Imphash usage in Malware Analysis – Categorizing Malware

How can imphash usage help the Malware Analysis and what is it

Imphash usage can be categorized as part of Static Malware Analysis. “Imphash” stands for “import hash”. It was implemented by FireEye into the “pefile” python module. This hash is calculated for all the library DLLs that are used in PE executable and also its import functions usage in that executable. The hash can change from different order of the import functions. This is good to help us track down an adversary and tell that all the executables that were compiled / used by them are related.

For example, an adversary can deploy 3 different executables (different file hash), but all of them will have same import functions and DLLs. In this case the “imphash” of all the executables will be the same. Off course if the order of the import functions in the PE executable will change, the hash will change also.

How imphash is working

The “imphash” is calculated from the Import Address Table (IAT) that the compiler linker is building, which is based on a specific order of the import functions. FileEye explains imphash in more details, showing examples. In these examples they change the order of the python functions that implement the import functions and compile the PE executable. Checking the “imphash” results in different values.
In addition, they compiled the executable twice with different order of the files that use the import functions.
First compile was in the order of “1.c and 2.c” and the second compile was in the order of “2.c and 1.c”. The Import Address Table order changed, which means also the “imphash” value changed.

Some tools are compiled with the same packer, so it can be that different tools will have the same “imphash”, since the same packer will have the same import hash value. It doesn’t mean that all the PE executables were compiled by the same adversary, but it can help categorize the executables to one family.

Off course “imphash” isn’t a lifesaver, but could add some entry point on analyzing a threat to an enterprise, since it is easy to use. “Imphash” is part of the “pefile.py” module. This module can parse Portable Executable (PE) files. PE headers always include valuable data.

Installing pefile python module

How to install the “pefile” module for python:
1. The pefile works with python3, so you can download and install python3
2. You can install “pefile” module using “pip” that comes with python. Run in CMD:

pip3 install pefile

*** You can also Download the package from pefile GitHub page
Click on [Clone or Download] then [Download ZIP] and extract the archive.

Imphash usage

How to use the “imphash” function of the “pefile.py” module since it is already imported to the python’s libraries:
1. Run python
2. Execute the lines:

import pefilepe = pefile.PE("YourFile.exe")pe.get_imphash()

More examples can be found on the pefile Usage Examples page.

1 thought on “Imphash usage in Malware Analysis – Categorizing Malware”

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.