Glossary

Need help using our site? Send us an email to totalhash (at) cymru (dot) com

Search Term Glossary

Having trouble getting what you want from the search feature? Here are some pointers to using each of the available search terms.

av – search for samples that contain a specific phrase in any anti-virus output.

Example: av:*poison*
Example: av:Trojan.Poison

dnsrr – search for samples that contain a specific phrase in any DNS requests made during dynamic analysis.

Example: dnsrr:*.3322.org
Example: dnsrr:mta5.am0.yahoodns.net

email – search for samples that contain a specific phrase in any email address the sample has sent mail to during dynamic analysis.

Example: email:*@mail.ru
Example: email:fernanda88@hotmail.com

filename – search for samples that contain a specific phrase in any filenames that have been created/modified/deleted during dynamic analysis.

Example: filename:*sdra64.exe

hash – search for samples that have a specific SHA1 or MD5 hash. The hash may be of the whole sample or of sections within a sample.

Example: hash:da39a3ee5e6b4b0d3255bfef95601890afd80709

ip – search for samples that have made a network connection to a specific IP address, or for which that IP address was seen in a DNS record.

Example:

ip:8.8.8.8

mutex – search for samples that contain a specific phrase in a mutex value the sample has created during dynamic analysis.

Examples:

mutex:DC_MUTEX_*
mutex:ASPLOG

pdb – search for samples that contain a specific phrase found in the PDB path embedded in a sample.

Example:

pdb:*Documents and Settings*

registry – search for samples that contain a specific phrase found in registry values that have been created/modified/deleted during dynamic analysis.

Example:

registry:*rundll32.exe*

url – search for samples that contain a specific phrase found in any URLs generated during dynamic analysis.

Example:

url:*/gate.php

useragent – search for samples that contain a specific phrase found in any user-agent strings seen in HTTP requests during dynamic analysis.

Examples:

useragent:malware.exe
useragent:*wget*

version – search for samples that contain a specific phrase found in the version string embedded in the sample.

Example:

version:*calc.exe*

Search terms can be combined using the logical operators AND, OR and NOT. For example, the following query finds Poison Ivy samples that do not use the default mutex:

av:*poison* NOT mutex:)!VoqA.I4
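As an added illustration (not totalhash's own code), the following Python sketch evaluates queries written in the syntax described above against a handful of constructed sample records, treating `*` as a glob wildcard and giving NOT, AND and OR the usual precedence. The field names are the ones listed in this glossary; the sample records, the case-insensitive matching and the need to quote patterns containing spaces are assumptions of this example.

```python
import fnmatch
import shlex

# Constructed sample metadata (not real totalhash data): each field lists the
# values observed for that sample. Assumptions: matching is case-insensitive
# and a pattern containing spaces must be quoted for this evaluator.
SAMPLES = {
    "sample-A": {"av": ["Trojan.Poison", "Backdoor.PoisonIvy"],
                 "mutex": [")!VoqA.I4"], "url": ["http://example.test/gate.php"]},
    "sample-B": {"av": ["Trojan.Poison"], "mutex": ["DC_MUTEX_ABC123"]},
    "sample-C": {"av": ["Worm.Generic"], "mutex": ["ASPLOG"], "useragent": ["Wget/1.21"]},
}

def term_matches(record, term):
    """'field:pattern' -> True if ANY value of that field matches the glob."""
    field, _, pattern = term.partition(":")
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower())
               for v in record.get(field, []))

def evaluate(query, record):
    """Terms joined by AND / OR / NOT (NOT > AND > OR); bare adjacency means AND."""
    tokens, pos = shlex.split(query), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("query ends where a term was expected")
        pos += 1
        return tokens[pos - 1]
    def parse_or():
        value = parse_and()
        while peek() == "OR":
            take()
            value = parse_and() or value  # rhs evaluated first so it is consumed
        return value
    def parse_and():
        value = parse_not()
        while peek() not in (None, "OR"):
            if peek() == "AND":
                take()
            value = parse_not() and value
        return value
    def parse_not():
        if peek() == "NOT":
            take()
            return not parse_not()
        return term_matches(record, take())
    return parse_or()

def search(query, samples=SAMPLES):
    return sorted(name for name, rec in samples.items() if evaluate(query, rec))
```

Running `search("av:*poison* NOT mutex:)!VoqA.I4")` against the constructed records returns only sample-B, the one whose AV output mentions Poison but whose mutex is not the default.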