BinTrust - Known-Good Hash Lookup

BinTrust is HashWatch’s answer to the IR team’s most common triage question:

Has this file ever been seen before by a legitimate source?

It checks submitted hashes against two independent known-good sources and returns an instant classification - no manual research required.


How it works

When you call POST /api/v1/intel/lookup, HashWatch checks each hash against two sources in priority order:

1. HashWatch vendor releases (highest confidence)

These are hashes HashWatch fetches directly from official vendor channels - the same records shown on the public dashboard. They are:

  • Downloaded or verified against the vendor’s published manifest
  • HMAC-signed by HashWatch at ingest time
  • Enriched with vendor name, executable name, version, and platform

A match here means the file is byte-for-byte identical to what the vendor distributed. This is the highest-confidence classification.

2. NSRL/catalog corpus (broad coverage)

The NIST National Software Reference Library (NSRL) is a reference database of file hashes published by the U.S. government. It contains SHA-256, SHA-1, and MD5 values for millions of files from commercial software, operating systems, and open-source projects.

A match here means the file is a known quantity - recognised as part of some software product, but not necessarily the specific vendor binary HashWatch actively monitors.


Classifications

Classification       | Meaning                                                         | Action
known_vendor_release | Matches a HashWatch-verified vendor release                      | High confidence the file is genuine - clear from triage
known_file           | In the NSRL/catalog corpus, but not a HashWatch-tracked release  | Known quantity - may still warrant context depending on what it is
unknown              | Not found in any known-good source                              | Investigate further

Supported hash types

BinTrust accepts any combination of MD5 (32 chars), SHA-1 (40 chars), and SHA-256 (64 chars) in a single request. All values are normalised to lowercase hex before lookup. You do not need to specify the algorithm - the length determines it automatically.


Limits

  • Maximum 100 hashes per request
  • Duplicate hashes in the same request are deduplicated automatically
  • The request body must be valid JSON with a hashes array

Quick example

curl -X POST https://api.hashwatch.us/api/v1/intel/lookup \
  -H "X-API-Key: <team-id>.<secret>" \
  -H "Content-Type: application/json" \
  -d '{
    "hashes": [
      "b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576e9e7c3e07ccb1e83",
      "d41d8cd98f00b204e9800998ecf8427e",
      "aabbccddeeff00112233445566778899aabbccddeeff001122334455"
    ]
  }'

Response:

{
  "results": {
    "b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576e9e7c3e07ccb1e83": {
      "classification": "known_vendor_release",
      "source": "hashwatch_vendor",
      "vendor": "Google LLC",
      "executable_name": "chrome-win64.msi",
      "version": "124.0.6367.82",
      "platform": "windows"
    },
    "d41d8cd98f00b204e9800998ecf8427e": {
      "classification": "known_file",
      "source": "nsrl_minimal",
      "file_name": "empty",
      "product_name": "Windows 10 22H2"
    },
    "aabbccddeeff00112233445566778899aabbccddeeff001122334455": {
      "classification": "unknown"
    }
  }
}
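A client-side helper for preparing lookup batches and acting on the response, added here as an example (not HashWatch's own client): it applies the length rule from "Supported hash types", the dedup and 100-hash limit from "Limits", and maps each classification to the action in the "Classifications" table. Function and constant names are this example's own; only the request and response shape shown above is assumed.

```python
import re
from typing import Iterable, Optional

# Length-to-algorithm mapping documented above; anything else is rejected
# before it reaches the API. Constants and function names are this example's own.
HASH_ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}
MAX_HASHES_PER_REQUEST = 100
HEX_RE = re.compile(r"[0-9a-f]+")

def normalise(value: str) -> Optional[str]:
    """Lowercase hex, or None if the length is not MD5 (32), SHA-1 (40) or SHA-256 (64)."""
    v = value.strip().lower()
    if len(v) in HASH_ALGO_BY_LENGTH and HEX_RE.fullmatch(v):
        return v
    return None

def build_request_bodies(values: Iterable[str]) -> tuple[list[dict], list[str]]:
    """Validate, dedup and chunk hashes to the 100-per-request limit.
    Returns (list of {"hashes": [...]} request bodies, list of rejected inputs)."""
    seen: set[str] = set()
    clean: list[str] = []
    rejected: list[str] = []
    for raw in values:
        h = normalise(raw)
        if h is None:
            rejected.append(raw)
        elif h not in seen:  # the API dedups too; doing it here keeps batches small
            seen.add(h)
            clean.append(h)
    bodies = [{"hashes": clean[i:i + MAX_HASHES_PER_REQUEST]}
              for i in range(0, len(clean), MAX_HASHES_PER_REQUEST)]
    return bodies, rejected

# Action per classification, following the Classifications table above.
ACTION_BY_CLASSIFICATION = {
    "known_vendor_release": "clear",
    "known_file": "review_context",
    "unknown": "investigate",
}

def triage(response: dict) -> dict[str, list[str]]:
    """Bucket the hashes in a lookup response by the action an analyst takes.
    Any classification not in the table is treated as unknown (investigate)."""
    buckets: dict[str, list[str]] = {a: [] for a in ACTION_BY_CLASSIFICATION.values()}
    for h, result in response.get("results", {}).items():
        action = ACTION_BY_CLASSIFICATION.get(result.get("classification"), "investigate")
        buckets[action].append(h)
    return buckets
```

Each body returned by build_request_bodies can be sent as the JSON payload of the curl call above; feed the parsed response to triage to get the clear / review / investigate lists.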

API details

POST /api/v1/intel/lookup

Required permission: intel:lookup
Required tier: basic


The NSRL corpus

HashWatch draws its known-file data from the NIST NSRL RDS - a dataset of cryptographic hashes for known software, published roughly quarterly by the U.S. National Institute of Standards and Technology. HashWatch uses the current RDS v3 “modern” dataset, covering on the order of 72 million distinct SHA-256 hashes of modern operating-system and application files.

POST /api/v1/intel/lookup returns known_vendor_release results from HashWatch’s own verified vendor releases regardless of NSRL state; the NSRL data adds the known_file classification on top.

Keeping the corpus current

The NSRL corpus is maintained by HashWatch and refreshed automatically as NIST publishes new RDS releases (roughly quarterly). There is nothing for you to do, and lookups stay available throughout - POST /api/v1/intel/lookup works regardless of the corpus state. The corpus only adds the known_file classification on top of the known_vendor_release results, which come from HashWatch’s own continuously verified vendor releases.


Trust model

Source                   | Who controls it                                        | Confidence level
hashwatch_vendor         | HashWatch - fetched directly from vendor, HMAC-signed  | High: byte-identical to vendor distribution
nsrl_minimal / nsrl_full | NIST - U.S. government reference corpus                | Medium: known quantity, but context matters

Important: known_file from the NSRL corpus does not mean the file is safe to execute. It means the hash appears in NIST’s reference database for some software product. Always combine BinTrust results with other detections (EDR telemetry, network activity, process behaviour) during an investigation.