VirusShare-related archives

This directory contains VirusShare-related database archives.


WARNING: After you register VirusShare, you will be exposed to real malware samples. YOU HAVE BEEN WARNED.

This directory does not include malware itself. Use VirusShare to find and download malware samples.

The purpose of these archives is to provide robust way to find and understand malware files. To achieve this, I am making full metadata corpus based on VirusShare malware samples.



2017-07-10: fast clustering tool is now available!

Thanks to bit-parallel processing of ssdeep digests, my in-house tool is now about 20 times faster. I can now deliver you cluster lists much faster and I could resume distributing cluster list with threshold value 79 (distributed as version 1.0 but suspended updates on 2014 because of different threshold value in version 1.1 and huge computation resource required).

Also, my in-house tool fast-ssdeep-clus is now open-sourced.

2015-09-20: exiftool JSON files were corrupted

Most of exiftool JSON files in version 5 revision 1 were corrupted because my internal tool has a bug when exiftool encounters an error.

New revision, revision 2 files are now OK to use.

2015-08-07: SHA-3 is now finalized!

NIST has finally announced FIPS PUB 202 (SHA-3). I confirmed that the final version is unchanged from one in draft (as of May 2014) and you can use draft SHA-3 hashes in my database as final SHA-3 hashes.

2014-11-13: Archive SHA-1 lists are available!

I released list of SHA-1 hashes of all VirusShare archive files. I hope this is useful when you are verifying archive files you downloaded. You can use .torrent files to verify the file piece-by-piece. I don't explain details here (and now) but this is possible.

2014-10-15: ssdeep bug before 2.11

There was a bug which may generate wrong hash values before ssdeep 2.11. As a result of full disk scan, I confirmed no files are affected by this issue.

2014-07-21: Revisions of SHA-3 draft

2014-04 revision of SHA-3 draft had some issues in text explaining algorithm and will not compute correct hashes if we use the program LITERALLY conforms this revision of SHA-3 draft. These issues are fixed in 2014-05 revision of SHA-3 draft.

spongeshaker claimed it conforms 2014-04 revision of SHA-3 draft but actually, it ignores portions of wrong parts of SHA-3 draft (because they were clear as errors). As a result, spongeshaker computes hashes of 2014-05 revision of SHA-3 draft. It means we don't have to fix the SHA-3 draft hashes in version 4 PREVIEW hash lists.

Please note that VirusShare samples may contain copyrighted materials. However, you can use this database (splitted as multiple archives) in any ways. I consider first and last 32-bytes of malwares are not covered by copyright rights because they are mostly uncreative and they don't expose (maybe copyrighted) main contents of samples.

This corpus is created, formatted and managed by Tsukasa OI (who is not a VirusShare administrator) in 2013 through 2017.


For these archives, I may reserve sui generis database right. However, to the extent possible under law, I have dedicated all copyright and related and neighboring rights to these archives to the public domain worldwide. These archives are distributed without any warranty. See <> for details of the public domain dedication (the reason I use CC0 is because we cannot waive moral rights in Japan I live).

VirusShare hashes and file types

These hash and file type lists contain archive hashes information. File signature lists are also included as separate files (or archives). They are too big for single file and separated to multiple archives. All files are generated for each VirusShare's BitTorrent download (except individual "corrupted but fixed" samples). For part 0, it may include BitTorrent archives that are no longer available.

Download (format version 5 - Hashes)

Unlike previous versions, version 5 hashes archive does not include file type information. You will need to download file type lists separately (if you need it).

This version contains following columns in `hashes' file (same as version 4):

  1. Hex of First 32 bytes (including dashes for small files)
  2. Hex of Last 32 bytes (including dashes for small files)
  3. CRC32
  4. Adler-32
  5. MD5
  6. RIPEMD-160
  7. Whirlpool
  8. SHA-1
  9. SHA-224
  10. SHA-256
  11. SHA-384
  12. SHA-512
  13. SHA-512/224
  14. SHA-512/256
  15. SHA3-224
  16. SHA3-256
  17. SHA3-384
  18. SHA3-512
  19. File size
  20. ssdeep
  21. File name

If you see (FINAL) in the last updated column, the archive is the final version. You won't need to redownload those files unless you don't own corresponding version 5 archives or the archives are revised/discarded.

File nameSizeMD5Last UpdatedArchived RangeNotes
vxshare-hashes-000-v5.tar.xz441.2MiB3f23af2fbcf2ffb6dc63baf7670a10432017-04-08OthersLatest archive including hashes from
vxshare-hashes-001-v5.tar.xz408.5MiB4108a997301f370df115c6ca3d901d742015-07-24 (FINAL)00000 - 00004-
vxshare-hashes-002-v5.tar.xz406.3MiB9ad3fd8775a42530535968ca5fee19292015-07-24 (FINAL)00005 - 00009-
vxshare-hashes-003-v5.tar.xz404.2MiB03668adea3b666b3b9e4189372a482002015-07-24 (FINAL)00010 - 00014-
vxshare-hashes-004-v5.tar.xz403.8MiB350bb2ce9d26c351d22ef99a18e3466b2015-07-24 (FINAL)00015 - 00019-
vxshare-hashes-005-v5.tar.xz408.9MiBbf1abb7d23599ceb0fcea293613505bb2015-07-24 (FINAL)00020 - 00024-
vxshare-hashes-006-v5.tar.xz407.4MiB71a24a94e3b2a0ef3aac6a3326d9eb172015-07-24 (FINAL)00025 - 00029-
vxshare-hashes-007-v5.tar.xz409.4MiBc51b1ab794fb82a3f03f16ca951dc8042015-07-24 (FINAL)00030 - 00034-
vxshare-hashes-008-v5.tar.xz410.8MiB536dad1b25bf5160b53ae5cc1cb20a2d2015-07-24 (FINAL)00035 - 00039-
vxshare-hashes-009-v5.tar.xz411.4MiB11afce1490d503b6fedc04b42d32ba652015-07-24 (FINAL)00040 - 00044-
vxshare-hashes-010-v5.tar.xz409.5MiBed34ab752bff5565658df083c820c9442015-07-24 (FINAL)00045 - 00049-
vxshare-hashes-011-v5.tar.xz411.4MiB142f5eef13797baa99cdbb4d7fd50a332015-07-24 (FINAL)00050 - 00054-
vxshare-hashes-012-v5.tar.xz411.9MiB523f37ff591095316b089fa1bf9c61fb2015-07-24 (FINAL)00055 - 00059-
vxshare-hashes-013-v5.tar.xz412.6MiBc5a558fc90b5c798739a79c8a2b95c022015-07-24 (FINAL)00060 - 00064-
vxshare-hashes-014-v5.tar.xz410.3MiB57c2cd8103f4c0633f9b4de401683ccd2015-07-24 (FINAL)00065 - 00069-
vxshare-hashes-015-v5.tar.xz412.0MiB988e155c7b745eb82027e7e553c5af952015-07-24 (FINAL)00070 - 00074-
vxshare-hashes-016-v5.tar.xz410.5MiB317b3b016f115055f0712c3520e19d322015-07-24 (FINAL)00075 - 00079-
vxshare-hashes-017-v5.tar.xz410.8MiBadea5cbbbd2804467849ca4dd279de882015-07-24 (FINAL)00080 - 00084-
vxshare-hashes-018-v5.tar.xz405.6MiB523495b884d7ba597f0f8ae47dbe5c4d2015-07-24 (FINAL)00085 - 00089-
vxshare-hashes-019-v5.tar.xz410.5MiB9100bb7766ce497f47d5f52bb0925ea02015-07-24 (FINAL)00090 - 00094-
vxshare-hashes-020-v5.tar.xz409.5MiB88846ad7759706f9fa9f2da1462a18f02015-07-24 (FINAL)00095 - 00099-
vxshare-hashes-021-v5.tar.xz408.5MiB429664f631f7d3b9c32765568019cc7f2015-07-24 (FINAL)00100 - 00104-
vxshare-hashes-022-v5.tar.xz409.4MiB712a90c8892441a108de9a4d9df9458b2015-07-24 (FINAL)00105 - 00109-
vxshare-hashes-023-v5.tar.xz404.9MiBc8b29629d0f0309db35fcde5e929728e2015-07-24 (FINAL)00110 - 00114-
vxshare-hashes-024-v5.tar.xz405.8MiB979af9a523d2005f5a3d368023c18f0f2015-07-24 (FINAL)00115 - 00119-
vxshare-hashes-025-v5.tar.xz407.5MiBd2daa3e05d1a4adecf30888f2d7cd3172015-07-24 (FINAL)00120 - 00124-
vxshare-hashes-026-v5.tar.xz404.5MiB70876e7c00aac95c97802c4b8642fedf2015-07-24 (FINAL)00125 - 00129-
vxshare-hashes-027-v5.tar.xz403.0MiB3f5cf65cecfac33e5e55a20b98854ee02015-07-24 (FINAL)00130 - 00134-
vxshare-hashes-028-v5.tar.xz398.2MiBae28e92d563a4ba49d50308ce2bb9ff42015-07-24 (FINAL)00135 - 00139-
vxshare-hashes-029-v5.tar.xz401.6MiB104eef5ae868b61dad6fbf03f16c73512015-07-24 (FINAL)00140 - 00144-
vxshare-hashes-030-v5.tar.xz364.5MiB304f485989eff3cb3b023aad208af9542015-07-24 (FINAL)00145 - 00149-
vxshare-hashes-031-v5.tar.xz407.6MiB281b693f79dcae8bda35f52d8d96d4e92015-07-24 (FINAL)00150 - 00159-
vxshare-hashes-032-v5.tar.xz407.8MiBa4e803dec6bb4fb269ea1ff92df40c672015-09-20 (FINAL)00160 - 00169-
vxshare-hashes-033-v5.tar.xz408.5MiB0989143e37f327eb98df81c051f92d202015-10-08 (FINAL)00170 - 00179-
vxshare-hashes-034-v5.tar.xz408.1MiBe9e2a54fef59ec63f2953b131efc98a92015-10-28 (FINAL)00180 - 00189-
vxshare-hashes-035-v5.tar.xz405.4MiB6f7997014317edbfb348a9f22326a9162015-11-30 (FINAL)00190 - 00199-
vxshare-hashes-036-v5.tar.xz404.9MiB3e91d93e49a3c3ac0eba6990927d466b2015-12-28 (FINAL)00200 - 00209-
vxshare-hashes-037-v5.tar.xz400.9MiB24d6bce677204f0168e12d38dfbc7ba92016-02-13 (FINAL)00210 - 00219-
vxshare-hashes-038-v5.tar.xz398.5MiB8fc0d783001d695e88deeb4f8afa02072016-05-02 (FINAL)00220 - 00229-
vxshare-hashes-039-v5.tar.xz402.3MiB3f87342962345cb2c4078e0f4b1d4bdc2016-05-25 (FINAL)00230 - 00239-
vxshare-hashes-040-v5.tar.xz405.7MiBb58a7743b85be36f2bf2d6e452f5d88a2016-06-07 (FINAL)00240 - 00249-
vxshare-hashes-041-v5.tar.xz407.7MiBe5e1bd87956725f15da966f1d4b0ef862016-07-09 (FINAL)00250 - 00259-
vxshare-hashes-042-v5.tar.xz402.7MiB7d57bdd74625354f67da2517ba45ef6b2016-10-19 (FINAL)00260 - 00269-
vxshare-hashes-043-v5.tar.xz395.2MiB76de0d35fc1939d884a7e46493aa83ab2017-03-01 (FINAL)00270 - 00279-
vxshare-hashes-044-v5.tar.xz397.0MiBf2cc0be5bcfd7d4e41d50d838063cba82017-05-09 (FINAL)00280 - 00289-
vxshare-hashes-045-v5.tar.xz237.6MiB484c3f335bbf04f4006821d6de1771332017-07-2600290 - 00295Latest archive including hashes from

Download (format version 5 - File types)

This archive includes file type information (in JSON format) retrieved by following tools (as of revision 2):

These archives do not include hash information. You will need hashes list (if you need).

If you see (FINAL) in the last updated column, the archive is the final version. You won't need to redownload those files unless you don't own corresponding version 5 revision 2 archives or the archives are revised/discarded.

File nameSizeRevisionMD5Last UpdatedArchived RangeNotes
vxshare-filetypes-000-v5.tar.xz29.1MiB2b4dd3a893ca0c3a4bc040e80be2ce3472017-04-08OthersLatest archive including file type signatures from
vxshare-filetypes-001-v5.tar.xz116.0MiB2a1a59d2195489a1e224df56d12e030232015-09-20 (FINAL)00000 - 00019-
vxshare-filetypes-002-v5.tar.xz116.4MiB2a8a9d22a7c943cf3312ba0513f5092422015-09-20 (FINAL)00020 - 00039-
vxshare-filetypes-003-v5.tar.xz121.5MiB2071be7806ed390e0e2043dfcc34101782015-09-20 (FINAL)00040 - 00059-
vxshare-filetypes-004-v5.tar.xz128.1MiB26332194c5484ce020f1f80e6ccad14dc2015-09-20 (FINAL)00060 - 00079-
vxshare-filetypes-005-v5.tar.xz134.2MiB2d21b1f82863f0dd754c4e787449863122015-09-20 (FINAL)00080 - 00099-
vxshare-filetypes-006-v5.tar.xz124.7MiB260dadd8cb3b725c299f1954e200b805a2015-09-20 (FINAL)00100 - 00119-
vxshare-filetypes-007-v5.tar.xz118.1MiB21cd5d5d885113179754473dda8d06ced2015-09-20 (FINAL)00120 - 00139-
vxshare-filetypes-008-v5.tar.xz94.8MiB2ff8ec6d6f0fe9ffef876c65503cf91c22015-09-20 (FINAL)00140 - 00159-
vxshare-filetypes-009-v5.tar.xz115.5MiB21737aa3550e9e8e4bbbe386de94ca6f92015-11-30 (FINAL)00160 - 00199-
vxshare-filetypes-010-v5.tar.xz117.6MiB25162f0bee4fd3dec33ad21f51aa650602016-05-25 (FINAL)00200 - 00239-
vxshare-filetypes-011-v5.tar.xz107.8MiB2393dd0636499d0ba0ae46b49bfe5e3fa2017-03-01 (FINAL)00240 - 00279-
vxshare-filetypes-012-v5.tar.xz47.4MiB24c54c2bf32cdcfdab8ef63da270d30d62017-07-2600280 - 00295Latest archive including file type signatures from

VirusShare clusters (by ssdeep)

This cluster list contains malware clusters based on ssdeep similarity score.

All ssdeep hashes are clustered using parallel ssdeep-compatible in-house tool "fast-ssdeep-clus" which generates the same result as clustering mode on ssdeep 2.13. This will help finding similar files. Available threshold parameters are 49 and 79.

Download (Cluster List; version 1.2)

File nameThresholdSizeMD5Last UpdatedNotes
vxshare-clusters-49.tar.xz49342.2MiBb2d957df748779ea2d9dbf910dba96bf2017-07-26Latest archive including ssdeep hashes from
vxshare-clusters-79.tar.xz79201.3MiB00bdcea75afd1f28cfb2a2819238265c2017-07-26Latest archive including ssdeep hashes from


When generating version 1.1 cluster lists, following hashes were not clustered correctly:

This issue is fixed on version 1.2.

Archive hashes