top of page
Securing Your DNS from Unknown Networks

Malware Hash Registry (MHR)

Free. Forever.

A virus and malware validation force

Automate your searches across 30+ databases to catch what your other detection tools have missed

Discover Malware Hash Registry

Identify new or emerging malware that may not be detected by your existing anti-malware tools.

MHR is our free malware validation tool that searches against 30+ antivirus databases and our own malware database to serve as a force multiplier for malware detection and validation. It’s like having an army of malware detectors giving you insight single antivirus solutions cannot.

Researchers and analysts can submit their malware hashes via the MHR portal to get near-real-time results that tell them the percentage of malware databases containing signature matches.


Developers and networks security teams can integrate MHR into existing workflows to augment malware detection.


Malware Hash Registry Features

  • Access to 8+ years of Team Cymru malware analysis

  • Support for MD5, SHA-1 and SHA-256

  • Ask us about our REST API!

Validate file samples quickly and easily by cross-referencing 30+ antivirus databases and Team Cymru’s malware analysis in a single lookup.​

Use Cases


Integrate With...

  • Secure Gateways

  • Cloud Access Security Brokers

  • Document Management Systems

For non-commercial use only.

Help us ensure stable service.

If you are planning on implementing or automating the use of this service in any free or open software, application or host, PLEASE let us know in advance. We would like to adequately plan for capacity and make sure that we can handle the additional load you may generate. Please use the WHOIS-based service for larger queries. We have had instances where large deployments are put in place without informing us in advance, making it difficult to maintain a stable service for the rest of the community.

Attempting to enumerate the malware registry via the public service interface is not only impractical, it is also strictly prohibited. Contact us if the public interface is insufficient for your needs and we may be able to come up with alternative arrangement.


  • Near-real-time results include file #, Time Stamp (EPOC) and signature match percentage.

  • Positive hits return the last time we saw the sample along with an approximate antivirus detection percentage.

  • Cross-references 30+ antivirus databases and 8+ years of Team Cymru malware analysis.

  • Support for MD5,  SHA-1 and SHA-256 hashes.

  • Access via HTTPS, DNS, WHOIS

  • False positive mitigation:

    • We don’t list items with less than 10% detection rate.

    • We exclude entries present in the NIST database.

    • We try to exclude multiple copies of polymorphic malware.

Service Options

Whois (TCP 43) *

DNS (UDP 53) *


Ask us about our REST API!

* Please be mindful of your risk tolerance and privacy concerns when choosing your transport protocol. DNS is convenient and a standard internet protocol, but does not normally afford the user integrity and confidentiality. HTTPS is recommended for those wanting increased integrity and confidentiality.

  • How do I use the reputation feed?
    This is designed to be a near-real-time feed to allow subscribers to monitor for infected computers visiting their networks. Subscribers can utilize the IP Reputation Feed to identify compromised hosts as they access their networks, thus enabling them to monitor or block these infected hosts before they can cause any damage. Combine the other categories we include and you have the most complete list possible. Possible uses include: Banks checking for infected customers at sign-on Companies pro-actively monitoring for exfiltration of data via bots ISPs checking for infected customers and other abuse Vendors importing data for enterprise appliances
  • Where do you get the data?
    This information is gathered through a number of methods, including malware analysis, observation of botnet command and control (C&C) botnets that we have uniquely decoded, and monitoring of dark IP space (darknets).
  • What is the ‘REPUTATION_SCORE’ entry?
    As part of the XML file for this report, each IP has been assigned a “reputation” value derived from various methods. The key used to calculate this value is included in the feed. The intention is that clients determine what issues are most important to them and adapt their policy accordingly. At Team Cymru, we understand that no one can make that determination for you better than you. To facilitate that decision-making capability, we prefer to give you a reputation value to assist you. You may decide that some threats are important, and others are not. This value will help you along the way.
bottom of page