Home/Tools/Security/File Hash Checker & Malware Hash Lookup

File Hash Checker & Malware Hash Lookup

Drag in a file to hash it locally (SHA-256/SHA-1, nothing uploaded), or paste MD5/SHA-1/SHA-256 hashes — single or in bulk — and check them against known malware with VirusTotal & MalwareBazaar deep-links.

Loading File Hash Checker & Malware Hash Lookup...

Mode

Hash Value

Loading interactive tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

Suspicious Files on Your Network?

Our incident response team investigates malware, performs forensic analysis, and contains threats.

Learn About 24/7 Detection & Response Explore Penetration Testing

File Hash Checker & Malicious Hash Lookup

This tool answers two questions fast: what is this file's hash, and is that hash known malware?

Drag in a file and it is hashed entirely in your browser with the Web Crypto API — SHA-256 (recommended) or SHA-1. The file's bytes never leave your device; nothing is uploaded to or logged by our servers. The computed hash is then checked automatically.
Paste a hash (MD5, SHA-1, or SHA-256) to look it up directly, or paste many hashes for a bulk check — results are tabulated with a per-hash malware verdict and exportable to CSV, JSON, or TXT.
Every result links out to the public VirusTotal file page and MalwareBazaar (abuse.ch) so you can confirm against 70+ antivirus engines and a live malware corpus.

What a Hash Check Tells You

A cryptographic hash is a fixed-length fingerprint of a file. Change one bit and the hash changes completely, so a hash is a reliable file identifier. Checking that fingerprint against malware databases lets you classify a file as known malicious without ever executing it — the core of malware triage and incident response.

Algorithm	Length	In-browser file hashing	Notes
MD5	32 hex chars	Not available	Legacy; still common in older malware feeds. Paste-lookup supported.
SHA-1	40 hex chars	Yes	Deprecated for signing, still used as a file identifier.
SHA-256	64 hex chars	Yes (recommended)	Current standard; what most threat feeds key on.

Why no in-browser MD5? The Web Crypto API (crypto.subtle.digest) deliberately omits MD5. For file hashing we use SHA-256 or SHA-1; you can still paste an MD5 hash to look it up.

How to Use It

Check a file: open the File Hash Check tab, drop a file (or click to browse). It hashes locally and looks the hash up automatically.
Check one hash: paste it in the Single Hash Lookup tab — the type (MD5/SHA-1/SHA-256) is detected automatically.
Check many at once: paste up to 100 hashes, one per line, in the Batch Lookup tab and export the results table.
Confirm the verdict: click the VirusTotal or MalwareBazaar link on any result for an authoritative, multi-source reputation.

A "Clean" Result Is Not a Guarantee

Hash lookup finds exact matches only. A "clean" / "not found" result means the hash is not in our local known-malware list — it does not prove the file is safe. Zero-day, polymorphic, and packed malware change their hash with every build and will not match. Always confirm uncertain files on VirusTotal/MalwareBazaar, and use behavioral analysis for anything suspicious.

Privacy

File hashing and hash detection run 100% client-side. Files are read into memory in your browser, hashed with Web Crypto, and discarded — they are never uploaded. Hash lookups are matched locally; only when you click an external link does a hash leave the page, and only to the reputation service you chose.

References & Citations

Troy Hunt. (2024). Pwned Passwords. Have I Been Pwned. Retrieved from https://haveibeenpwned.com/Passwords (accessed January 2025)
Google. (2024). VirusTotal. Retrieved from https://www.virustotal.com/ (accessed January 2025)
NIST. (2024). National Software Reference Library (NSRL). Retrieved from https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl (accessed January 2025)

Note: These citations are provided for informational and educational purposes. Always verify information with the original sources and consult with qualified professionals for specific advice related to your situation.

Frequently Asked Questions

Common questions about the File Hash Checker & Malware Hash Lookup

Open the File Hash Check tab and drag a file in (or click to browse). The file is hashed entirely in your browser with the Web Crypto API — SHA-256 by default, or SHA-1 — and the resulting hash is automatically looked up against known malware. The file itself is never uploaded.

Yes. Hashing uses the browser's built-in Web Crypto API (crypto.subtle.digest). The file is read into memory locally, hashed, and discarded. Its bytes are never sent to our servers and nothing is logged. You can verify this in your browser's network tab — there is no upload request.

Paste a hash (MD5, SHA-1, or SHA-256) or hash a file, and the tool checks it against a curated known-malware list and shows a clear verdict. For an authoritative answer, click the VirusTotal or MalwareBazaar (abuse.ch) link on the result to see detections from 70+ antivirus engines and a live malware corpus.

Yes. Use the Batch Lookup tab to paste up to 100 hashes, one per line. Each is checked and the results are shown in a sortable table you can export to CSV, JSON, or TXT — useful for triaging IOCs from an incident or a threat feed.

The Web Crypto API intentionally does not support MD5, so in-browser file hashing is offered for SHA-256 (recommended) and SHA-1. MD5 is still fine for pasting an existing MD5 hash to look it up — many older malware feeds key on MD5.

Use SHA-256. It is the current standard and what most threat-intelligence feeds key on. MD5 and SHA-1 are still found in older databases and are supported for lookup, but both have known collision weaknesses and should not be relied on for new work.

No. Hash lookup matches exact, previously-seen hashes only. A not-found result means the hash is not in our known-malware list — it is not proof of safety. New, polymorphic, or packed malware produces a fresh hash each time and will not match. Confirm uncertain files on VirusTotal/MalwareBazaar and use behavioral analysis when in doubt.

No. The tool does not call the VirusTotal API. Reputation is checked against a local known-malware list, and each result includes a deep-link that opens VirusTotal's and MalwareBazaar's public results pages for that hash — a fast, no-account way to get an authoritative multi-engine verdict.

Yes. A single-hash or file-hash result updates the page URL with the hash (for example ?hash=…), so you can copy the link and share it. Opening that link re-runs the lookup automatically.

Yes. Computing a file's hash and checking it against malware databases is a standard, legitimate security practice used in malware triage, incident response, and threat hunting. The tool only fingerprints files you provide and never accesses file contents beyond computing the hash.

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.