threat_intel_by_hash
Query VirusTotal for threat intelligence on a file hash. Get detection results from 70+ antivirus engines, file metadata, and behavioral analysis to validate suspicious files or enrich IOCs.
Instructions
Get threat intelligence for a file hash from VirusTotal/Google Threat Intelligence.
This tool queries VirusTotal's database to retrieve comprehensive threat intelligence about a file based on its cryptographic hash. The hash can be in MD5, SHA1, or SHA256 format.
What this tool provides:
- Malware detection results from 70+ antivirus engines
- File metadata (size, type, names, creation dates)
- Behavioral analysis results
- YARA rule matches
- Crowdsourced threat intelligence
- Relationships with other files, URLs, domains, and IPs
- Community comments and votes
- Signature information (digital signatures, if present)
Common Use Cases:
- Incident response: Validate if a suspicious file is malicious
- Threat hunting: Research known malware samples
- Malware analysis: Get context about a file before deeper investigation
- IOC enrichment: Add threat intelligence to indicators of compromise
Args:
- hash_value: File hash in MD5, SHA1, or SHA256 format (case-insensitive).

Returns: JSON string containing comprehensive threat intelligence data including:
- Detection statistics (e.g., 45/70 engines detected as malicious)
- File attributes and metadata
- Last analysis date and statistics
- Community reputation score
- Related threat intelligence
- MITRE ATT&CK techniques (if applicable)

Examples:
- MD5: "44d88612fea8a8f36de82e1278abb02f"
- SHA1: "3395856ce81f2b7382dee72602f798b642f14140"
- SHA256: "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

Notes:
- Requires a valid VirusTotal API key (PURPLEMCP_VT_API_KEY environment variable)
- Results are cached by VirusTotal and may not reflect real-time scans
- File must have been previously submitted to VirusTotal to have results
- Private API keys have higher rate limits and additional features

Not Found Response: When a hash is not found, returns a JSON response with this structure:

```json
{
  "found": false,
  "resource": "hash_value",
  "resource_type": "file",
  "message": "File hash 'hash_value' was not found in VirusTotal's database..."
}
```

Raises:
- ThreatIntelligenceClientError: If there's an error communicating with the API (not for not-found cases).
- RuntimeError: If the API key is not configured.
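As an added example (not part of the tool's own code), the pre-flight check and response handling a caller would want around this tool: `classify_hash` enforces the accepted digest formats locally before any API call, and `summarize` separates the documented not-found structure from a found result. It assumes a found result carries VirusTotal v3-style `last_analysis_stats` counters and uses a constructed detection threshold; both are assumptions, not something the page specifies.

```python
import json
import re

# Accepted digest formats, keyed by hex length (MD5, SHA1, SHA256).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Constructed triage policy (not from the page): engines flagging the file
# as malicious before the verdict becomes "malicious" rather than "suspicious".
MALICIOUS_THRESHOLD = 5


def classify_hash(value: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' for a well-formed hex digest.

    The tool is case-insensitive, so the value is stripped and lower-cased.
    Anything else raises ValueError: a malformed IOC is rejected locally
    instead of spending an API call (and a rate-limit slot) on it.
    """
    digest = value.strip().lower()
    if len(digest) not in HASH_LENGTHS or not HEX_RE.match(digest):
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return HASH_LENGTHS[len(digest)]


def summarize(result_json: str) -> dict:
    """Reduce the tool's JSON string to a verdict dict for a triage note.

    The documented not-found shape ({"found": false, ...}) is data, not an
    error (errors surface as exceptions), so it is handled explicitly.
    Assumption: a found result carries VirusTotal v3-style
    last_analysis_stats counters (malicious/suspicious/undetected/harmless).
    """
    data = json.loads(result_json)
    if data.get("found") is False:
        return {"status": "not_found", "resource": data.get("resource")}
    stats = data["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    if malicious >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    else:
        verdict = "suspicious" if malicious else "clean"
    return {"status": "found", "detections": f"{malicious}/{total}", "verdict": verdict}


# Constructed sample responses (not captured from VirusTotal); the all-zero
# hash is a placeholder, not a real sample.
NOT_FOUND_JSON = json.dumps({"found": False, "resource": "0" * 32, "resource_type": "file",
                             "message": "File hash '000...' was not found in VirusTotal's database..."})
FOUND_JSON = json.dumps({"last_analysis_stats": {"malicious": 45, "suspicious": 0,
                                                 "undetected": 25, "harmless": 0}})
```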
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| hash_value | Yes | File hash in MD5, SHA1, or SHA256 format (case-insensitive) | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes | JSON string containing the threat intelligence data described above, or the not-found structure when the hash is unknown to VirusTotal | |