Multi-similarity searches
On the results page of an intelligence search, you can click on this icon in a given search result's sample row to search for samples similar to the one under consideration, using multiple factors.
After clicking, multiple tabs will open with the following searches:
- similar-to: Files that are structurally similar to the one provided, as described in this article.
- imphash: Portable Executables with the given import hash. This can be used to identify samples belonging to the same family.
- main_icon_dhash: Files with a visually similar icon or thumbnail. This is obviously very useful for locating malware that tries to impersonate certain brands (e.g. banks), for spotting evil at a glance (e.g. executables with a PDF icon) and to immediately see that a similarity search is indeed grouping things that truly have things in common. Moreover, it is a great way to cluster together malware variants belonging to similar campaigns.
- ssdeep: Files that are similar to the one having the ssdeep hash provided.
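
To illustrate why the imphash search groups samples from the same family, here is an added example (not VirusTotal's code) that computes an import hash the way the widely used pefile convention does and clusters samples by it. It assumes every import is by name; the import tables and sample names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Extensions stripped from library names before hashing (pefile convention).
_STRIP_EXTS = ("dll", "ocx", "sys")


def imphash(imports):
    """Import hash of an ordered list of (library, function) pairs.

    Assumption: all imports are by name; ordinal-only imports are not handled.
    """
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        stem, _, ext = lib.rpartition(".")
        if stem and ext in _STRIP_EXTS:
            lib = stem
        parts.append(f"{lib}.{func.lower()}")
    # MD5 over the comma-joined, lowercased "library.function" list, in order.
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def cluster_by_imphash(samples):
    """Group sample names by import hash: {imphash: [names]}."""
    clusters = defaultdict(list)
    for name, imports in samples.items():
        clusters[imphash(imports)].append(name)
    return dict(clusters)


# Constructed import tables (not taken from real samples).
SAMPLES = {
    "sample_a": [("KERNEL32.dll", "CreateFileW"), ("KERNEL32.dll", "WriteFile"),
                 ("WS2_32.dll", "connect")],
    # Same import table with different casing: hashes identically.
    "sample_b": [("kernel32.DLL", "CreateFileW"), ("kernel32.DLL", "WriteFile"),
                 ("ws2_32.dll", "connect")],
    # Same functions in a different order: the hash changes.
    "sample_c": [("WS2_32.dll", "connect"), ("KERNEL32.dll", "CreateFileW"),
                 ("KERNEL32.dll", "WriteFile")],
}

if __name__ == "__main__":
    for h, names in cluster_by_imphash(SAMPLES).items():
        print(f"imphash:{h}  ->  {names}")
```

Because the hash depends on import order as well as content, samples built from the same code base with the same toolchain tend to share it, while a reordered or altered import table falls into a different cluster.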