Hash lookup report
After the hash lookup request is processed, available results are displayed on the report page.
A hash lookup report has the same layout and sections as a file analysis report.
In the mobile version of Kaspersky Threat Intelligence Portal, only the basic report for the hash is displayed. You can use a desktop version to view the full report.
Depending on the zone, the hash and its status (Malware, Adware and other, Clean, No threats detected, or Not categorized) are displayed on a panel in one of the following colors:
- Red—The hash can be classified as Malware.
- Yellow—The hash is classified as Adware and other (Adware, Pornware, and other programs).
- Grey—No data is available for the hash.
- Green—The file has Clean or No threats detected status. The No threats detected status is applied if the file was not classified by Kaspersky, but it was previously scanned and/or analyzed, and no threats were detected at the time of the analysis.
The report page contains the following:
- Overview—Displays general information about the requested hash.
- Detection names—Displays information about detects related to the requested hash and previously reported in Kaspersky statistics.
- Dynamic analysis summary—Displays the date when the file identified by the requested hash was last scanned, together with charts of detects, suspicious activities, extracted files, and network interactions registered by Kaspersky expert systems.
- Dynamic analysis detects—Displays information about detects registered during the execution of a file identified by the requested hash.
- Triggered network rules—Displays information about SNORT and Suricata rules triggered during analysis of traffic from the file identified by the requested hash.
- Premium content—Displays sections that contain blurred data about the requested hash. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.
The following tabs are available if the file identified by the requested hash was previously analyzed in Kaspersky Sandbox:
- Results tab—Displays information about dynamic analysis detects and triggered network rules. For registered users, execution map, information about suspicious activities, and screenshots are also available.
- Static analysis tab—Displays Portable Executable (PE) information and information about strings extracted during file execution.
- Tabs that are available for registered users:
  - System activities tab—Displays information about activities that were registered during the file execution.
  - Extracted files tab—Displays information about files that were extracted from network traffic or saved by the executed file during the execution.
  - Network activities tab—Displays information about network activities that were registered during the file execution.
Overview for hash
Kaspersky Threat Intelligence Portal provides the following general information about a submitted hash and the file identified by the hash:
General information about hash and file

| Field name | Description |
|---|---|
| Hits | Number of hits (popularity) of the file identified by the requested hash, as detected by Kaspersky expert systems. The number of hits is rounded to the nearest power of 10. |
| First seen | Date and time when the file identified by the requested hash was first detected by Kaspersky expert systems. |
| Last seen | Date and time when the file identified by the requested hash was last detected by Kaspersky expert systems. |
| Format | Type of the file identified by the requested hash. |
| Size | Size of the file identified by the requested hash. |
| Signed by | Organization whose certificate was used to sign the file identified by the requested hash. |
| Packed by | Packer name (if any). |
| MD5 | MD5 hash of the file. |
| SHA1 | SHA1 hash of the file (if available). |
| SHA256 | SHA256 hash of the file. |
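The Overview lists the three digests a lookup can be keyed on, and several Premium tabs (Started objects, Downloaded objects) identify related files by MD5 only. The following added example, which is not Kaspersky Threat Intelligence Portal code, computes all three digests of a sample in one pass so you can pivot between those tables and a SHA256-keyed inventory, and validates a hash copied from a log or report before you submit it. It assumes the portal accepts the hash as a plain hex string, which is the form the report displays; the `md5:`/`sha256:` prefix handling is an assumption about common tool output, not portal behaviour.

```python
"""Prepare a file for a hash lookup: compute the digests the report's Overview
lists (MD5, SHA1, SHA256) and validate a hash pasted from elsewhere.

Added example; not Kaspersky Threat Intelligence Portal code. It assumes the
portal takes the hash as a plain hex string, as displayed in the report.
"""
import hashlib
import io
import re
from typing import BinaryIO, Dict, Optional, Tuple

# Hex-digest length -> algorithm name, matching the three fields in the Overview table.
HEX_LEN_TO_ALGO = {32: "MD5", 40: "SHA1", 64: "SHA256"}
_HEX_RE = re.compile(r"^[0-9a-f]+$")


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a binary stream once, producing all three digests the report keys on.

    Reading in chunks keeps memory flat for large samples. Computing MD5 alongside
    SHA256 matters because the Started/Downloaded objects tabs list only File MD5,
    so both are needed to pivot from those tables back to a SHA256-keyed inventory.
    """
    digests = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(), "SHA256": hashlib.sha256()}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in digests.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in digests.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for file contents already held in memory."""
    return hash_stream(io.BytesIO(data))


def normalize_hash(value: str) -> Optional[Tuple[str, str]]:
    """Clean up a hash copied from a log or report and identify its algorithm.

    Returns (algorithm, lowercase_hex), or None when the value is not a well-formed
    MD5/SHA1/SHA256 hex digest (wrong length or non-hex characters), so a caller can
    reject it before wasting a lookup request on it.
    """
    candidate = value.strip().lower()
    # Assumption: tolerate an "md5:" / "sha256:" style prefix that some tools emit.
    if ":" in candidate:
        candidate = candidate.rsplit(":", 1)[1].strip()
    algo = HEX_LEN_TO_ALGO.get(len(candidate))
    if algo is None or not _HEX_RE.match(candidate):
        return None
    return algo, candidate


if __name__ == "__main__":
    # Constructed sample contents; a real run would open the suspicious file instead.
    sample = b"abc"
    for algo, digest in hash_bytes(sample).items():
        print(f"{algo:7} {digest}")
    print(normalize_hash("  900150983CD24FB0D6963F7D28E17F72\n"))
    print(normalize_hash("deadbeef"))  # too short for any supported digest -> None
```

Run it against a real sample with `hash_stream(open(path, "rb"))`; the MD5 value is the one to match against the File MD5 columns further down this report, and `normalize_hash` returning `None` means the string you copied was truncated or is not a hex digest at all.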
Detection names
Kaspersky Threat Intelligence Portal provides the following information about known detects related to the hash and previously reported in Kaspersky statistics:
- Color of the zone that the detect belongs to (red or yellow).
- Date and time when the detect was last detected by Kaspersky expert systems.
- Name of the detect. You can click any entry to view its description on the Kaspersky threats website.
Dynamic analysis summary
Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, suspicious activities, extracted files, and network interactions detected during execution of the file identified by the requested hash:
Dynamic analysis summary for a hash

| Chart name | Description |
|---|---|
| Detects | The total number of objects detected during execution of the file identified by the requested hash, and the proportion of objects with Malware (red) or Adware and other (yellow) statuses. |
| Suspicious activities | The total number of suspicious activities registered during execution of the file identified by the requested hash, and the proportion of activities with High (red), Medium (yellow), or Low (grey) levels. |
| Extracted files | The total number of files that were downloaded or dropped by the file identified by the requested hash during execution, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no or not enough information about the extracted files is available to define the category, in grey). |
| Network activities | The total number of registered network activities that the file identified by the requested hash performed during execution, and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey). |
Dynamic analysis detects
Kaspersky Threat Intelligence Portal provides the following information about detected objects related to the file identified by the requested hash. If the file identified by the requested hash was previously analyzed in Kaspersky Sandbox, this section is displayed on the Results tab.
Sandbox detection names

| Field name | Description |
|---|---|
| Status | Danger zone (level) associated with the object (Malware or Adware and other). |
| Name | Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website. |
Triggered network rules
Kaspersky Threat Intelligence Portal provides the following information about SNORT and Suricata rules triggered during analysis of traffic from the file identified by the requested hash. If the file identified by the requested hash was previously analyzed in Kaspersky Sandbox, this section is displayed on the Results tab.
Triggered network rules

| Field name | Description |
|---|---|
| Zone | Danger zone (level) associated with the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info). |
| Rule | SNORT or Suricata rule name. |
Information available to users with Premium Access
Kaspersky Threat Intelligence Portal provides the following detailed information about the requested hash, if available, to users with Premium Access.
Signatures and certificates tab
Information about file signatures and certificates

| Table name | Description | Table fields |
|---|---|---|
| File signatures and certificates | Information about signatures and certificates of the file identified by the requested hash. | Status—Status of the file certificate. Vendor—Owner of the certificate. Publisher—Publisher of the certificate. Signed—Date and time when the file was signed. Issued—Date and time when the certificate was issued. Expires—Expiration date of the certificate. Serial number—Serial number of the certificate. |
| Container signatures and certificates | Information about signatures and certificates of the container. | Status—Status of the container's certificate. Container MD5—MD5 hash of the container file. Signed—Date and time when the container was signed. Issued—Date and time when the container's certificate was issued. Expires—Expiration date of the container's certificate. |
Paths tab
Information about file paths

| Table name | Description | Table fields |
|---|---|---|
| File paths | Known paths to the file on computers using Kaspersky software. | Hits—Number of path detections by Kaspersky expert systems. Path—Path to the file identified by the requested hash on user computers. Location—Root folder or drive where the file identified by the requested hash is located on user computers. |
Names tab
Information about file names

| Table name | Description | Table fields |
|---|---|---|
| File names | Known names of the file on computers using Kaspersky software. | Hits—Number of file name detections by Kaspersky expert systems. File name—Name of the file identified by the requested hash. |
Downloads tab
Information about web addresses from which the file was downloaded

| Table name | Description | Table fields |
|---|---|---|
| File downloaded from web addresses and domains | Web addresses and domains from which the file was downloaded. | Status—Status of web addresses or domains used to download the file identified by the requested hash. Web address—Web addresses used to download the file identified by the requested hash. Last downloaded—Date and time when the file identified by the requested hash was last downloaded from the web address / domain. Domain—Upper domain of the web address used to download the file identified by the requested hash. IP count—Number of IP addresses that the domain resolves to. |
Web addresses tab
Information about web addresses

| Table name | Description | Table fields |
|---|---|---|
| File accessed the following web addresses | Web addresses accessed by the file identified by the requested hash. | Status—Status of accessed web addresses. Web address—Web addresses accessed by the file identified by the requested hash. Last accessed—Date and time when the file identified by the requested hash last accessed the web address. Domain—Upper domain of the web address accessed by the file identified by the requested hash. IP count—Number of IP addresses that the domain resolves to. |
Started objects tab
Information about started objects

| Table name | Description | Table fields |
|---|---|---|
| File started the following objects | Objects started by the file identified by the requested hash. | Status—Status of started objects. Hits—Number of times the file identified by the requested hash started the object, as detected by Kaspersky expert systems. File MD5—MD5 hash of the started object. Location—Root folder or drive where the started object is located on user computers. Path—Path to the object on user computers. File name—Name of the started object. Last started—Date and time when the object was last started by the file identified by the requested hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
| File was started by the following objects | Objects that started the file identified by the requested hash. | Status—Status of objects that started the file identified by the requested hash. Hits—Number of times the file identified by the requested hash was started, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that started the file identified by the requested hash. Location—Root folder or drive where the object is located on user computers. Path—Path to the object on user computers. File name—Name of the object that started the file identified by the requested hash. Last started—Date and time when the file identified by the requested hash was last started. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
Downloaded objects tab
Information about downloaded objects

| Table name | Description | Table fields |
|---|---|---|
| File downloaded the following objects | Objects downloaded by the file identified by the requested hash. | Status—Status of downloaded objects. Hits—Number of times the object was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded object. Location—Root folder or drive where the downloaded object is located on user computers. Path—Path to the downloaded object on user computers. File name—Name of the downloaded object. Last downloaded—Date and time when the object was last downloaded by the file identified by the requested hash. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
| File was downloaded by the following objects | Objects that downloaded the file identified by the requested hash. | Status—Status of objects that downloaded the file identified by the requested hash. Hits—Number of times the file identified by the requested hash was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that downloaded the file identified by the requested hash. Location—Root folder or drive where the object is located on user computers. Path—Path to the object on user computers. File name—Name of the object that downloaded the file identified by the requested hash. Last downloaded—Date and time when the file identified by the requested hash was last downloaded. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |