Imphash Malware Pivoting

Today we are pleased to announce the availability of imphash pivoting, directly integrated into totalhash! If you aren't familiar with imphash, you can read more about it here, thanks to Mandiant:

Mandiant Imphash Write-up

Both an imphash (Import Hash) and pehash are shown side by side in the totalhash analysis output for a given sample. Here is such an example:

http://totalhash.cymru.com/analysis/8a9e24dc5e49965cd4cab5e1a3bb01934ac01dfb

It shows:

  • PEHASH c8e405e2d686d79a0eae5d14f513ee30b06c1213
  • IMPHASH 3243b13e562279ab7fbe2f31e45d3a95

Notice that we have hyperlinked the pehash and the imphash, so you can follow those links to see what other samples might be related to this one by those hashing techniques. Sure enough, if we follow them, we find some other related malware:

PEHASH – 27 Results so far
http://totalhash.cymru.com/search/hash:c8e405e2d686d79a0eae5d14f513ee30b06c1213

IMPHASH – 12 Results so far
http://totalhash.cymru.com/search/hash:3243b13e562279ab7fbe2f31e45d3a95

Now, the method isn't perfect, but it can be a quick and dirty way of pivoting onto potentially related samples that share some of the same properties.
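To make the pivot (and its limits) concrete, here is an added example, not code from totalhash or Mandiant, that reproduces the imphash computation on an already-parsed import table: library names are lower-cased and stripped of their .dll/.ocx/.sys extension, each import becomes "dll.function" (ordinal imports become "ordN"), the strings are joined with commas in import order and MD5-hashed. The sample import tables are constructed, and the well-known-ordinal lookup that the reference implementation applies to a few DLLs is omitted here as a simplification.

```python
import hashlib
from typing import Iterable, List, Tuple, Union

# Extensions stripped from the library name before hashing.
_STRIPPED_EXTS = {"dll", "ocx", "sys"}

# (dll name, [function name or ordinal number, ...]) in import-table order
ImportEntry = Tuple[str, List[Union[str, int]]]


def normalize_imports(imports: Iterable[ImportEntry]) -> List[str]:
    """Turn a parsed import table into the 'dll.function' strings that
    imphash hashes, preserving the order the linker wrote them in."""
    parts = []
    for dll, functions in imports:
        libname = dll.lower()
        stem, sep, ext = libname.rpartition(".")
        if sep and ext in _STRIPPED_EXTS:
            libname = stem
        for func in functions:
            # Ordinal imports carry no name and are written as "ordN"
            # (simplification: no well-known-ordinal resolution here).
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{libname}.{name}")
    return parts


def imphash(imports: Iterable[ImportEntry]) -> str:
    """MD5 over the comma-joined, normalized import list."""
    joined = ",".join(normalize_imports(imports))
    return hashlib.md5(joined.encode("ascii")).hexdigest()


def related_by_imphash(a: Iterable[ImportEntry], b: Iterable[ImportEntry]) -> bool:
    """The pivot totalhash offers: two samples 'match' when imphashes agree."""
    return imphash(a) == imphash(b)


# Constructed sample import tables (not taken from any real sample).
SAMPLE_A = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA", "VirtualAlloc"]),
    ("WS2_32.dll", [23]),  # import by ordinal
]
# Same imports, different order: the imphash changes, so the pivot misses it.
SAMPLE_B = [
    ("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"]),
    ("WS2_32.dll", [23]),
]
# A rebuilt copy that keeps the import order: the imphash is identical.
SAMPLE_C = [(dll, list(funcs)) for dll, funcs in SAMPLE_A]

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label, imphash(sample))
```

Because the hash covers the import order as well as the names, a rebuilt binary with the same imports in a different order shares no imphash with the original, which is one reason the pivot is "quick and dirty" rather than exhaustive.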

You can also combine this with other characteristics of the malware, if you know them, such as:

hash:3243b13e562279ab7fbe2f31e45d3a95 AND av:VBCrypt.BXJ

This will show all samples matching that imphash which also have the AV signature name 'VBCrypt.BXJ' associated with them.

VirusTotal has also recently added this function to their analysis output, so any imphash you find here should be searchable there, and vice versa!