The Malware Hash Registry (MHR) is a continuously updated repository of file hashes (MD5, SHA1, and SHA256) associated with known malicious or suspicious files. It is maintained in real time to help security professionals identify threats quickly.
By verifying file hashes against MHR, organizations can determine if a file is infected before it spreads within a network. This approach is especially useful in scenarios where full antivirus solutions cannot be deployed (e.g., servers with limited resources or certain IoT devices). MHR also enriches security systems (SIEM, SOAR, EDR, XDR) by providing real-time threat insights.
When a file is uploaded via a website form or detected on a system, its hash can be checked against MHR. If the hash is flagged as malicious, the file is blocked or isolated as a precaution. Since MHR is lightweight, it integrates well with existing security workflows and can supplement traditional antivirus products.
Single Hash Lookup
A single file hash (MD5, SHA1, or SHA256) can be checked by sending a GET request to the following endpoint:
Example Response
Batch Hash Lookup
Multiple file hashes (up to 100) can be checked in a single request by sending a POST to the following endpoint:
Example Response
Response keys
| Key | Description |
| --- | --- |
| found | Indicates whether the requested hash exists in the database. |
| infected | Indicates whether the hash is associated with a known infection. |
| last_access | Timestamp of the most recent request for this hash by any API user. |
| created_at | Timestamp when the hash was first added to the database. |
| severity | Infection-prevalence score (0-10). |
| sha256 | SHA-256 digest of the file. |
| sha1 | SHA-1 digest of the file. |
| md5 | MD5 digest of the file. |
| classification | Malware family or threat name assigned to the sample, when available. |
| infection_type | High-level category of the threat (e.g. trojan, worm, adware, backdoor, hoax). |
| platform | Operating system or environment targeted by the malware (e.g. Win32, Android, Linux, MS Office, script). |
| views | Counter of how many times this hash has been queried. |
| size | File size in bytes. |
| downloadable | Shows whether the sample can be downloaded by the current account. |
| download_meta | Additional metadata about the downloadable sample (returned only when downloads are enabled). |
| downloads | Number of times the file has been downloaded (returned only when downloads are enabled). |
| storage | List of Threat Lab datacentres where a hot copy of the file is stored (returned only when downloads are enabled). |
| ssdeep | Context-triggered piecewise hash (SSDEEP) of the file. |
| peinfo | Parsed Portable-Executable header information (for Windows binaries). |
| apkinfo | Extracted manifest and certificate data from an Android APK. |
| magic | Human-readable file-type string derived from magic bytes. |
| tags | User- or system-assigned tags that label the file (e.g. ransomware, cobalt-strike, leaked). |
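
The upload-screening workflow described above, as an added example that is not part of MHR's documentation: it hashes a file once for all three digest types, groups hashes to respect the 100-per-request batch limit, and turns one response record into a local action. The lookup call itself is left out because the endpoint is not shown here; the function names, the boolean and numeric types assumed for `found`, `infected` and `severity`, and the `block_at` threshold are assumptions.

```python
import hashlib
import io

MAX_BATCH = 100  # the page's stated limit for one batch lookup


def file_digests(stream, chunk_size=65536):
    """Hash a binary stream in one pass, producing the three digest types MHR accepts."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def batches(hashes, size=MAX_BATCH):
    """Normalise and de-duplicate hashes, then split them into request-sized groups."""
    unique = list(dict.fromkeys(h.strip().lower() for h in hashes if h.strip()))
    return [unique[i:i + size] for i in range(0, len(unique), size)]


def verdict(record, block_at=7):
    """Map one response record to a local action.

    Assumptions: 'found' and 'infected' are booleans and 'severity' is a
    number from 0 to 10; block_at is a local policy threshold, not an MHR value.
    """
    if not record.get("found"):
        return "allow-unknown"  # not in the registry: no evidence either way
    if not record.get("infected"):
        return "allow"
    severity = record.get("severity") or 0
    return "block" if severity >= block_at else "quarantine"


if __name__ == "__main__":
    upload = io.BytesIO(b"constructed sample upload, not a real file")
    print(file_digests(upload))
    # Constructed records that use the documented response keys.
    samples = [
        {"found": False},
        {"found": True, "infected": False, "severity": 0},
        {"found": True, "infected": True, "severity": 3, "infection_type": "adware"},
        {"found": True, "infected": True, "severity": 9, "infection_type": "trojan"},
    ]
    for rec in samples:
        print(verdict(rec), rec)
```

A hash that is not found is reported as `allow-unknown` rather than `allow`, so downstream tooling can still route unknown files to other checks.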