Today we have the pleasure of announcing the availability of imphash pivoting, directly integrated into totalhash! If you aren’t familiar with imphash, you can read more about it here, thanks to Mandiant!
Both an imphash (Import Hash) and pehash are shown side by side in the totalhash analysis output for a given sample. Here is such an example:
Notice that we have hyperlinked the pehash and the imphash, so you can follow those links to see what other samples might be related to this one by those hashing techniques. Sure enough, if we follow them, we find some other related malware:
PEHASH – 27 Results so far
IMPHASH – 12 Results so far
Now, the method isn’t perfect, but it can be a quick and dirty way of pivoting onto potentially related samples that share some of the same properties.
You can also combine this if you know other characteristics of the malware such as:
This will show all samples matching that imphash that also have the AV signature name ‘VBCrypt.BXJ’ associated with them.
VirusTotal has also recently added this function to its analysis output, so any imphash you find here should be searchable there, and vice versa!
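How the pivot described above works, as an added example rather than totalhash's own code: it computes an imphash following Mandiant's published method (lowercased `library.function` pairs in import-table order, then MD5) over constructed import lists, and narrows the matches by AV signature name. The sample names, import lists, the `Example.Generic` label and the `pivot` helper are assumptions, and ordinal-only imports are not handled.

```python
import hashlib

STRIP_EXTS = {"dll", "ocx", "sys"}  # extensions dropped from library names

def imphash(imports):
    """MD5 over 'library.function' pairs, lowercased, in import-table order."""
    parts = []
    for lib, func in imports:
        pieces = lib.lower().rsplit(".", 1)
        if len(pieces) > 1 and pieces[1] in STRIP_EXTS:
            lib_name = pieces[0]
        else:
            lib_name = lib.lower()
        parts.append(f"{lib_name}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()

def pivot(samples, target, av_name=None):
    """Names of samples sharing `target` imphash, optionally narrowed by AV name."""
    hits = []
    for name, meta in samples.items():
        if imphash(meta["imports"]) != target:
            continue
        if av_name is not None and av_name not in meta["av"]:
            continue
        hits.append(name)
    return sorted(hits)

# Constructed sample records (not real totalhash data).
BASE = [("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
        ("USER32.dll", "MessageBoxA")]
SAMPLES = {
    "sample_a": {"imports": BASE, "av": ["VBCrypt.BXJ"]},
    # Same imports, different casing and no extension: same imphash.
    "sample_b": {"imports": [(l.upper()[:-4], f.lower()) for l, f in BASE],
                 "av": ["Example.Generic"]},
    # Same imports in a different order: different imphash (a known blind spot).
    "sample_c": {"imports": list(reversed(BASE)), "av": ["VBCrypt.BXJ"]},
}

if __name__ == "__main__":
    h = imphash(BASE)
    print("imphash:", h)
    print("same imphash:", pivot(SAMPLES, h))
    print("same imphash + AV name:", pivot(SAMPLES, h, "VBCrypt.BXJ"))
```

Because the hash depends on import order, a relinked or repacked build of the same code can fall outside the cluster, which is one reason to treat a match as a lead rather than proof of relation.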