LIVE NEWSROOM · --:-- · May 15, 2026
A LIBRARY FOR SECURITY RESEARCHERS

TOOLS  /  HASH REPUTATION

Hash Reputation Checker

Paste an MD5, SHA-1, or SHA-256 hash. Or drop a file (we hash it locally — never uploaded). Cross-references MalwareBazaar and VirusTotal feeds.

Or (max 50 MB, hashed locally in your browser):

    What it does

    When you encounter an unknown executable, the fastest triage step is hash reputation: compute its cryptographic fingerprint and check threat-intel feeds for prior submissions. Our checker queries MalwareBazaar (abuse.ch’s curated malicious-sample database) and VirusTotal, returning the aggregated verdict plus per-source details. If you drop a file, we compute SHA-256 locally in your browser via WebCrypto — only the hash is transmitted, never the file itself.

    How to use it

    1. Paste a hash (MD5 = 32 chars, SHA-1 = 40 chars, SHA-256 = 64 chars) OR drop a file (we hash it locally).
    2. Results: detection ratio from VirusTotal (e.g. 66/75), malware family from MalwareBazaar.
    3. For known-malicious samples: review tags (e.g. "stealer", "trojan") and first-seen date to gauge campaign age.
    4. Cross-reference with our news posts mentioning the family for IOC packs and YARA rules.

    Common use cases

    EDR alert triage When your EDR flags an unknown process by hash, check here before quarantining — known-clean software hashes return cleanly.
    File-attachment phishing screening Compute the hash of suspicious attachments and check before opening in a sandbox.
    Threat-hunting validation When a hunting query surfaces a candidate IOC, validate it’s actually associated with malware before pivoting.
    Verifying a vendor-supplied IOC list Some vendor IOC packs include stale or false-positive hashes — verify each independently.

    Frequently asked questions

    Is my file uploaded when I drop it? +
    No. SHA-256 is computed in your browser using the WebCrypto API — only the resulting 64-character hash is sent to our server. The file contents never leave your device.
    Why does VirusTotal show "not_in_database"? +
    The hash has never been submitted to VT. Either the file is new (less than a few hours old in the wild), purely internal (one-off corporate build), or rare. Cross-check MalwareBazaar.
    What does the detection ratio mean? +
    66/75 means 66 of the 75 antivirus engines on VirusTotal flagged the file as malicious. ≥ 10 detections is high confidence malicious. 1–3 detections may be a false positive — investigate further.
    Which hash type is most reliable? +
    SHA-256 — collision-resistant and used by all modern threat feeds. SHA-1 and MD5 still work for lookups but are cryptographically broken.
    What’s the rate limit? +
    30 lookups per IP per hour for the free tier. If you need more for sustained use, contact us.

    Related tools

    Related coverage on Ciphers Security

    Free for everyone, no signup required. Tool runs at /tools/hash-reputation/ — bookmark or share.

    Scroll to Top