorted by the Signed field in descending order.

Container signatures and certificates

Information about the signatures and certificates of a container.

Status—Status of the container's certificate.

Container MD5—MD5 hash of the container file.

Signed—Date and time when the container's certificate was signed.

Issued—Date and time when the container's certificate was issued.

Expires—Expiration date of the container's certificate.

Items in the table are sorted by the Signed field in descending order.

File names

Known names of the file identified by the requested hash on computers using Kaspersky software.

Private data is not displayed. For example, a file or folder will not be displayed if its name contains a user name.

Hits—Number of file name detections by Kaspersky expert systems.

File names—Name of the file identified by the requested hash.

Items in the table are sorted by the Hits field in descending order.

File paths

Known paths of the file identified by the requested hash on computers using Kaspersky software.

Private data is not displayed. For example, a file or folder will not be displayed if its name contains a user name.

Hits—Number of path detections by Kaspersky expert systems.

Path—Path to the file on user computers identified by the requested hash.

Location—Root folder or drive where the file identified by the requested hash is located on user computers.

Items in the table are sorted by the Hits field in descending order.

The Path and Location fields can be empty if the file is located in the registry.

File downloaded from URLs and domains

Web addresses and domains from which the file identified by the requested hash was downloaded.

Status—Status of web addresses or domains used to download the file identified by the requested hash.

URL—Web addresses used to download the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of a web address to be investigated is limited to 2000 characters; characters beyond this limit are ignored. If a web address is longer, a message window opens asking you to confirm that you still want to investigate the shortened web address.

Last downloaded—Date and time when the file identified by the requested hash was last downloaded from the web address / domain.

Domain—Upper domain of the web address used to download the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the domain.

IP count—Number of IP addresses that the domain resolves to.

Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order.

File accessed the following URLs

Web addresses that were accessed by the file identified by the requested hash.

Status—Status of accessed web addresses.

URL—Web addresses accessed by the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of a web address to be investigated is limited to 2000 characters; characters beyond this limit are ignored. If a web address is longer, a message window opens asking you to confirm that you still want to investigate the shortened web address.

Last accessed—Date and time when the file identified by the requested hash last accessed the web address.

Domain—Upper domain of the web address accessed by the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the domain.

IP count—Number of IP addresses that the domain resolves to.

Items in the table are grouped by status. Items in each group are sorted by the Last accessed field in descending order.

File started the following objects

Objects that were started by the file identified by the requested hash.

Status—Status of started objects.

Hits—Number of times the file identified by the requested hash started the object, as detected by Kaspersky expert systems.

File MD5—MD5 hash of the started object. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.

Location—Root folder or drive where the started object is located on user computers.

Path—Path to the object on user computers.

File name—Name of the started object.

Last started—Date and time when the object was last started by the file identified by the requested hash.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last started field in descending order.

The Path and Location fields can be empty if the file is located in the registry.

File was started by the following objects

Objects that started the file identified by the requested hash.

Status—Status of objects that started the file identified by the requested hash.

Hits—Number of times the file identified by the requested hash was started, as detected by Kaspersky expert systems.

File MD5—MD5 hash of the object that started the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.

Location—Root folder or drive where the object is located on user computers.

Path—Path to the object on user computers.

File name—Name of the object that started the file identified by the requested hash.

Last started—Date and time when the file identified by the requested hash was last started.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last started field in descending order.

The Path and Location fields can be empty if the file is located in the registry.

File downloaded the following objects

Files that were downloaded by the file identified by the requested hash.

Status—Status of downloaded objects.

Hits—Number of times the object was downloaded, as detected by Kaspersky expert systems.

File MD5—MD5 hash of the downloaded object. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.

Location—Root folder or drive where the downloaded object is located on user computers.

Path—Path to the downloaded object on user computers.

File name—Name of the downloaded object.

Last downloaded—Date and time when the object was last downloaded by the file identified by the requested hash.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order.

The Path and Location fields can be empty if the file is located in the registry.

File was downloaded by the following objects

Objects that downloaded the file identified by the requested hash.

Status—Status of objects that downloaded the file identified by the requested hash.

Hits—Number of times the file identified by the requested hash was downloaded, as detected by Kaspersky expert systems.

File MD5—MD5 hash of the object that downloaded the file identified by the requested hash. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.

Location—Root folder or drive where the object is located on user computers.

File name—Name of the object that downloaded the file identified by the requested hash.

Path—Path to the object on user computers.

Last downloaded—Date and time when the file identified by the requested hash was last downloaded.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Items in the table are grouped by status. Items in each group are sorted by the Last downloaded field in descending order.

The Path and Location fields can be empty if the file is located in the registry.

File was unpacked from the following objects

Parent objects of the file identified by the requested hash.

Status—Status of the parent object.

Parent MD5—MD5 hash of the parent object.

Child MD5—MD5 hash of the child object. For direct parent objects (level=0), the MD5 hash of the requested object is displayed.

Parent size—Size of the parent object (in bytes).

Parent type—File type of the parent object.

Parent detection name—Detected objects related to the parent object (for example, HEUR:Exploit.Script.Blocker).

Level—Parent level. The direct parent of the requested object has level=0. The parent of the requested object's parent has level=1, and so on. The maximum possible level is 5.

Items in the table are grouped by parent object status.

Items in each group are sorted by the Level field in ascending order.

File contains the following objects

Child objects of the file identified by the requested hash.

Status—Status of the child object.

Child MD5—MD5 hash of the child object.

Parent MD5—MD5 hash of the parent object. For direct child objects (level=0), the MD5 hash of the requested object is displayed.

Child size—Size of the child object (in bytes).

Child type—File type of the child object.

Child detection name—Detected objects related to the child object (for example, HEUR:Exploit.Script.Blocker).

Level—Child level. The direct child of the requested object has level=0. The child of the requested object's child has level=1, and so on. The maximum possible level is 5.

Items in the table are grouped by child object status.

Items in each group are sorted by the Level field in ascending order.
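The two tables above encode a container chain as flat rows whose Level is the distance from the requested object, so a row at level N can only be the parent (or child) of an object that appeared at level N-1. As an added example (not the portal's code), the Python below rebuilds the chains from such rows, following a row only when its Level matches the current depth, and lists the outermost containers the file arrived in. The rows and MD5 values are constructed placeholders; the field names parent_md5, child_md5 and level are the example's own.

```python
from collections import defaultdict

MAX_LEVEL = 5  # deepest level the table displays

# Constructed sample rows in the shape of the "File was unpacked from the following objects"
# table. The MD5 values are placeholders, not real objects.
REQUESTED = "11111111111111111111111111111111"
ARCHIVE, INSTALLER, ATTACHMENT, MAILBOX, STRAY = ("a" * 32, "b" * 32, "c" * 32, "d" * 32, "e" * 32)
UNPACK_ROWS = [
    {"status": "Malware", "parent_md5": ARCHIVE,    "child_md5": REQUESTED,  "level": 0},
    {"status": "Clean",   "parent_md5": INSTALLER,  "child_md5": REQUESTED,  "level": 0},
    {"status": "Malware", "parent_md5": ATTACHMENT, "child_md5": ARCHIVE,    "level": 1},
    {"status": "Malware", "parent_md5": MAILBOX,    "child_md5": ATTACHMENT, "level": 2},
    # A row whose Level does not match its position in the chain is never followed.
    {"status": "Malware", "parent_md5": STRAY,      "child_md5": ARCHIVE,    "level": 2},
]


def lineage_paths(rows, start_md5, direction="parents", max_level=MAX_LEVEL):
    """Rebuild container chains from flat table rows.

    direction="parents" walks the "unpacked from" table outward from the requested
    object; direction="children" walks the "contains" table inward. Each returned path
    starts with start_md5 and ends with the outermost (or innermost) object reached.
    A row is followed only when its Level equals the current depth, which is how the
    table encodes the chain position.
    """
    if direction == "parents":
        from_key, to_key = "child_md5", "parent_md5"
    elif direction == "children":
        from_key, to_key = "parent_md5", "child_md5"
    else:
        raise ValueError("direction must be 'parents' or 'children'")

    edges = defaultdict(list)  # (md5, level) -> next hops recorded at that level
    for row in rows:
        level = int(row["level"])
        if 0 <= level <= max_level:
            edges[(row[from_key].lower(), level)].append(row[to_key].lower())

    paths = []

    def walk(node, level, path):
        extended = False
        for nxt in edges.get((node, level), []):
            if nxt in path:  # defensive: malformed data must not loop forever
                continue
            extended = True
            walk(nxt, level + 1, path + [nxt])
        if not extended and len(path) > 1:
            paths.append(path)

    walk(start_md5.lower(), 0, [start_md5.lower()])
    return paths


def outermost_objects(rows, start_md5):
    """Top-level containers (archives, installers, mail attachments) the file came in."""
    return sorted({path[-1] for path in lineage_paths(rows, start_md5, "parents")})


if __name__ == "__main__":
    for path in lineage_paths(UNPACK_ROWS, REQUESTED):
        print(" <- ".join(path))
    print("outermost:", outermost_objects(UNPACK_ROWS, REQUESTED))
```

The outermost objects are the ones worth pivoting on next: looking them up shows which delivery vehicle (a mail attachment, an installer) carried the requested file, which is usually a better blocking point than the innermost payload.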

File was attached to email

Information about spam attacks in which the requested object was attached to email messages.

Similar files

Files that are similar to the requested object. Kaspersky systems extract features of the requested file with machine-learning (ML) methods and find similar malicious files. During incident response, this information lets you search more widely for modifications and variations of a malicious object; it also helps you tune perimeter protection against a threat so that its modifications and variations are covered.

Status—Status of the object similar to the file identified by the requested hash.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Confidence—Level of confidence that the object is similar to the file identified by the requested hash. Kaspersky Threat Intelligence Portal displays similar files with a confidence level from 8 to 11.

First seen—Date and time when the similar object was detected by Kaspersky expert systems for the first time (for your local time zone).

Last seen—Date and time, accurate to one minute, when the similar object was detected by Kaspersky expert systems for the last time (for your local time zone).

Hits—Number of hits (popularity) of the similar object, as detected by Kaspersky expert systems (rounded to the nearest power of 10).

MD5—MD5 hash of the object similar to the file identified by the requested hash. Items are clickable; you can select the following actions:

  • Copy—to copy the hash to the clipboard.
  • Lookup—to start the hash lookup and view results on the Threat Lookup page.
  • Lookup in a new tab—to start the hash lookup and view results on the Threat Lookup page in a new tab.

Type—Type of the object similar to the file identified by the requested hash.

Size—Size of the object similar to the file identified by the requested hash (in bytes).

Items in the table are grouped and sorted by confidence in descending order.

Items in groups with the same confidence are sorted by the Status field in descending order, and then by the Last seen field in descending order.
