Fingerprinting in Malware
A cryptographic hash function maps the contents of a file to a fixed-size digest. For a secure hash it is computationally infeasible to find two files with different content but the same hash (a collision), and changing even one byte produces a completely different digest. Only the content is hashed, so renaming a file does not change its hash; this is why hashes are used as identifiers for samples.
Command-line tools for calculating file hashes:
md5sum
sha1sum
sha256sum
MD5 and SHA-1 are considered broken: practical collision attacks exist for both, so an attacker can craft two different files that share the same MD5 or SHA-1. They remain useful as lookup keys for samples that are already in a database, but they should not be relied on to prove that two files are identical. SHA-256 has no known practical attack and is the recommended choice for hashing a file.
Finding similar files using hashes
Some types of hashes can help identify similarity between different files:
Imphash: means "import hash". Imports are the functions that an executable file calls from other files, normally DLLs, and they are listed in the file's import table. The imphash is a hash calculated over the names of those DLLs and functions in the order in which they appear in the import table, an order that depends on the source code and on the compiler/linker that built the sample. With PEstudio we can calculate this type of hash:
Any samples with the same imports in the same order will have the same imphash, which suggests they were built from the same code or with the same toolchain. One caveat: a packed sample's import table belongs to the packer stub rather than to the payload, so every sample packed with the same packer shares the packer's imphash regardless of what it unpacks to.
In the screenshot above all the samples share the same imphash, which may help us to see which family they belong to.
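The following is an added example, not code from the page, from PEstudio or from pefile. It computes the imphash the way pefile and PEstudio define it (lower-cased "library.function" strings in import-table order, extensions stripped, MD5 of the comma-joined list) over constructed import tables for three hypothetical samples, so that the "same imports, same imphash" and "same imports, different order, different imphash" behaviour can be seen without a real PE file. Parsing the import table out of an actual executable is left out so the block runs offline; the handling of imports by ordinal is a labelled simplification.

```python
"""imphash over a constructed import list (added example, not pefile/PEStudio code)."""
import hashlib


def normalise_library(dll):
    """Lower-case the DLL name and drop a .dll/.ocx/.sys extension, as pefile does."""
    name = dll.lower()
    base, _, ext = name.rpartition(".")
    if base and ext in ("dll", "ocx", "sys"):
        return base
    return name


def imphash(imports):
    """imports: iterable of (dll, function name or ordinal) in import-table order.

    Simplification (assumption of this example): an import by ordinal becomes
    'ordN'. Real tools first map well-known ordinals back to names, e.g. pefile
    turns ws2_32 ordinal 23 into 'socket', so for ordinal-only imports the hex
    value here will differ from pefile's. Name imports match pefile exactly.
    """
    parts = []
    for dll, func in imports:
        if isinstance(func, int):
            func = f"ord{func}"
        parts.append(f"{normalise_library(dll)}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# Constructed import tables for three hypothetical samples (not real malware).
SAMPLE_1 = [("KERNEL32.dll", "GetProcAddress"),
            ("KERNEL32.dll", "LoadLibraryA"),
            ("WS2_32.dll", 23)]
# Same imports, different casing of the names: normalisation makes this identical.
SAMPLE_2 = [("kernel32.DLL", "getprocaddress"),
            ("Kernel32.dll", "LoadLibraryA"),
            ("ws2_32.dll", 23)]
# Same functions but a different order in the import table: different imphash.
SAMPLE_3 = [("KERNEL32.dll", "LoadLibraryA"),
            ("KERNEL32.dll", "GetProcAddress"),
            ("WS2_32.dll", 23)]


if __name__ == "__main__":
    for name, table in (("sample1", SAMPLE_1), ("sample2", SAMPLE_2), ("sample3", SAMPLE_3)):
        print(name, imphash(table))
```

Because the order matters, a sample whose imports have been re-sorted by a linker or rebuilt by a different packer gets a new imphash even though it calls exactly the same APIs; treat a matching imphash as a lead to pivot on, not as proof of a shared family.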
Fuzzy/ssdeep hashes: a fuzzy hash is a context-triggered piecewise hash (CTPH). Instead of hashing the whole file at once, the file is split into chunks whose boundaries are chosen by a rolling hash over the content (the "context trigger"), each chunk is hashed separately, and the result is a signature made up of one small hash per chunk. Because the chunk boundaries depend on the content rather than on fixed offsets, inserting or changing a few bytes only alters the chunks around the edit, so two files that share most of their bytes get similar signatures even though their whole-file hashes are completely different. Comparing two signatures gives a similarity score from 0 to 100. This type of hash can be calculated with CyberChef, but ssdeep.exe makes it much easier and more convenient.
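The following is an added example, not code from the page or from the ssdeep project. It is a small CTPH in the style of ssdeep: the 7-byte rolling hash, the FNV chunk hash, the trigger rule and the block-size choice follow ssdeep's published design, while the comparison step is a simplification (difflib's similarity ratio instead of ssdeep's weighted edit distance, no matching across adjacent block sizes, and no minimum common-substring rule). The three inputs are constructed in the block (pseudo-random bytes, one copy with 16 bytes inserted in the middle, and an unrelated file) to show that a local edit barely moves the fuzzy hash while it changes SHA-256 completely.

```python
"""Toy context-triggered piecewise hash in the style of ssdeep (added example)."""
import hashlib
import random
from difflib import SequenceMatcher

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7             # rolling-hash window in bytes
MIN_BLOCKSIZE = 3
SPAMSUM_LENGTH = 64    # target signature length, as in ssdeep
FNV_PRIME = 0x01000193
FNV_INIT = 0x28021967  # ssdeep's HASH_INIT
MASK = 0xFFFFFFFF


class RollingHash:
    """ssdeep-style rolling hash. Its value depends only on the last 7 bytes,
    so chunk boundaries re-synchronise a few bytes after any edit."""

    def __init__(self):
        self.window = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0
        self.n = 0

    def update(self, c):
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & MASK
        self.h1 = (self.h1 + c - self.window[self.n % WINDOW]) & MASK
        self.window[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & MASK
        return (self.h1 + self.h2 + self.h3) & MASK


def pick_blocksize(length):
    """Smallest block size whose expected signature fits in SPAMSUM_LENGTH chars."""
    bs = MIN_BLOCKSIZE
    while bs * SPAMSUM_LENGTH < length:
        bs *= 2
    return bs


def piecewise_signature(data, blocksize):
    """One base64 char per chunk; a chunk ends when the rolling hash hits the trigger."""
    roll = RollingHash()
    chunk, pending, out = FNV_INIT, 0, []
    for c in data:
        chunk = ((chunk * FNV_PRIME) ^ c) & MASK       # FNV-1 over the current chunk
        pending += 1
        if roll.update(c) % blocksize == blocksize - 1:  # context trigger
            out.append(B64[chunk & 63])
            chunk, pending = FNV_INIT, 0
    if pending:                                        # flush the trailing partial chunk
        out.append(B64[chunk & 63])
    return "".join(out)


def fuzzy_hash(data):
    """ssdeep-style output: blocksize:signature:signature_at_double_blocksize.
    (Real ssdeep also halves the block size when the signature comes out too short.)"""
    bs = pick_blocksize(len(data))
    return f"{bs}:{piecewise_signature(data, bs)}:{piecewise_signature(data, 2 * bs)}"


def compare(h1, h2):
    """0-100 similarity of two fuzzy hashes. Simplified: ssdeep uses a weighted edit
    distance, also compares across adjacent block sizes, and returns 0 unless the
    signatures share a common substring of at least 7 characters."""
    bs1, sig1, _ = h1.split(":")
    bs2, sig2, _ = h2.split(":")
    if bs1 != bs2:
        return 0
    return round(100 * SequenceMatcher(None, sig1, sig2).ratio())


def _constructed_bytes(seed, n):
    """Deterministic pseudo-random bytes standing in for file content (constructed, not real samples)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


SAMPLE_A = _constructed_bytes(1, 4000)
SAMPLE_B = _constructed_bytes(2, 4000)                       # unrelated content
SAMPLE_A_PATCHED = SAMPLE_A[:2000] + _constructed_bytes(3, 16) + SAMPLE_A[2000:]  # 16 bytes inserted


if __name__ == "__main__":
    for name, data in (("A", SAMPLE_A), ("A_patched", SAMPLE_A_PATCHED), ("B", SAMPLE_B)):
        print(name, hashlib.sha256(data).hexdigest()[:16], fuzzy_hash(data))
    print("A vs A_patched:", compare(fuzzy_hash(SAMPLE_A), fuzzy_hash(SAMPLE_A_PATCHED)))
    print("A vs B:        ", compare(fuzzy_hash(SAMPLE_A), fuzzy_hash(SAMPLE_B)))
```

Running it shows the three SHA-256 prefixes all different, while the fuzzy hashes of A and A_patched differ only in the one or two characters around the inserted bytes and score high against each other, and A against B scores low. The block-size prefix is what makes signatures comparable at all: two files of very different sizes get different block sizes, which is why ssdeep emits the second signature at double the block size.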