Malware Hash Registry (MHR)

DNS API

The DNS API supports MD5, SHA1, and SHA256 hashes, and is designed for rapid lookups, much in the same way as other remote blackhole list (RBL) lookups are done. Using DNS has the advantage of communicating over UDP and caching answers locally, so there is much less overhead on both the server and client. There are two types of DNS queries you can perform:

  • A
  • TXT
A Query

The A query will give you a simplified answer. If your hash is considered malware, we will always return 127.0.0.2. If not, no answer will be returned, and the query's status will be set to NXDOMAIN.

TXT Query

The TXT query will give more verbose output, including a scan timestamp and our antivirus package detection rate, if your hash is considered malware in our registry. If it is not, no answer will be returned, and the query's status will be set to NXDOMAIN.

DIG

To query with DNS, prepend your hash to the hostname hash.cymru.com in a DIG command. The DNS API supports the following hash types:

  • MD5
  • SHA1
  • SHA256

Note: Due to the limitations of DNS, SHA256 hashes must be split up into two 32-character segments.

Examples
dig +short 8a62d103168974fba9c61edab336038c.hash.cymru.com TXT

# "[Unix Epoch] [AV Hit %]"
"1611956489 28"
dig +short 8a62d103168974fba9c61edab336038c.hash.cymru.com A

# positive result found
127.0.0.2
dig +short 9b573bc2555d8d35e4a2e927cc14217e.b112f0725cb4ebff4878976a229fde45.hash.cymru.com A

# positive result found
127.0.0.2

Copyright © 2021 Team Cymru. All Rights Reserved.