Malware Hash Registry (MHR)

WHOIS API

The WHOIS API acts like a standard whois server would, except that a MD5, SHA1, or SHA256 hash value instead of a name or address is passed as an argument. A hash can be passed in for a single lookup, or multiple hashes can be passed for a bulk lookup when combined with GNU’s netcat. When issuing requests for two or more hashes we strongly suggest you use netcat for bulk submissions since there is less overhead for both server and client.

whois -h hash.cymru.com 84af04b8e69682782607a0c5796ca56999eda6b3

# hash                           Unix-Epoch AV-Hit-%
8a62d103168974fba9c61edab336038c 1612027684 29

Netcat can be used to do bulk request via whois. A maximum of 1000 hashes is allowed per-request. To perform a bulk submission, first create a text file that starts with the text "BEGIN" and ends with the text "END", with the hashes you wish to search for newline seperated between those two keywords. Then, pass that file as input to netcat.

# create file list1 with this content
begin
7697561ccbbdd1661c25c86762117613
d48a85139dde1eb00ee7460e80f42c35
8a62d103168974fba9c61edab336038c
end

# Run netcat command
netcat hash.cymru.com 43 < list1

# To get this result:

# Bulk Mode; hash.cymru.com; 2021-03-19 17:43:22.129196 +0000 UTC
# SHA1|SHA256|MD5 TIME(unitx_t) DETECTION_PERCENT
7697561ccbbdd1661c25c86762117613 1616175802 NO_DATA
d48a85139dde1eb00ee7460e80f42c35 1616175802 NO_DATA
8a62d103168974fba9c61edab336038c 1612027684 29

Copyright © 2021 Team Cymru. All Rights Reserved.