[josu]

>One of the ways that virustotal IS used however is by checking the hash of their malware to see if it has shown up yet. That lets them know if someone has taken an interest in it yet, and if they have, it means they need to start rolling a new version.

But once they upload the file to see if the hash already exists, they can no longer check, since their hash will already be indexed. No?

[Dublum]

you can check a hash without uploading the file in question. VT only stores a set of results if it has seen the actual file, not if a hash is checked against it. This is why, when doing incident response, a lot of people suggest not uploading suspicious files to VT, because it lets the attackers change up and start using new malware

[thefreeman]

You can search on a hash, so I imagine they would hash it themselves and just perform a search.