To have a hash of a file, you need the file (or a large portion of the file), especially in the context of antivirus, which searches for very specific files and needs to have a very low false positive and false negative rate. Consequently, they would already have to have the tool (or a large portion of the tool) to find it and retrieve it. A little non-productive, don't you think?

Saying that they "obviously have fingerprints of what they're looking for" is an active attempt to make the events fit a narrative.