hashdd

Build and Search Threat Feeds.

About hashdd

Build feeds, get more from your tools, and understand the threat

hashdd aims to help analysts make convictions faster by joining datasets and presenting them in an easy way.

  • Build Feeds

    Create an indicator feed using status update style formatting, then compare your findings to others. Check out our example feeds.

  • Query Third Party APIs

    Use third-party APIs for a quick determination on indicators without writing a line of code. Set up your API keys here.

  • Block the bad

    Subscribe and ingest feeds or use our free extensions to block threats.

Sign up Now!

hashdd stats

13.1m Hashes
1.2k Queries a Day
212 Total Users
278 Operating Systems

Frequently Asked Questions

How do I get an API Key?

API Keys are FREE with registration! Just click Sign In to get one!

What hash type is best to look up?

hashdd supports lots of different hash types; however, third-party data sometimes isn't as robust for all of them. Because of this, we recommend searching by MD5.

Are "Known Good" things included too?

Yes! hashdd started as a Known Good database! We've pulled in NSRL data and spent countless hours profiling operating system and software package installations so you can tell if what you're looking at is good or bad!

Can I download things?

Yes! Authenticated users can download any files with a bad intent. This includes user-uploaded files that the community has decided are bad (negative votes). The download button will be shown for all hashes, however the button will only be functional for bad ones.

Goodies

pyhashdd

At hashdd's core is pyhashdd, a killer Python library for profiling files and building hash databases. You can use pyhashdd as a command line tool or a Python import to make your own hashdd, or query our API.

Browser extension

We've built a browser extension so that you can use the hashdd.com API to identify if the file is known good or bad. Once your download completes, click the hashdd extension icon, then drag and drop the download into the analyze field.


Bloom Filters

Our Bloom Filters allow for super fast offline lookups and are built using popular open source libraries. This enables you to include hashdd data in your own applications!

Slack Integration

Want hashdd features in the comfort of your own channel? Add the hashdd slash command for quick lookups. Registered users with third party API keys defined also see results from those integrations!

Query the API

The API provides an easy way to interact with hashdd. Some API access requires a key, but don't worry, keys are free! Just click Sign In to get one!

Get Entries from an Indicator

You can search which feeds and entries are associated with a given hash, domain, IP or URL. This endpoint doesn't require a key, but is rate limited.

curl https://api.hashdd.com/f/google.com

{"google.com": {"feeds": [{"feed_id": "1346972c-c129-4700-aba4-4f93db0dd91c", "entry": "http://79[.]docs[.]google[.]com/ http://www.phishtank.com/phish_detail.php?phish_id=3496687 #phishing", "feed_user": "hashdd", "feed_name": "phishtank", "timestamp": 1537736997000.0}], "result": "SUCCESS", "tags": ["phishing"]}, "result": "SUCCESS"}

Get Entries from a Feed

You can pull entries for any feed via the /e/<user>/<feed>/get endpoint. In this example hashdd is the user, testfeed is the feed. This returns the last 100 entries. Requires API Key.

curl -d 'api_key=YOUR_API_KEY' https://api.hashdd.com/e/hashdd/testfeed/get

{"result": "SUCCESS", "entries": [{"username": "hashdd", "user_id": "855202e0-2ef4-4521-a256-c13d4e9abed6", "feedname": "testfeed", "timestamp": "1539040996", "raw": "https://xn--security2018-qpa[.]weebly[.]com/ http://www.phishtank.com/phish_detail.php?phish_id=5809247 #phishing", "gravatar_hash": "8da9e1bee957d2ebc8c63a3199fdfb71", "feed_id": "9853cbcd-7d2f-4338-a8ac-6f92384948e1", "entry_id": "08416727-82ba-481f-991e-7230a0150ab9"}]}

Posting observables to a feed

Share new observables via the /e/<user>/<feed> endpoint. In this example hashdd is the user, testfeed is the feed. Defanged URLs, IPs, and domains are processed as indicators, leading carets (^) designate evidence, # designate tags, fanged URLs are references, and -- are for comments.

import requests

entry = 'http://buithiyennhi[.]com:80/smt/loki/fre.php ^8e3951897bf8371e6010e3254b99e86d #lokibot -- C2 for lokibot'

requests.post('https://api.hashdd.com/e/hashdd/testfeed', data={ 'entry': entry, 'api_key': 'YOUR_API_KEY' } ).json()

{u'message': u'Entry Added', u'result': u'SUCCESS'}
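
The entry format described above can be checked locally before posting. The parser below is an added example, not hashdd's or pyhashdd's own code; the tokenization rules (whitespace-separated tokens, '[.]' as the only defang marker, a bare '--' starting the comment) and the function names are assumptions.

```python
import ipaddress
import re

FANGED_URL = re.compile(r"^https?://", re.I)

def indicator_kind(token):
    """Classify a defanged token as 'url', 'ip' or 'domain'."""
    refanged = token.replace("[.]", ".")  # in memory only, for classification
    if "://" in refanged:
        return "url"
    try:
        ipaddress.ip_address(refanged)
        return "ip"
    except ValueError:
        return "domain"

def parse_entry(entry):
    """Split one feed entry into the fields described above.

    Assumptions (not hashdd's documented grammar): tokens are separated by
    whitespace, '[.]' is the only defang marker, and a bare '--' token starts
    a comment that runs to the end of the entry.
    """
    parsed = {"indicators": [], "evidence": [], "tags": [],
              "references": [], "comment": "", "other": []}
    tokens = entry.split()
    for i, tok in enumerate(tokens):
        if tok == "--":
            parsed["comment"] = " ".join(tokens[i + 1:])
            break
        if tok.startswith("^") and len(tok) > 1:
            parsed["evidence"].append(tok[1:])
        elif tok.startswith("#") and len(tok) > 1:
            parsed["tags"].append(tok[1:])
        elif "[.]" in tok:
            parsed["indicators"].append((indicator_kind(tok), tok))
        elif FANGED_URL.match(tok):
            parsed["references"].append(tok)
        else:
            parsed["other"].append(tok)  # unclassified: review before posting
    return parsed

if __name__ == "__main__":
    # First entry is the one posted in the example above; second is constructed.
    for sample in (
        "http://buithiyennhi[.]com:80/smt/loki/fre.php "
        "^8e3951897bf8371e6010e3254b99e86d #lokibot -- C2 for lokibot",
        "192[.]0[.]2[.]10 example[.]org http://example.com/report #test",
    ):
        print(parse_entry(sample))
```

A URL that was not defanged lands in references rather than indicators, so checking the parsed fields before posting catches an observable that would otherwise be recorded as a citation.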

Hash status lookup with curl

By default, hashdd will return the status of a given hash.

curl -d 'hash=838DE99E82C5B9753BAC96D82C1A8DCB' https://api.hashdd.com/

{"838DE99E82C5B9753BAC96D82C1A8DCB": {"known_level": "Good", "result": "SUCCESS"}, "result": "SUCCESS"}

NSRL RDS lookup with curl

To look up only NSRL RDS hashes, query /nsrl.

curl -d 'hash=838DE99E82C5B9753BAC96D82C1A8DCB' https://api.hashdd.com/nsrl

{"838DE99E82C5B9753BAC96D82C1A8DCB": {"data": {"hashes": {"crc32": "FA710E86", "sha256": "C58728794FD9D114556F8ED7BE0CD55EB99CA9F8CF65FC87F0F187536F1B23AA", "sha512": "", "md5": "838DE99E82C5B9753BAC96D82C1A8DCB", "sha1": "00085A2444A9DE0D5735580E6CE1C00567858453"}, "fileinfo": {"opsystemversion": "none", "name": "servdeps.dll", "language": "English", "opsystemmfg": "Unknown", "opsystemname": "TBD", "productmfg": "Microsoft", "productname": "MSDN Disc 1847/1848", "applicationtype": "MSDN Library", "size": 53248, "productversion": "November 2002"}, "general": {"importdate": "None", "nsrl_version": ""} }, "result": "SUCCESS"} }

Detail lookup with Python

To get full detail on a hash, including NSRL, query /detail.

import requests

resp = requests.post('https://api.hashdd.com/detail', data={ 'hash': '838DE99E82C5B9753BAC96D82C1A8DCB', 'api_key': 'YOUR_API_KEY' })

print(resp.text)