Keypoints
- New release: hashr v2.0.1 published by CERT-AGID.
- Detects malicious files by computing and comparing file hashes against known fingerprint lists.
- Free, open-source distribution under the EUPL license and available for download.
- Supports custom search lists and direct use of CERT-AGID’s IoC feed for accredited Public Administrations.
- CERT-AGID’s IoC feed provides real-time IP addresses, URLs, and file hashes observed in campaigns.
- Useful for forensic investigations, file integrity verification, and scanning large filesystems.
- Enables quicker identification of compromised files and integration into incident-response workflows.
MITRE Techniques
- [T1203] Indicator of Compromise – Utilizes known malicious file hashes to identify compromised files. (‘comparing the hash values of found files with a list of known hash fingerprints.’)
- [T1040] Malware Analysis – Derives IoCs from analyzed campaigns to populate detection feeds. (‘hashes derived from recorded malicious campaigns that impact the Italian territory.’)
- [T1070] File Integrity Monitoring – Monitors file integrity by scanning and comparing current file hashes against known-good or malicious hashes. (‘searching files with hashes related to known malicious campaigns or APTs analyzed by CERT-AGID, enabling quick identification of compromised files.’)
Indicators of Compromise
- [IP addresses] IoC feed context – Article states the feed includes IP addresses used for fraudulent activities; no specific IP addresses are listed in the article.
- [URLs/domains] IoC feed context – The feed lists URLs of malicious sites and phishing destinations; the article does not provide explicit example domains.
- [File hashes] Detection context – The tool and feed use file hashes to detect compromises; the article references hashes of harmful files but does not list concrete hash values.
hashr v2.0.1 is a filesystem scanning utility that computes cryptographic hashes of discovered files and compares them against a reference set of known fingerprints to flag matches. It is distributed as free, open-source software under the EUPL license and can be run with user-supplied hash lists or with CERT-AGID's centralized IoC feed. The core procedure is straightforward: traverse the target directories, compute a hash of each file (e.g., SHA-256), and check that hash against the configured blocklist or IoC list.
For accredited Public Administrations, CERT-AGID provides a real-time IoC feed containing IP addresses, malicious URLs, and file hashes observed during monitoring. Administrations can register to receive the feed and import its lists into hashr (the feed is published in a simple list format suitable for automated ingestion), allowing hashr to search targets for hashes derived from campaigns and known APT activity.
Operational use cases include large-scale integrity scans, forensic triage, and incident response automation: run hashr across filesystems to quickly identify files whose hashes match IoCs, use custom lists for internal baselines, and incorporate results into investigation workflows to prioritize remediation. The combination of local hashing and a live IoC feed accelerates detection of compromised files without requiring complex signature engines.
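The three paragraphs above describe one workflow: load a one-hash-per-line list (the feed format), walk a filesystem, hash each file, and report matches for triage. The following Python script is an added illustration of that workflow and is not hashr's own code or CERT-AGID's feed parser. It goes slightly beyond the text by accepting md5, sha1 and sha256 entries in the same list (classified by digest length) and by recording unreadable files instead of aborting the scan. The sample files and the feed content are constructed inside the script so it runs offline; none of the digests are real indicators.

```python
"""Minimal hashr-style scanner: walk a directory tree, hash every regular
file, and report files whose digest appears in a known-bad list.
Added example; not the hashr project's own code."""
import hashlib
import os
import tempfile
from pathlib import Path

# Digest length (hex chars) -> hashlib algorithm name. A feed line is
# classified by its length so md5/sha1/sha256 entries can share one list.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}
CHUNK = 1 << 20  # read files in 1 MiB chunks so large files never load whole


def load_hash_list(text):
    """Parse a one-hash-per-line list (blank lines and '#' comments ignored).
    Returns {algorithm: set(lowercase hex digests)}; malformed lines are skipped."""
    known = {name: set() for name in ALGO_BY_HEXLEN.values()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        algo = ALGO_BY_HEXLEN.get(len(line))
        if algo is None or any(c not in "0123456789abcdef" for c in line):
            continue  # not a hex digest of a supported length
        known[algo].add(line)
    return known


def hash_file(path, algos):
    """Compute the requested digests of one file in a single streaming pass."""
    hashers = {name: hashlib.new(name) for name in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, known):
    """Walk root, hash each regular file, and return (matches, errors):
    matches is a list of (path, algorithm, digest); errors lists files that
    could not be read, so one permission problem does not stop the scan."""
    algos = [name for name, digests in known.items() if digests]
    matches, errors = [], []
    for dirpath, _dirnames, filenames in os.walk(root):  # does not follow dir symlinks
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip file symlinks and special files
            try:
                digests = hash_file(path, algos)
            except OSError as exc:
                errors.append((path, str(exc)))
                continue
            for algo, digest in digests.items():
                if digest in known[algo]:
                    matches.append((path, algo, digest))
    return matches, errors


# Constructed sample data (not real malware or real IoCs).
BAD_PAYLOAD = b"MZ-constructed-sample-payload\n"
OTHER_BAD = b"#!/bin/sh\necho constructed stand-in\n"


def build_demo_tree():
    """Create a temporary tree: one sha256-listed file, one md5-listed file,
    one benign file. Returns the root path."""
    root = tempfile.mkdtemp(prefix="hashr-demo-")
    Path(root, "bin").mkdir()
    Path(root, "bin", "update.exe").write_bytes(BAD_PAYLOAD)
    Path(root, "tmp.sh").write_bytes(OTHER_BAD)
    Path(root, "readme.txt").write_bytes(b"benign constructed content\n")
    return root


def demo_feed():
    """A constructed list in one-hash-per-line format, mixing algorithms."""
    return "\n".join([
        "# constructed IoC list, not a real CERT-AGID feed",
        hashlib.sha256(BAD_PAYLOAD).hexdigest(),
        hashlib.md5(OTHER_BAD).hexdigest().upper(),  # lists may be upper-case
        "not-a-hash-line",
        "",
    ])


def run_demo():
    """Scan the constructed tree; return ({relative path: algorithm}, errors)."""
    root = build_demo_tree()
    matches, errors = scan_tree(root, load_hash_list(demo_feed()))
    found = {Path(p).relative_to(root).as_posix(): algo for p, algo, _ in matches}
    return found, errors


if __name__ == "__main__":
    found, errs = run_demo()
    for rel, algo in sorted(found.items()):
        print(f"MATCH {algo:6} {rel}")
    for p, e in errs:
        print(f"ERROR {p}: {e}")
```

Hashing every file once for all algorithms present in the list keeps the scan to a single read per file, which matters on large filesystems; errors are returned alongside matches so an investigator can see which paths were not covered by the scan.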
Read more: https://cert-agid.gov.it/news/rilasciata-una-nuova-versione-del-tool-hashr/