Kaspersky Threat Intelligence Portal

Hash lookup report

After the hash lookup request is processed, available results are displayed on the report page.

A hash lookup report is consistent with a file analysis report.

In the mobile version of Kaspersky Threat Intelligence Portal, only the basic report for the hash is displayed. You can use a desktop version to view the full report.

Depending on the zone, the hash and its status (Malware, Adware and other, Clean, No threats detected, or Not categorized) are displayed on a panel in one of the following colors:

  • Red—The hash can be classified as Malware.
  • Yellow—The hash is classified as Adware and other (Adware, Pornware, and other programs).
  • Grey—No data is available for the hash.
  • Green—The executed file has Clean or No threats detected status. The No threats detected status is applied if the file was not classified by Kaspersky, but it was previously scanned and/or analyzed, and no threats were detected at the time of the analysis.

The report page contains the following:

  • Overview—Displays general information about the requested hash.
  • Detection names—Displays information about detects related to the requested hash and previously reported in Kaspersky statistics.
  • Dynamic analysis summary—Displays the date of the last scan of the file identified by the requested hash and charts of detects, suspicious activities, extracted files, and network interactions detected by Kaspersky expert systems.
  • Dynamic analysis detects—Displays information about detects registered during the execution of a file identified by the requested hash.
  • Triggered network rules—Displays information about SNORT and Suricata rules triggered during analysis of traffic from the file identified by the requested hash.
  • Premium content—Displays sections that contain blurred data about the requested hash. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.

The following tabs are available if the file identified by the requested hash was previously analyzed in Kaspersky Sandbox:

  • Results tab—Displays information about dynamic analysis detects and triggered network rules. For registered users, execution map, information about suspicious activities, and screenshots are also available.
  • Static analysis tab—Displays Portable Executable (PE) information and information about strings extracted during file execution.
  • Tabs that are available for registered users:
    • System activities tab—Displays information about activities that were registered during the file execution.
    • Extracted files tab—Displays information about files that were extracted from network traffic or saved by the executed file during the execution.
    • Network activities tab—Displays information about network activities that were registered during the file execution.

Overview for hash

Kaspersky Threat Intelligence Portal provides the following general information about a submitted hash and the file identified by the hash:

General information about hash and file

| Field name | Description |
|---|---|
| Hits | Number of hits (popularity) of the file identified by the requested hash detected by Kaspersky expert systems. Number of hits is rounded to the nearest power of 10. |
| First seen | Date and time when the file identified by the requested hash was first detected by Kaspersky expert systems. |
| Last seen | Date and time when the file identified by the requested hash was last detected by Kaspersky expert systems. |
| Format | Type of the file identified by the requested hash. |
| Size | Size of the file identified by the requested hash. |
| Signed by | Organization that signed the hash. |
| Packed by | Packer name (if any). |
| MD5 | MD5 hash. |
| SHA1 | SHA1 hash (if available). |
| SHA256 | SHA256 hash. |


Detection names

Kaspersky Threat Intelligence Portal provides the following information about known detects related to the hash and previously reported in Kaspersky statistics:

  • Color of the zone that the detect belongs to (red or yellow).
  • Date and time when the detect was last detected by Kaspersky expert systems.
  • Name of the detect. You can click any entry to view its description on the Kaspersky threats website.

Dynamic analysis summary

Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, suspicious activities, extracted files, and network interactions detected during execution of the file identified by the requested hash:

Dynamic analysis summary for a hash

| Chart name | Description |
|---|---|
| Detects | The total number of objects detected during execution of the file identified by the requested hash, and the proportion of objects with Malware (red) or Adware and other (yellow) statuses. |
| Suspicious activities | The total number of suspicious activities registered during execution of the file identified by the requested hash and the proportion of activities with High (red), Medium (yellow), or Low (grey) levels. |
| Extracted files | The total number of files that were downloaded or dropped by the file identified by the requested hash during the execution process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no or not enough information about the extracted files is available to define the category, in grey). |
| Network activities | The total number of registered network activities that the file identified by the requested hash performed during the execution process and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey). |


Dynamic analysis detects

Kaspersky Threat Intelligence Portal provides the following information about detected objects related to the file identified by the requested hash. If the file identified by the requested hash was previously analyzed in Kaspersky Sandbox, this section is displayed on the Results tab.

Sandbox detection names

| Field name | Description |
|---|---|
| Status | Danger zone (level) associated with object (Malware or Adware and other). |
| Name | Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website. |


Triggered network rules

Kaspersky Threat Intelligence Portal provides the following information about SNORT and Suricata rules triggered during analysis of traffic from the file identified by the requested hash. If the file identified by the requested hash was previously analyzed in Kaspersky Sandbox, this section is displayed on the Results tab.

Triggered network rules

| Field name | Description |
|---|---|
| Zone | Danger zone (level) associated with the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info). |
| Rule | SNORT or Suricata rule name. |


Information available to users with Premium Access

Kaspersky Threat Intelligence Portal provides the following detailed information about the requested hash, if available, to users with Premium Access.

Signatures and certificates tab

Information about file signatures and certificates

Table name: File signatures and certificates

Description: Information about signatures and certificates of the file identified by the requested hash.

Table fields:

  • Status—Status of the file certificate.
  • Vendor—Owner of the certificate.
  • Publisher—Publisher of the certificate.
  • Signed—Date and time when the certificate was signed.
  • Issued—Date and time when the certificate was issued.
  • Expires—Expiration date of the certificate.
  • Serial number—Serial number of the certificate.

Table name: Container signatures and certificates

Description: Information about signatures and certificates of the container.

Table fields:

  • Status—Status of the container's certificate.
  • Container MD5—MD5 hash of the container's file.
  • Signed—Date and time when the container's certificate was signed.
  • Issued—Date and time when the container's certificate was issued.
  • Expires—Expiration date of the container's certificate.

Paths tab

Information about file paths

Table name: File paths

Description: Known paths to the file on computers using Kaspersky software.

Table fields:

  • Hits—Number of path detections by Kaspersky expert systems.
  • Path—Path to the file on user computers identified by the requested hash.
  • Location—Root folder or drive where the file identified by the requested hash is located on user computers.

Names tab

Information about file names

Table name: File names

Description: Known names of the file on computers using Kaspersky software.

Table fields:

  • Hits—Number of file name detections by Kaspersky expert systems.
  • File name—Name of the file identified by the requested hash.

Downloads tab

Information about web addresses from which the file was downloaded

Table name: File downloaded from web addresses and domains

Description: Web addresses and domains from which the file was downloaded.

Table fields:

  • Status—Status of web addresses or domains used to download the file identified by the requested hash.
  • Web address—Web addresses used to download the file identified by the requested hash.
  • Last downloaded—Date and time when the file identified by the requested hash was last downloaded from the web address / domain.
  • Domain—Upper domain of the web address used to download the file identified by the requested hash.
  • IP count—Number of IP addresses that the domain resolves to.

Web addresses tab

Information about web addresses

Table name: File accessed the following web addresses

Description: Web addresses accessed by the file identified by the requested hash.

Table fields:

  • Status—Status of accessed web addresses.
  • Web address—Web addresses accessed by the file identified by the requested hash.
  • Last accessed—Date and time when the file identified by the requested hash last accessed the web address.
  • Domain—Upper domain of the web address accessed by the file identified by the requested hash.
  • IP count—Number of IP addresses that the domain resolves to.

Started objects tab

Information about started objects

Table name: File started the following objects

Description: Objects started by the file identified by the requested hash.

Table fields:

  • Status—Status of started objects.
  • Hits—Number of times the file identified by the requested hash started the object, as detected by Kaspersky expert systems.
  • File MD5—MD5 hash of the started object.
  • Location—Root folder or drive where the started object is located on user computers.
  • Path—Path to the object on user computers.
  • File name—Name of the started object.
  • Last started—Date and time when the object was last started by the file identified by the requested hash.
  • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Table name: File was started by the following objects

Description: Objects that started the file identified by the requested hash.

Table fields:

  • Status—Status of objects that started the file identified by the requested hash.
  • Hits—Number of times the file identified by the requested hash was started, as detected by Kaspersky expert systems.
  • File MD5—MD5 hash of the object that started the file identified by the requested hash.
  • Location—Root folder or drive where the object is located on user computers.
  • Path—Path to the object on user computers.
  • File name—Name of the object that started the file identified by the requested hash.
  • Last started—Date and time when the file identified by the requested hash was last started.
  • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Downloaded objects tab

Information about downloaded objects

Table name: File downloaded the following objects

Description: Objects downloaded by the file identified by the requested hash.

Table fields:

  • Status—Status of downloaded objects.
  • Hits—Number of times the object was downloaded, as detected by Kaspersky expert systems.
  • File MD5—MD5 hash of the downloaded object.
  • Location—Root folder or drive where the downloaded object is located on user computers.
  • Path—Path to the downloaded object on user computers.
  • File name—Name of the downloaded object.
  • Last downloaded—Date and time when the object was last downloaded by the file identified by the requested hash.
  • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Table name: File was downloaded by the following objects

Description: Objects that downloaded the file identified by the requested hash.

Table fields:

  • Status—Status of objects that downloaded the file identified by the requested hash.
  • Hits—Number of times the file identified by the requested hash was downloaded, as detected by Kaspersky expert systems.
  • File MD5—MD5 hash of the object that downloaded the file identified by the requested hash.
  • Location—Root folder or drive where the object is located on user computers.
  • File name—Name of the object that downloaded the file identified by the requested hash.
  • Path—Path to the object on user computers.
  • Last downloaded—Date and time when the file identified by the requested hash was last downloaded.
  • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).
