ethical.blue Magazine

// Cybersecurity clarified.

Calculate Malware Sample Hash with PowerShell

2022-04-13   Dawid Farbaniec

The Idea of Hashing Malware Samples

A hash function produces a fixed-size value from the provided malware sample data (file). Security analysts can use such functions to easily compare whether samples of a given malware are the same. Thanks to this, it is possible to check whether someone has already analyzed a given sample. The simplest example is copy-pasting the hash value into a search engine like Google or Bing (or DuckDuckGo) and looking for existing reports about the selected malware sample. Notice the very simple definition to remember if someone asks us about hash functions: the smallest change of any byte value in the malware sample causes a big change in the calculated hash value.

hashcalc.ps1 (PowerShell Script)

# Path of the sample to hash.
$filepath = "C:\Users\x\Desktop\sample.bin";

# Get-FileHash returns an object; Select -ExpandProperty keeps only the hex digest string.
$md5 = Get-FileHash $filepath -Algorithm MD5 | Select -ExpandProperty "Hash";
$sha1 = Get-FileHash $filepath -Algorithm SHA1 | Select -ExpandProperty "Hash";
$sha256 = Get-FileHash $filepath -Algorithm SHA256 | Select -ExpandProperty "Hash";
$sha384 = Get-FileHash $filepath -Algorithm SHA384 | Select -ExpandProperty "Hash";
$sha512 = Get-FileHash $filepath -Algorithm SHA512 | Select -ExpandProperty "Hash";
$filename = [System.IO.Path]::GetFileName($filepath);
Write-Host "Calculating hashes... ($filename)";
# Modern SHA-2 family digests first.
Write-Host "SHA-256:";
Write-Host "$sha256";
Write-Host "SHA-384:";
Write-Host "$sha384";
Write-Host "SHA-512:";
Write-Host "$sha512";
# MD5 and SHA-1 are still printed because many older reports and databases index samples by them.
Write-Host "Calculating deprecated hashes...";
Write-Host "MD5:";
Write-Host "$md5";
Write-Host "SHA-1:";
Write-Host "$sha1";
Write-Host "The algorithms MD5 and SHA-1 are no longer considered secure. These algorithms should only be used for simple modification checks and should not be used to create hash values used for tampering checks.";
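
The script above hashes a single file. The following function is an added example (not part of the original article) that applies the same Get-FileHash calls to a whole folder of samples, marks files that share a SHA-256 as the same sample, and checks each hash against a local text file of already-analyzed SHA-256 values; the folder path and the known-hash file are assumptions.

```powershell
# Added example: hash every file in a folder, flag duplicate samples,
# and look each SHA-256 up in a local list of already-analyzed hashes.
function Get-SampleHashReport {
    param(
        [Parameter(Mandatory)][string]$SampleDir,   # folder of samples (assumed path)
        [string]$KnownHashFile                      # optional: one SHA-256 per line (assumed file)
    )

    # Load known hashes into a set; Get-FileHash returns uppercase hex, so normalise to that.
    $known = New-Object 'System.Collections.Generic.HashSet[string]'
    if ($KnownHashFile -and (Test-Path $KnownHashFile)) {
        Get-Content $KnownHashFile | ForEach-Object {
            [void]$known.Add($_.Trim().ToUpperInvariant())
        }
    }

    # One row per file with the digests most commonly used in reports.
    $rows = Get-ChildItem -Path $SampleDir -File | ForEach-Object {
        $sha256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Name            = $_.Name
            SizeBytes       = $_.Length
            SHA256          = $sha256
            SHA1            = (Get-FileHash $_.FullName -Algorithm SHA1).Hash
            MD5             = (Get-FileHash $_.FullName -Algorithm MD5).Hash
            AlreadyAnalyzed = $known.Contains($sha256)
        }
    }

    # Files with an identical SHA-256 are the same sample regardless of file name.
    $dupes = $rows | Group-Object SHA256 | Where-Object Count -gt 1 | ForEach-Object { $_.Name }
    $rows | ForEach-Object {
        $_ | Add-Member -NotePropertyName Duplicate `
                        -NotePropertyValue ($dupes -contains $_.SHA256) -PassThru
    }
}

# Usage (assumed paths):
# Get-SampleHashReport -SampleDir 'C:\samples' -KnownHashFile 'C:\samples\known-sha256.txt' |
#     Format-Table -AutoSize
# Get-SampleHashReport -SampleDir 'C:\samples' | Export-Csv 'C:\samples\hashes.csv' -NoTypeInformation
```

Samples that are not flagged as AlreadyAnalyzed are the ones worth searching for by hash in public reports, as described above.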

Enable Running PowerShell Script

When trying to execute the hash calculator script, one can encounter the following error:
PS C:\Users\iamda> C:\Users\iamda\Desktop\hashcalc.ps1

C:\Users\iamda\Desktop\hashcalc.ps1 : File C:\Users\iamda\Desktop\hashcalc.ps1 cannot be loaded because running scripts
is disabled on this system. For more information, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?Link
ID=135170.
At line:1 char:1
+ C:\Users\iamda\Desktop\hashcalc.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess

One can enable running the script for a single invocation using:
powershell -ExecutionPolicy Bypass -File C:\Users\iamda\Desktop\hashcalc.ps1

Notice that bypassing the execution policy for a single script invocation is more secure than changing it globally.

Successful execution looks like this:
Calculating hashes...

SHA-256:
59DDCD5E4973B1139688B4596BB822E5C45615DDFF7A81B2096D72F13CFE716F
SHA-384:
12918DB32C8BD015666C49104813C321653CF4B194B16A9A092D6E2E010741A223D0E76746CE836E0FA80FC7F9598CDD
SHA-512:
EFBA2CAED23811875FB420AA1E60AFC2D4E828C991140B461194A7EFCDC55369421E869053323499E1DA9FAF99052E3D0389958CDB240B6AD70723BD7B42FC08
Calculating deprecated hashes...
MD5:
89ADE3F73E7C74D70C9FAC0807E43620
SHA-1:
0B7AE236BF066D8B0E696A5EB51C7448A7CEAD85
The algorithms MD5 and SHA-1 are no longer considered secure. These algorithms should only be used for simple modification checks and should not be used to create hash values used for tampering checks.



Summary

When deciding which hash calculator to use in the future, keep in mind that the checksum can be calculated with PowerShell, which is built into the Windows operating system.

Bibliography

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash [access: 2022-04-13]