/general/report

Description:

Returns the full analysis report for a specific file, identified by an MD5, SHA1, SHA256 or SHA512 hash.

Version:

1.0

Resource Information:

Response format: JSON

Requires authentication: yes

Required input fields:

  • api_key - required
  • md5 | sha1 | sha256 | sha512 - required
  • list of output_filters - optional

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: "8000000000000000000000000000000000000000000000000000000000000000"
Output example: -
Name: md5 | sha1 | sha256 | sha512
Type: single string - required
Description: hash of the file whose report is requested
Content: -
Input example: "56f695d70a1cf1e1cc1e6b2710aab545"
Output example: -

Return codes:

Status code: 404
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 400
Description: Bad request
Result: JSON with "status" and "errmsg" fields
Status code: 428
Description: Sample analysis is still running
Result: -
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000",
    "md5": "b440ee486d45b3a08a1a1cbdf0bc0bef"
}

Output examples:

{
    "status": "success",
    "data": {
        "url": [
            {
                "username": null,
                "protocol": "",
                "parameters": "",
                "fragment": "",
                "url": " apicvxcvb.ru",
                "sub_domain": "apicvxcvb.ru",
                "tld": "apicvxcvb.ru",
                "query_string": "",
                "path": " apicvxcvb.ru",
                "password": null,
                "port": null,
                "found_in": [
                    "tcp_buffer"
                ]
            },
            {
                "username": null,
                "protocol": "http",
                "parameters": "",
                "fragment": "",
                "url": "http:\/\/apicvxcvb.ru\/api\/auth\/getToken?user=loader&ver=5&key=67d899412493813e1cdba8abcb91505e",
                "sub_domain": "apicvxcvb.ru",
                "tld": "apicvxcvb.ru",
                "query_string": "user=loader&ver=5&key=67d899412493813e1cdba8abcb91505e",
                "path": "\/api\/auth\/getToken",
                "password": null,
                "port": 80,
                "found_in": [
                    "tcp_buffer"
                ]
            },
            {
                "username": null,
                "protocol": "http",
                "parameters": "",
                "fragment": "",
                "url": "http:\/\/mmm.sfsfsdfsfsfapi.ru\/api\/installer\/error?user=loader&ver=5&key=7acbe607e750947a1fd64696a77fba95",
                "sub_domain": "mmm.sfsfsdfsfsfapi.ru",
                "tld": "sfsfsdfsfsfapi.ru",
                "query_string": "user=loader&ver=5&key=7acbe607e750947a1fd64696a77fba95",
                "path": "\/api\/installer\/error",
                "password": null,
                "port": 80,
                "found_in": [
                    "tcp_buffer"
                ]
            },
            {
                "username": null,
                "protocol": "",
                "parameters": "",
                "fragment": "",
                "url": "apicvxcvb.ru",
                "sub_domain": "apicvxcvb.ru",
                "tld": "apicvxcvb.ru",
                "query_string": "",
                "path": "apicvxcvb.ru",
                "password": null,
                "port": null,
                "found_in": [
                    "dns_lookup",
                    "process_strings"
                ]
            },
            {
                "username": null,
                "protocol": "",
                "parameters": "",
                "fragment": "",
                "url": "mmm.sfsfsdfsfsfapi.ru",
                "sub_domain": "mmm.sfsfsdfsfsfapi.ru",
                "tld": "sfsfsdfsfsfapi.ru",
                "query_string": "",
                "path": "mmm.sfsfsdfsfsfapi.ru",
                "password": null,
                "port": null,
                "found_in": [
                    "dns_lookup",
                    "process_strings"
                ]
            },
            {
                "username": null,
                "protocol": "http",
                "parameters": "",
                "fragment": "",
                "url": "http:\/\/megadowl.com\/terms-ru.html",
                "sub_domain": "megadowl.com",
                "tld": "megadowl.com",
                "query_string": "",
                "path": "\/terms-ru.html",
                "password": null,
                "port": 80,
                "found_in": [
                    "process_strings"
                ]
            }
        ],
        "ip": [
            {
                "ip": "188.42.241.234",
                "found_in": [
                    "tcp_connection"
                ]
            }
        ],
        "classification": {
            "result": "Malicious"
        },
        "....": {}
    }
}
{
    "status": "failed",
    "errmsg": "Value 'testfailure' for parameter 'md5' is not in an acceptable format."
}
{
    "status": "failed",
    "errmsg": "No result found"
}

Remarks:

To retrieve partial report information, refer to /intel/report.

/intel/report

Description:

Returns at most 10 fields of the analysis report of a given file, identified by an MD5, SHA1, SHA256 or SHA512 hash.

Version:

1.0

Resource Information:

Response format: JSON

Requires authentication: yes

Required input fields:

  • api_key - required
  • md5 | sha1 | sha256 | sha512 - required
  • list of output_filters - required (at most 10 filters)

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: "8000000000000000000000000000000000000000000000000000000000000000"
Output example: -
Name: md5 | sha1 | sha256 | sha512
Type: single string - required
Description: hash of the file whose report is requested
Content: -
Input example: "56f695d70a1cf1e1cc1e6b2710aab545"
Output example: -
Name: rules (output_filters)
Type: single string - optional
Description: returns the list of rules matched by the sample
Content: -
Input example: "rules"
Output example: { "rules": [ "sizeOfRawDataTooLarge", "dropExe", "selfUnpack", "autorunRegistryKey", "systemInfo", "codeInjection", "digitalCerts", "runDroppedExe", "backdoor", "unknownHook", "highEntropy", "selfDeletion", "antiVM", "loadImage", "runExe", "invalidPEChecksum", "browserStealer" ] }
Name: info (output_filters)
Type: single string - optional
Description: returns the main details related to the sample
Content: -
Input example: "info"
Output example: { "status": "success", "file_type": "MS-DOS executable", "first_seen": "2015-11-27T10:03:21", "last_seen": "2016-01-28T14:48:11.633364", "file_size": 95744 }
Name: classification (output_filters)
Type: single string - optional
Description: returns the classification result (Malicious, Clean)
Content: -
Input example: "classification"
Output example: { "result": "Malicious" }
Name: dynamic_imported_apis (output_filters)
Type: single string - optional
Description: returns a list of functions dynamically imported
Content: -
Input example: "dynamic_imported_apis"
Output example: { "dynamic_imported_apis": [ "SHGetFolderPathW", "CharLowerBuffW", "DecodePointer", "PathRemoveFileSpecW", "PathAppendW", "EncodePointer", "FlsGetValue", "FlsAlloc", "FlsSetValue", "FlsFree" ] }
Name: sleep (output_filters)
Type: single string - optional
Description: returns the sleep values recorded for each monitored process
Content: -
Input example: "sleep"
Output example: { "process": "C:\\dhhcb\\tgycj.exe", "values": [ 60000 ], "processPID": 3896 }
Name: processes (output_filters)
Type: single string - optional
Description: returns the list of created and deleted processes. The parent field holds the name of the process that created or deleted another process; the child field holds the name of the created or deleted process
Content: -
Input example: "processes"
Output example: { "Create": [ { "blocks": [ { "childPID": 3108, "child": "C:\\jhigj\\gyrpj.exe" } ], "parentPID": 348, "parent": "C:\\jhigj\\gyrpj.exe" }, { "blocks": [ { "childPID": 3456, "child": "C:\\Windows\\explorer.exe" } ], "parentPID": 3108, "parent": "C:\\jhigj\\gyrpj.exe" } ], "Delete": [ { "blocks": [ { "childPID": 3108, "child": "C:\\jhigj\\gyrpj.exe" } ], "parentPID": 348, "parent": "C:\\jhigj\\gyrpj.exe" } ] }
Name: static (output_filters)
Type: single string - optional
Description: returns a full static analysis of the sample
Content: -
Input example: "static"
Output example: { "pe_info": "[...]", "pe_imports": "[...]", "pe_exports": "[...]", "pe_digital_signature": "[...]", "pe_resources": "[...]", "pe_versioninfo": "[...]", "pe_sections": "[...]" }
Name: shutdown (output_filters)
Type: single string - optional
Description: returns a list of processes trying to shutdown or restart the system
Content: -
Input example: "shutdown"
Output example: [ { "process": "C:\\ajchg\\nfntl.exe", "processPID": 3700 } ]
Name: disk_write (output_filters)
Type: single string - optional
Description: returns a list of Master Boot Record and Volume Boot Record write events
Content: -
Input example: "disk_write"
Output example: [ { "process": "[SYSTEM]", "processPID": 4, "blocks": [ { "dataSize": 512, "data": "[...]" } ] } ]
Name: tags (output_filters)
Type: single string - optional
Description: returns the category and labels assigned to the analyzed sample. Note that a malicious sample may have multiple tags or an empty tags field
Content: -
Input example: "tags"
Output example: { "tags": [ "trojan.dridex", "trojan.dropper", "trojan.injector", "trojan.nyxp", "tool.ceeinject", "tool.virtool" ] }
Name: code_injection (output_filters)
Type: single string - optional
Description: returns the list of processes that received injected code, including the virtual address and size of the injected code
Content: -
Input example: "code_injection"
Output example: [ { "process": "C:\\Windows\\explorer.exe", "processPID": 3456, "blocks": [ { "codeSize": 24576, "virtualAddress": "280000" } ] } ]
Name: load_image (output_filters)
Type: single string - optional
Description: returns a list of DLLs or drivers loaded by monitored processes
Content: -
Input example: "load_image"
Output example: [ { "Other": [ { "process": "C:\\jhigj\\msjei.exe", "processPID": 348, "blocks": [ { "fileType": "exe", "fileMd5": "2f8869f747a4a5b7fb2afa65b1d8ab0a", "file": "C:\\Users\\Admin\\AppData\\Roaming\\Ixeg\\ekzyz.exe" } ] }, { "process": "C:\\Windows\\System32\\svchost.exe", "processPID": 820, "blocks": [ { "fileType": "exe", "fileMd5": "2f8869f747a4a5b7fb2afa65b1d8ab0a", "file": "C:\\Users\\Admin\\AppData\\Roaming\\Ixeg\\ekzyz.exe" } ] } ], "Driver": [] } ]
Name: hook_usermode (output_filters)
Type: single string - optional
Description: returns details about hooked functions, grouped by process and module name
Content: -
Input example: "hook_usermode"
Output example: [ { "process": "taskhost.exe", "modules": [ { "module": "C:\\Windows\\SYSTEM32\\ntdll.dll", "APIs": [ { "destinationModule": "Unknown", "API": "NtCreateUserProcess", "virtualAddress": "44fd1a", "hookType": "INLINE" }, { "destinationModule": "Unknown", "API": "LdrLoadDll", "virtualAddress": "44fe43", "hookType": "INLINE" } ] } ], "processPID": 1788 } ]
Name: filesystem (output_filters)
Type: single string - optional
Description: returns the list of Write, Read, Create and Delete filesystem events
Content: -
Input example: "filesystem"
Output example: { "Write": [ { "process": "C:\\ceiii\\ykyak.exe", "processPID": 2560, "blocks": [ { "fileType": "exe", "fileMd5": "e2cf08be5d9f2785d0dbb86d65a4d2f3", "file": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startupx\\system.pif" }, { "fileType": "exe", "fileMd5": "e2cf08be5d9f2785d0dbb86d65a4d2f3", "file": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startupx\\tmp.exe" } ] } ] }
Name: registry_activities (output_filters)
Type: single string - optional
Description: returns a list of OpenKey, CreateKey, SetValue and QueryValue events, grouped by monitored processes
Content: -
Input example: "registry_activities"
Output example: [ { "CreateKey": [ { "process": "C:\\fdafg\\xsijo.exe", "values": [ "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Tracing\\xsijo_RASMANCS", "\\REGISTRY\\\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters", "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Tracing\\xsijo_RASAPI32" ], "processPID": 1688 } ], "OpenKey": [ { "process": "C:\\fdafg\\xsijo.exe", "values": [ "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Oracle VM VirtualBox Guest Additions", "\\REGISTRY\\MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-3558273304-2305715256-1486658336-1000" ], "processPID": 1688 } ] } ]
Name: strings (output_filters)
Type: single string - optional
Description: returns the list of dumped strings, including the simhash and MD5 of the dumped buffer. Relevant strings (paths, emails, file extensions, registry keys, URLs) are also extracted
Content: -
Input example: "strings"
Output example: [ { "sim_hash": "1000100100101100101010001111101010010011110101001100001000001101", "extracted_strings": { "EXTENSION": [ ".dll" ], "URL": [ "http:\/\/update1.highguarded.com\/?abbr=RTK&action=download&setupType=drop64&setupFileName=dropper64.exe" ] }, "processInfo": [ { "process": "C:\\fdafg\\xsijo.exe", "module": "", "processPID": 1688, "baseAddress": 4194304, "type": "MAIN PROCESS", "size": 823296 } ], "stringList": [ " (949, UTF-8)", " (932, UTF-8)", " (ANSI, UTF-8)", " (1254, OEM, UTF-8)", " (1252, OEM, UTF-8)", " (1250, OEM, UTF-8)&", "*other strings*" ], "md5": "5d22b56e715544959d9b728ec0948fcf" } ]
Name: ip (output_filters)
Type: single string - optional
Description: returns a list of all detected IPs. IPs can be found in TCP/UDP connections, string buffers and DNS lookups
Content: -
Input example: "ip"
Output example: [ { "ip": "82.145.215.85", "found_in": [ "tcp_connection" ] } ]
Name: url (output_filters)
Type: single string - optional
Description: returns a list of all detected URLs. URLs can be found in TCP/UDP connections and string buffers
Content: -
Input example: "url"
Output example: [ { "username": null, "protocol": "", "parameters": "", "fragment": "", "url": "www.hi-jumper.com", "sub_domain": "www.hi-jumper.com", "tld": "hi-jumper.com", "query_string": "", "path": "www.hi-jumper.com", "password": null, "port": null, "found_in": [ "dns_lookup" ] } ]
Name: connections_tcp (output_filters)
Type: single string - optional
Description: returns details about TCP connections made during sample analysis
Content: -
Input example: "connections_tcp"
Output example: [ { "process": "C:\\Program Files\\Opera\\20.0.1387.77\\opera.exe", "ip": "82.145.215.85", "send": [ { "host": "", "dataSize": 223, "referer": "" } ], "receive": [], "processPID": 2820, "port": 443 } ]
Name: connections_udp (output_filters)
Type: single string - optional
Description: returns details about UDP connections made during sample analysis
Content: -
Input example: "connections_udp"
Output example: [ { "process": "C:\\Program Files\\Safari\\Safari.exe", "ip": "192.168.1.255", "dataSize": 50, "processPID": 2912, "port": 137 } ]
Name: local_services (output_filters)
Type: single string - optional
Description: returns details about services/port interactions made at runtime
Content: -
Input example: "local_services"
Output example: { "UDP": [], "TCP": [ { "process": "C:\\Windows\\system32\\taskhost.exe", "processPID": 1788, "blocks": [ { "remotePort": 0, "state": "LISTEN", "localAddress": "0.0.0.0", "localPort": 25384, "remoteAddress": "0.0.0.0" } ] } ] }
Name: dns_lookup (output_filters)
Type: single string - optional
Description: returns details about DNS lookups made at runtime
Content: -
Input example: "dns_lookup"
Output example: [ { "IPlist": [ "82.165.37.26" ], "host": "www.hi-jumper.com", "hostList": [] } ]

Return codes:

Status code: 404
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 400
Description: Bad request
Result: JSON with "status" and "errmsg" fields
Status code: 428
Description: Sample analysis is still running
Result: -
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000",
    "md5": "b440ee486d45b3a08a1a1cbdf0bc0bef",
    "output_filters": [
        "url",
        "classification",
        "ip"
    ]
}

Output examples:

{
    "status": "success",
    "data": {
        "url": [
            {
                "username": null,
                "protocol": "",
                "parameters": "",
                "fragment": "",
                "url": " apicvxcvb.ru",
                "sub_domain": "apicvxcvb.ru",
                "tld": "apicvxcvb.ru",
                "query_string": "",
                "path": " apicvxcvb.ru",
                "password": null,
                "port": null,
                "found_in": [
                    "tcp_buffer"
                ]
            },
            {
                "username": null,
                "protocol": "http",
                "parameters": "",
                "fragment": "",
                "url": "http:\/\/apicvxcvb.ru\/api\/auth\/getToken?user=loader&ver=5&key=67d899412493813e1cdba8abcb91505e",
                "sub_domain": "apicvxcvb.ru",
                "tld": "apicvxcvb.ru",
                "query_string": "user=loader&ver=5&key=67d899412493813e1cdba8abcb91505e",
                "path": "\/api\/auth\/getToken",
                "password": null,
                "port": 80,
                "found_in": [
                    "tcp_buffer"
                ]
            },
            {
                "username": null,
                "protocol": "http",
                "parameters": "",
                "fragment": "",
                "url": "http:\/\/mmm.sfsfsdfsfsfapi.ru\/api\/installer\/error?user=loader&ver=5&key=7acbe607e750947a1fd64696a77fba95",
                "sub_domain": "mmm.sfsfsdfsfsfapi.ru",
                "tld": "sfsfsdfsfsfapi.ru",
                "query_string": "user=loader&ver=5&key=7acbe607e750947a1fd64696a77fba95",
                "path": "\/api\/installer\/error",
                "password": null,
                "port": 80,
                "found_in": [
                    "tcp_buffer"
                ]
            },
            {
                "username": null,
                "protocol": "",
                "parameters": "",
                "fragment": "",
                "url": "apicvxcvb.ru",
                "sub_domain": "apicvxcvb.ru",
                "tld": "apicvxcvb.ru",
                "query_string": "",
                "path": "apicvxcvb.ru",
                "password": null,
                "port": null,
                "found_in": [
                    "dns_lookup",
                    "process_strings"
                ]
            },
            {
                "username": null,
                "protocol": "",
                "parameters": "",
                "fragment": "",
                "url": "mmm.sfsfsdfsfsfapi.ru",
                "sub_domain": "mmm.sfsfsdfsfsfapi.ru",
                "tld": "sfsfsdfsfsfapi.ru",
                "query_string": "",
                "path": "mmm.sfsfsdfsfsfapi.ru",
                "password": null,
                "port": null,
                "found_in": [
                    "dns_lookup",
                    "process_strings"
                ]
            },
            {
                "username": null,
                "protocol": "http",
                "parameters": "",
                "fragment": "",
                "url": "http:\/\/megadowl.com\/terms-ru.html",
                "sub_domain": "megadowl.com",
                "tld": "megadowl.com",
                "query_string": "",
                "path": "\/terms-ru.html",
                "password": null,
                "port": 80,
                "found_in": [
                    "process_strings"
                ]
            }
        ],
        "ip": [
            {
                "ip": "188.42.241.234",
                "found_in": [
                    "tcp_connection"
                ]
            }
        ],
        "classification": {
            "result": "Malicious"
        }
    }
}
{
    "status": "failed",
    "errmsg": "Value 'testfailure' for parameter 'md5' is not in an acceptable format."
}
{
    "status": "failed",
    "errmsg": "No result found or sample analysis is running"
}

Remarks:

For a full report download, refer to /general/report.
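A client helper for the two report endpoints above, added here as an example (it is not the vendor's own code). It validates the hash parameter and the output_filters limit before sending, maps the documented return codes (200, 400, 404, 428) onto Python results, and groups a report's network indicators by the sandbox source that observed them. The base URL, the POST/JSON transport and the trimmed sample data are assumptions.

```python
import json
import re
import urllib.request
from urllib.error import HTTPError

BASE_URL = "https://api.example.invalid"  # placeholder: the page gives no host

# Hash parameter names the endpoints accept, with the hex length of each digest.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# output_filters documented for /intel/report; at most 10 per request.
KNOWN_FILTERS = {
    "rules", "info", "classification", "dynamic_imported_apis", "sleep",
    "processes", "static", "shutdown", "disk_write", "tags", "code_injection",
    "load_image", "hook_usermode", "filesystem", "registry_activities", "strings",
    "ip", "url", "connections_tcp", "connections_udp", "local_services", "dns_lookup",
}
MAX_FILTERS = 10

# Constructed sample, trimmed from the page's output example.
SAMPLE_DATA = {
    "url": [
        {"url": " apicvxcvb.ru", "found_in": ["tcp_buffer"]},
        {"url": "http://apicvxcvb.ru/api/auth/getToken?user=loader&ver=5"
                "&key=67d899412493813e1cdba8abcb91505e", "found_in": ["tcp_buffer"]},
        {"url": "apicvxcvb.ru", "found_in": ["dns_lookup", "process_strings"]},
    ],
    "ip": [{"ip": "188.42.241.234", "found_in": ["tcp_connection"]}],
    "classification": {"result": "Malicious"},
}


class AnalysisPending(Exception):
    """HTTP 428: the sandbox has not finished analysing the sample yet."""


def hash_kind(digest):
    """Return the parameter name (md5, sha1, sha256, sha512) for a hex digest.
    Checking locally keeps malformed values from ever reaching the 400 path."""
    if not isinstance(digest, str) or not re.fullmatch(r"[0-9a-fA-F]+", digest):
        raise ValueError("digest must be a hex string")
    for name, length in HASH_LENGTHS.items():
        if len(digest) == length:
            return name
    raise ValueError("digest length matches no supported hash")


def build_request(api_key, digest, output_filters=None):
    """Return (path, body). No filters -> /general/report (full report);
    1..10 known filters -> /intel/report (partial report)."""
    body = {"api_key": api_key, hash_kind(digest): digest.lower()}
    if output_filters is None:
        return "/general/report", body
    filters = list(dict.fromkeys(output_filters))  # drop duplicates, keep order
    if not 1 <= len(filters) <= MAX_FILTERS:
        raise ValueError("output_filters must hold 1 to %d entries" % MAX_FILTERS)
    unknown = sorted(set(filters) - KNOWN_FILTERS)
    if unknown:
        raise ValueError("unknown output_filters: " + ", ".join(unknown))
    body["output_filters"] = filters
    return "/intel/report", body


def parse_response(status_code, raw_body):
    """Map the documented return codes: 200 -> the data object, 404 -> None,
    428 -> AnalysisPending (no body), 400 or anything else -> ValueError."""
    if status_code == 428:
        raise AnalysisPending("sample analysis is still running")
    payload = json.loads(raw_body) if raw_body else {}
    if status_code == 200 and payload.get("status") == "success":
        return payload["data"]
    if status_code == 404:
        return None
    raise ValueError("API error %d: %s" % (status_code, payload.get("errmsg", "")))


def fetch_report(api_key, digest, output_filters=None, opener=urllib.request.urlopen):
    """POST the JSON body and return parse_response()'s result. `opener` is
    injectable so the flow can be exercised without network access."""
    path, body = build_request(api_key, digest, output_filters)
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    try:
        with opener(req) as resp:
            return parse_response(resp.status, resp.read().decode())
    except HTTPError as err:  # 400/404/428 arrive here as exceptions
        return parse_response(err.code, err.read().decode())


def network_indicators(data):
    """Group the URLs and IPs of a report by the sandbox source that observed
    them (tcp_buffer, dns_lookup, process_strings, tcp_connection)."""
    seen = {}
    for entry in data.get("url", []):
        for source in entry["found_in"]:
            seen.setdefault(source, set()).add(entry["url"].strip())
    for entry in data.get("ip", []):
        for source in entry["found_in"]:
            seen.setdefault(source, set()).add(entry["ip"])
    return {source: sorted(values) for source, values in seen.items()}
```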

/intel/search/advanced

Description:

Returns a list of MD5 which match a set of specified criteria. By default, at most 250 MD5 can be retrieved (for more details, refer to result_set parameter). All the criteria are applied with an "AND" logic.

Version:

1.0

Resource Information:

Response format: JSON

Requires authentication: yes

Required input fields:

  • api_key - required
  • other parameters - required, at least one

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: "8000000000000000000000000000000000000000000000000000000000000000"
Output example: -
Name: classification
Type: single string - optional
Description: filter by samples classified as malware or clean
Content: "M" Malware, "C" Clean
Input example: "M"
Output example: -
Name: sim_hash
Type: list [1-10] - optional
Description: filter by similar dumped strings. Each dumped string buffer is represented by a 64-character binary string. Similar string buffers across different samples can be retrieved with this fuzzy-hashing feature. A sample's simhash can be retrieved with the /general/report API
Content: 64 binary characters
Input example: "1011100111001101101011001101110110011011010111110010111000000001"
Output example: -
Name: imp_hash
Type: list [1-10] - optional
Description: filter by samples which have the same set of imported functions. The imphash is an MD5 hash of the PE's import table after some normalization. A sample's imphash can be retrieved with the /general/report API
Content: valid MD5 string
Input example: "663e38be1620cc887a638385be3ff53e"
Output example: -
Name: url
Type: list [1-10] - optional
Description: filter by samples containing the specified URL. URLs are retrieved from TCP/UDP connections, DNS lookups and dumped string buffers
Content: valid URL string, 5 to 2000 valid URL characters
Input example: "http://pyjeufkvmjkn.biz/ma0hfns72hsudi0xim"
Output example: -
Name: domain
Type: list [1-10] - optional
Description: filter by samples containing the specified domain name. Domains are retrieved from TCP/UDP connections, DNS lookups and dumped string buffers
Content: valid domain string, 4 to 253 valid URL characters
Input example: "google.com"
Output example: -
Name: strings
Type: list [1-10] - optional
Description: filter by samples containing the specified string inside a dumped buffer string. String search is case insensitive
Content: 3 to 256 characters string
Input example: "AltTab_KeyHookWnd"
Output example: -
Name: ip
Type: list [1-10] - optional
Description: filter by samples containing the specified IP. IPs are retrieved from TCP/UDP connection, strings buffer and DNS lookup. "ip" and "ip_range" filters cannot be used together
Content: valid IPv4 ip
Input example: "5.2.189.251"
Output example: -
Name: ip_range
Type: single string - optional
Description: filter by samples containing any IP inside the specified IP range. IPs are retrieved from TCP/UDP connections, string buffers and DNS lookups. "ip" and "ip_range" filters cannot be used together
Content: valid IPv4 range. CIDR notation is not allowed. Use a "start_ip-end_ip" notation
Input example: "5.2.189.251-5.2.190.000"
Output example: -
Name: asn
Type: list [1-10] - optional
Description: filter by samples containing any IP related to the specified Autonomous System Number. IPs are retrieved from TCP/UDP connection, strings buffers and DNS lookup
Content: valid ASN, "as####" format is allowed
Input example: "1111","as112243"
Output example: -
Name: country
Type: list [1-10] - optional
Description: filter by samples containing any IP related to the specified country. IPs are retrieved from TCP/UDP connection, strings buffer and DNS lookup
Content: valid country code string, following the ISO 3166-1 alpha-2 standard
Input example: "US"
Output example: -
Name: rules
Type: list [1-10] - optional
Description: filter by samples which match the specified rules set
Content: valid set of rules, see remarks for details
Input example: "adsDropper", "avoidDNS"
Output example: -
Name: never_seen
Type: single string - optional
Description: filter by samples with low spread rate at analysis time
Content: boolean value, true|false|True|False|0|1
Input example: "1"
Output example: -
Name: time_delta
Type: single string - optional
Description: filter by samples seen in a specific time range
Content: valid time delta format. The time window is computed as "now-[time_delta]". Valid formats: [0-999]d (days), [0-999]h (hours), [0-36]m (months)
Input example: "7d"
Output example: -
Name: result_set
Type: single string - optional
Description: used to iterate through the MD5 list of samples that matched the specified criteria. If no "result_set" is specified, at most 250 MD5 are returned
Content: a valid starting offset, specified in the start parameter, and a valid delta offset (i.e. how many MD5 to retrieve), specified in the rows parameter
Input example: "start=0", "rows=10"
Output example: -

Return codes:

Status code: 404
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 400
Description: Bad request
Result: JSON with "status" and "errmsg" fields
Status code: 428
Description: Sample analysis is still running
Result: -
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000",
    "sim_hash": [
        "0010111101111010000001110000101011000100000101101110010000000001"
    ],
    "domain": [
        "ttuoodemeecc.biz"
    ],
    "strings": [
        "key"
    ],
    "result_set": [
        "start=0",
        "rows=10"
    ]
}

Output examples:

{
    "status": "success",
    "data": [
        "b3acb43f402373a9ee975a3e8e24a852",
        "b9cc4353afc4918b8ffa00d4f0ec84a6",
        "d4be4506b858aba97745c9779b7a2009",
        "bafcd0691df88d42d8aeb579e504d1e1",
        "1a03cbbe9bb1e2f8438c4763a9cdc5d2",
        "cc6d8482fcc922010f0f2fc47e12be1b",
        "d5e8361fc946a1188c18d7f7f7b4eb21",
        "5ceced2c8bf5f110ec6404f616fb5ea0",
        "e2cf08be5d9f2785d0dbb86d65a4d2f3"
    ]
}
{
    "status": "failed",
    "errmsg": "No result found or sample analysis is running"
}
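A request builder and paginator for /intel/search/advanced, added here as an example (not the vendor's code). It enforces the constraints stated above: at least one criterion, 1 to 10 values per list parameter, 64-character binary sim_hash values, "start_ip-end_ip" ranges rather than CIDR, the ip/ip_range exclusion, the time_delta formats, and result_set paging through the MD5 list. The transport is an assumption: `fetch(body)` stands for any callable that POSTs the body and returns the "data" list, or None on a 404.

```python
import re

LIST_PARAMS = {"sim_hash", "imp_hash", "url", "domain", "strings", "ip",
               "asn", "country", "rules"}          # each takes 1 to 10 values
DEFAULT_ROWS = 250  # the service returns at most 250 MD5 without a result_set
TIME_DELTA = re.compile(r"^(\d{1,3})[dh]$|^(\d{1,2})m$")  # [0-999]d/h, [0-36]m
ASN = re.compile(r"^(as)?\d+$", re.IGNORECASE)             # "1111" or "as112243"


def _ipv4(text):
    """Dotted quad -> int. Octets such as '000' (page example) are accepted."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("invalid IPv4 address: %r" % text)
    return sum(int(p) << (8 * (3 - i)) for i, p in enumerate(parts))


def check_ip_range(text):
    """Only 'start_ip-end_ip' is allowed; CIDR notation is rejected."""
    if "/" in text or text.count("-") != 1:
        raise ValueError("ip_range must use start_ip-end_ip notation, not CIDR")
    start, end = (_ipv4(p.strip()) for p in text.split("-"))
    if start > end:
        raise ValueError("ip_range start address is after end address")
    return text


def check_time_delta(text):
    """The window is computed by the service as now-[time_delta]."""
    m = TIME_DELTA.match(text)
    if not m or (m.group(2) is not None and int(m.group(2)) > 36):
        raise ValueError("invalid time_delta: %r" % text)
    return text


def build_search(api_key, start=0, rows=DEFAULT_ROWS, **criteria):
    """Validate the criteria and return the JSON body for /intel/search/advanced."""
    if not criteria:
        raise ValueError("at least one criterion besides api_key is required")
    if "ip" in criteria and "ip_range" in criteria:
        raise ValueError("'ip' and 'ip_range' filters cannot be used together")
    body = {"api_key": api_key}
    for name, value in criteria.items():
        if name in LIST_PARAMS:
            values = [value] if isinstance(value, str) else list(value)
            if not 1 <= len(values) <= 10:
                raise ValueError("%s accepts 1 to 10 values" % name)
            if name == "ip":
                for v in values:
                    _ipv4(v)
            elif name == "sim_hash" and not all(re.fullmatch(r"[01]{64}", v) for v in values):
                raise ValueError("sim_hash values must be 64 binary characters")
            elif name == "asn" and not all(ASN.match(v) for v in values):
                raise ValueError("asn values must be numeric or in 'as####' form")
            body[name] = values
        elif name == "classification" and value in ("M", "C"):
            body[name] = value
        elif name == "ip_range":
            body[name] = check_ip_range(value)
        elif name == "time_delta":
            body[name] = check_time_delta(value)
        elif name == "never_seen" and str(value) in ("true", "false", "True", "False", "0", "1"):
            body[name] = str(value)
        else:
            raise ValueError("unknown parameter or bad value: %s=%r" % (name, value))
    body["result_set"] = ["start=%d" % start, "rows=%d" % rows]
    return body


def iter_md5s(fetch, api_key, rows=10, **criteria):
    """Walk the whole result set page by page; stops on an empty or None page
    (the 404 case) or on a page shorter than `rows`."""
    start = 0
    while True:
        page = fetch(build_search(api_key, start=start, rows=rows, **criteria))
        if not page:
            return
        yield from page
        if len(page) < rows:
            return
        start += rows
```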

Remarks:

Valid values for the rules parameter, with the behaviour each rule flags:

adsDropper
Creates Alternate Data Streams

antiAv
Contains anti-antivirus strings

antiDebugging
Contains anti-debugging code

antiDump
Contains anti-dump tricks

antiVM
Tries to detect whether it is being emulated

appinitDll
Injects .DLL at system startup

autorunRegistryKey
Creates autorun registry key

avoidDNS
Avoids the use of the DNS to connect to some URLs

backdoor
Binds network port

badConnection
Attempts connections to suspicious countries

badIpUrlInStrings
Found IPs or URLs inside strings related to suspicious countries

botnet
Contains botnet controller behaviour

browserStealer
Steals local browser data

bruteforcePasswd
Attempts to brute force passwords

bypassWinFirewall
Contains Windows Firewall manipulation routine

checkAntivirusInstalled
Checks if there is at least one antivirus installed

codeInjection
Injects code into other processes

codeRedirection
EntryPoint code redirection

containsPE
Contains PE inside resources

dataStealer
Steals data

debuggingCode
Contains debugging code

deleteApplicationLogs
Can delete system application logs

deleteOnReboot
Deletes itself after reboot

deleteSecurityLogs
Can delete system security logs

deleteSysRestoreShadowCopies
Can delete System Restore Shadow Copies

deleteSystemVolumeInformation
Deletes backup information

deprecatedFileHeaderCharacteristics
It makes use of some deprecated flags in the Characteristics field of FileHeader

dialer
Might behave as a dialer

digitalCerts
Searches for digital certificates

disableAdminTools
Disables administration tools

disableBrowserSecurity
Disables browser security check

dropDll
Drops .DLL file

dropExe
Drops .EXE file

dropSys
Drops kernel driver

epInWritableSection
EntryPoint points inside a writeable section

epLastSection
EntryPoint points inside the last PE section

epOutOfSections
EntryPoint points out of any PE section

epZeroValue
EntryPoint of the PE is set to zero

executableSections
Number of executable sections

format
Can format drives

ftpStealer
Contains FTP stealing routine

highEntropy
May be packed or encrypted

hostsFile
Alters HOSTS file

IESettings
Manipulates Internet Explorer settings

imageBaseTooLarge
PE ImageBase too large

importAPIByOrdinal
Import API by ordinal instead of API name

importModuleNumber
Number of imported modules

invalidFileAlignament
PE FileAlignment is invalid

invalidImageBase
Invalid PE ImageBase

invalidImageSize
PE image size is invalid

invalidPEChecksum
PE Checksum is invalid

invalidPointerToRawData
PointerToRawData of a PE section is not a multiple of FileAlignment

invalidSectionCharacteristics
Characteristics PE section is not set

invalidSizeOfCode
PE SizeOfCode is invalid

invalidSizeOfHeaders
SizeOfHeaders is not a multiple of FileAlignment

invalidSizeOfImage
SizeOfImage is not a multiple of SectionAlignment

invalidSizeOfRawData
SizeOfRawData of a PE section is not a multiple of FileAlignment

loadDll
Loads .DLL

loadImage
Loads image

loadSys
Loads kernel driver

notAscendingSectionVA
Virtual Addresses of PE sections are not in ascending order

notExistsDataDirectory
PE DataDirectory does not exist

notParsablePE
PE is not parsable

overwriteDll
Overwrites .DLL

overwriteExe
Overwrites .EXE

overwriteSys
Overwrites kernel driver

packerSectionName
Contains common packer section names

pdbNameMismatch
PDB names and original PE filename mismatch

pdfCheck
It may contain an exploit

PESignature
PE Signature

rawDiskAccess
Raw access to hard drives

rawMemoryAccess
Raw access to memory

recentlyRegisteredDomainConn
Attempts connection to recently registered domain

recentlyRegisteredDomainDns
Makes DNS lookup of recently registered domain

recentlyRegisteredDomainStrings
Strings contain recently registered domain

requireAdministrator
Requires administrator privileges

reservedDataDirectory
It makes use of the reserved field inside the PE DataDirectory

reservedFileHeaderCharacteristics
It makes use of reserved flags in the Characteristics field of FileHeader

rootkitLoader
Contains uncommon driver loading routine

runDroppedExe
Runs dropped executable

runExe
Runs existing executable

sampleCrash
Application crashed

sectionAlignamentSmallerFileAlignament
SectionAlignment is smaller than FileAlignment

sectionLess
PE does not have sections

selfDebugging
Contains self-debugging code

selfDeletion
Deletes itself

selfUnpack
Automatically unpacks its own code

shutdown
Tries to shut down the system

shutdownCan
Can shut down the system

sizeOfRawDataTooLarge
PE section has SizeOfRawData larger than VirtualSize

sleep
Suspicious delay

startup
Creates an executable in the startup folder

stringsContainFiletypeRansomware
Strings contain known file types searched by ransomware

suspiciousSectionName
Contains sections with uncommon names

systemInfo
Gathers system data

tooManySections
PE has too many sections

unknownHook
Creates hook to unknown module

unusualPETimestamp
Unusual PE timestamp

useLoaderFlagsReservedField
It makes use of LoaderFlags which is a reserved field

useNumberOfLinenumbersDeprecatedField
It makes use of NumberOfLinenumbers which is a deprecated field

useNumberOfRelocationsDeprecatedField
It makes use of NumberOfRelocations which is a deprecated field

usePointerToLinenumbersDeprecatedField
It makes use of PointerToLinenumbers which is a deprecated field

usePointerToRelocationDeprecatedField
It makes use of PointerToRelocations which is a deprecated field

useWin32VersionValueReservedField
It makes use of Win32VersionValue which is a reserved field

worm
Tries to spread itself on local network

writablePEFileHeader
PE FileHeader is writable

writeExeSections
Last PE section is both writable and executable

writeMBR
Overwrites Master Boot Record

writeVBR
Overwrites Volume Boot Record

zeroImageBase
PE has ImageBase set to zero

zeroSizeOfRawData
PE section has SizeOfRawData set to zero

zeroVirtualSize
PE section has VirtualSize set to zero
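As an added example (not part of the Deepviz documentation or its analysis engine), the following evaluates a subset of the PE-structure checks listed above against header values already parsed out of a file, returning the matching flag names; the dataclass layout and the constructed sample header are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # IMAGE_SCN_* bits from the PE/COFF spec
IMAGE_SCN_MEM_WRITE = 0x80000000

@dataclass
class Section:  # fields of one IMAGE_SECTION_HEADER
    virtual_address: int
    virtual_size: int
    pointer_to_raw_data: int
    size_of_raw_data: int
    characteristics: int

@dataclass
class PEHeader:  # fields of the optional header plus the section table
    image_base: int
    file_alignment: int
    section_alignment: int
    size_of_headers: int
    size_of_image: int
    sections: List[Section] = field(default_factory=list)

def _misaligned(value: int, alignment: int) -> bool:
    return alignment == 0 or value % alignment != 0  # zero alignment is never satisfiable

def pe_header_flags(pe: PEHeader) -> List[str]:  # sorted, de-duplicated flag names that fire
    flags = set()
    if pe.image_base == 0:
        flags.add("zeroImageBase")
    if _misaligned(pe.size_of_headers, pe.file_alignment):
        flags.add("invalidSizeOfHeaders")
    if _misaligned(pe.size_of_image, pe.section_alignment):
        flags.add("invalidSizeOfImage")
    if pe.section_alignment < pe.file_alignment:
        flags.add("sectionAlignamentSmallerFileAlignament")
    if not pe.sections:
        flags.add("sectionLess")
        return sorted(flags)
    vas = [s.virtual_address for s in pe.sections]
    if vas != sorted(vas):
        flags.add("notAscendingSectionVA")
    for s in pe.sections:
        if _misaligned(s.pointer_to_raw_data, pe.file_alignment):
            flags.add("invalidPointerToRawData")
        if _misaligned(s.size_of_raw_data, pe.file_alignment):
            flags.add("invalidSizeOfRawData")
        if s.size_of_raw_data == 0:
            flags.add("zeroSizeOfRawData")
        if s.virtual_size == 0:
            flags.add("zeroVirtualSize")
        if s.size_of_raw_data > s.virtual_size:  # weak alone: raw size is padded up to FileAlignment
            flags.add("sizeOfRawDataTooLarge")
        if s.characteristics == 0:
            flags.add("invalidSectionCharacteristics")
    rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    if (pe.sections[-1].characteristics & rwx) == rwx:  # last section both writable and executable
        flags.add("writeExeSections")
    return sorted(flags)

def packed_sample() -> PEHeader:  # constructed header resembling a packed binary, not a real file
    return PEHeader(0x400000, 0x200, 0x1000, 0x400, 0x5000, [
        Section(0x1000, 0x1000, 0x400, 0x1000, 0x60000020),   # code section, read/execute
        Section(0x2000, 0x3000, 0x1400, 0x0, 0xE0000040),     # unpacking stub: RWX, no raw data
    ])
```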

/intel/search

Description:

Returns the list of IPs, domains and samples containing any information related to the specified string.

Version:

1.0

Resource Information:

Response format: JSON

Requires authentication: yes

Required input fields:

  • api_key - required
  • string - required
  • result_set - optional

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: 8000000000000000000000000000000000000000000000000000000000000000
Output example: -
Name: string
Type: list [1-10] - optional
Description: filter by MD5, IP or domains containing information related to the specified string
Content: 3 to 256 characters string
Input example: "jack"
Output example: -
Name: result_set
Type: single string - optional
Description: used to iterate through the MD5, IP and domain lists that matched the specified criteria. If no "result_set" is specified, at most 250 elements are retrieved
Content: a valid starting offset, specified in the start parameter, and a valid delta offset (i.e. how many MD5s to retrieve), specified in the rows parameter
Input example: "start=0", "rows=10"
Output example: -

Return codes:

Status code: 404
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 400
Description: Bad request
Result: JSON with "status" and "errmsg" fields
Status code: 428
Description: Sample analysis is still running
Result: -
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000",
    "string": "jack"
}

Output examples:

{
    "status": "success",
    "data": {
        "IP": [
            "209.172.51.245",
            "74.200.59.248",
            "206.107.127.16",
            "74.200.63.200",
            "99.37.140.119"
        ],
        "TLD": [
            "golfhunter.com.cn",
            "bestwaysex.com",
            "meizu.com",
            "oaa.co",
            "chaojihu.com",
            "metrotrains.com.au"
        ],
        "MD5": [
            "333e94aad6d0e212a36eea15196c4486",
            "c7a57ed4e6d4611fdfe0aa367cb9c902",
            "854324c17a5f2c6b5ebf15f593ca01db",
            "af4d94d93a65ecdd78870dbe3c4a999e",
            "a259806d37605d078fe579072f9de1d0",
            "2f28340e40913d8c4eeb18d740e52c7b"
        ]
    }
}

Remarks:

----

/intel/network/domain

Description:

Returns the main details about a specific list of domains: score, whois, found_in, sample tags and sub_domains information

Version:

1.0

Resource Information:

Response format: JSON

Requires authentication: yes

Required input fields:

  • api_key - required
  • time_delta - required, exclusive with domain
  • domain - required, exclusive with time_delta
  • history - optional
  • list of output_filters - optional

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: 8000000000000000000000000000000000000000000000000000000000000000
Output example: -
Name: domain
Type: list [1-10] - required
Description: list of domains for which to retrieve the details
Content: valid domain list
Input example: "goiyhoi3j.ru", "yahoo.com"
Output example: -
Name: whois (output_filters)
Type: single string - optional
Description: filter the result obtaining only whois details
Content: "whois", "sub_domains", "score"
Input example: "whois", "sub_domains"
Output example: -
Name: sub_domains (output_filters)
Type: single string - optional
Description: filter the result obtaining only related subdomains details
Content: "whois", "sub_domains", "score"
Input example: "whois", "sub_domains"
Output example: -
Name: score (output_filters)
Type: single string - optional
Description: filter the result obtaining only score details
Content: "whois", "sub_domains", "score"
Input example: "whois", "sub_domains"
Output example: -
Name: history
Type: single string - optional
Description: If true, retrieve the full history information of the specified domains. Default value is set to false
Content: boolean string value, true|false|True|False|0|1
Input example: "true"
Output example: -
Name: time_delta
Type: single string - optional
Description: Retrieve the list of domains created starting from the specified timestamp
Content: boolean value, true|false|True|False|0|1
Input example: 1M
Output example: -

Return codes:

Status code: 404
Description: No result found or sample analysis is running
Result: JSON with "status" and "errmsg" fields
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000",
    "domain": [
        "apiufisfivbn.ru"
    ],
    "output_filters": [
        "whois",
        "sub_domains"
    ]
}

Output examples:

{
    "status": "success",
    "data": {
        "apiufisfivbn.ru": {
            "score": {
                "malicious": 0,
                "clean": 1
            },
            "tag": [
                "icloader",
                "graftor",
                "adinstaller"
            ],
            "whois": [
                {
                    "info": {
                        "updated_date": [
                            "2016-02-08 22:26:33"
                        ],
                        "expiration_date": [
                            "2017-01-25 00:00:00"
                        ],
                        "contacts": {
                            "registrant": {
                                "name": "Private Person"
                            }
                        },
                        "registrar": [
                            "REGRU-RU"
                        ],
                        "creation_date": [
                            "2016-01-25 00:00:00"
                        ]
                    }
                }
            ],
            "found_in": [
                {
                    "key": "dns_lookup",
                    "doc_count": 1
                },
                {
                    "key": "process_strings",
                    "doc_count": 1
                },
                {
                    "key": "tcp_buffer",
                    "doc_count": 1
                }
            ],
            "sub_domains": [
                {
                    "resolutions": [
                        {
                            "timestamp": "2016-02-08T19:30:27.428636",
                            "ip_list": [
                                "188.42.244.223"
                            ],
                            "alias_chain": []
                        }
                    ],
                    "name": "apiufisfivbn.ru"
                }
            ]
        }
    }
}
{
    "status": "failed",
    "errmsg": "API takes only one of the following parameters: domain, time_delta."
}
{
    "status": "failed",
    "errmsg": "No result found or sample analysis is running"
}

Remarks:

----

/intel/network/ip

Description:

Returns intel details about a specific list of IPs. Get related domains, score, Whois registration history. Specify time_delta if you want to retrieve the last IPs isolated and identified in that specific time range.

Version:

1.0

Resource Information:

Response format: JSON

Requires authentication: yes

Required input fields:

  • api_key - required
  • time_delta - required, exclusive with ip
  • ip - required, exclusive with time_delta
  • history - optional
  • list of output_filters - optional

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: 8000000000000000000000000000000000000000000000000000000000000000
Output example: -
Name: ip
Type: list [1-10] - required
Description: list of IPs for which to retrieve the information
Content: valid IP list
Input example: "7.78.69.83"
Output example: -
Name: whois (output_filters)
Type: single string - optional
Description: filter the result obtaining only whois details
Content: "whois", "sub_domains", "score"
Input example: "whois", "sub_domains"
Output example: -
Name: sub_domains (output_filters)
Type: single string - optional
Description: filter the result obtaining only related subdomains details
Content: "whois", "sub_domains", "score"
Input example: "whois", "sub_domains"
Output example: -
Name: score (output_filters)
Type: single string - optional
Description: filter the result obtaining only score details
Content: "whois", "sub_domains", "score"
Input example: "whois", "sub_domains"
Output example: -
Name: geoip (output_filters)
Type: single string - optional
Description: filter the result obtaining only geoip details
Content: "whois", "sub_domains", "score", "geoip"
Input example: "whois", "sub_domains"
Output example: -
Name: time_delta
Type: single string - optional
Description: Retrieve the list of IPs detected starting from the specified timestamp
Content: boolean value, true|false|True|False|0|1
Input example: 1M
Output example: -
Name: history
Type: single string - optional
Description: If true, retrieve the full history information of the specified IPs. Default value is set to false
Content: boolean string value, true|false|True|False|0|1
Input example: "true"
Output example: -

Return codes:

Status code: 404
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 400
Description: Bad request
Result: JSON with "status" and "errmsg" fields
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000",
    "ip": [
        "7.78.69.83"
    ],
    "output_filters": [
        "score",
        "whois",
        "geoip",
        "sub_domains"
    ]
}

Output examples:

{
    "status": "success",
    "data": {
        "7.78.69.83": {
            "whois": {
                "info": {
                    "asn_cidr": "NA",
                    "nets": [
                        {
                            "updated": "2006-04-28T00:00:00",
                            "description": "DoD Network Information Center",
                            "name": "DISANET7",
                            "created": "1997-11-24T00:00:00"
                        }
                    ],
                    "asn": "NA"
                },
                "timestamp": "2016-02-08T19:03:31.776653"
            },
            "geoip": {
                "info": {
                    "country_code3": "USA",
                    "country_name": "United States",
                    "region_code": null,
                    "location": {
                        "coordinates": [
                            -97,
                            38
                        ]
                    },
                    "country_code": "US"
                },
                "timestamp": "2016-02-08T19:03:31.776653"
            },
            "tag": [],
            "sub_domains": [],
            "score": {
                "good": 0,
                "malicious": 1
            },
            "found_in": [
                {
                    "key": "tcp_connection",
                    "doc_count": 1
                }
            ]
        }
    }
}

Remarks:

----

/sandbox/sample

Description:

Download sample binary identified by hash

Version:

1.0

Resource Information:

Response format: JSON

Requires authentication: yes

Required input fields:

  • api_key - required
  • md5 | sha1 | sha256 | sha512 - required

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: 8000000000000000000000000000000000000000000000000000000000000000
Output example: -
Name: md5 | sha1 | sha256 | sha512
Type: single string - required
Description: sample to download
Content: a valid MD5 string
Input example: "8193692156c70df0c39643f68e890fb4"
Output example: -

Return codes:

Status code: 404
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 400
Description: Bad request
Result: JSON with "status" and "errmsg" fields
Status code: 428
Description: Sample analysis is still running
Result: -
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000",
    "md5": "a6ca3b8c79e1b7e2a6ef046b0702aeb2"
}

Output examples:

{
    "status": "failed",
    "errmsg": "No result found"
}
{
    "-------BINARY DATA-------": "-Binary data-"
}

Remarks:

----

/sandbox/sample/bulk/request

Description:

Multi-download feature that works alongside the /sandbox/sample/bulk/retrieve API. This API takes a list of hashes identifying the samples to be downloaded. Once the request is accepted, a request ID is returned and the request is queued. Use that request ID with /sandbox/sample/bulk/retrieve to download the requested samples

Version:

1.0

Resource Information:

Response format: JSON

Requires authentication: yes

Required input fields:

  • api_key - required
  • hashes - required

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: 8000000000000000000000000000000000000000000000000000000000000000
Output example: -
Name: hashes
Type: list [1-20] - required
Description: md5 | sha1 | sha256 | sha512 list of the samples to download
Content: a valid list of md5 | sha1 | sha256 | sha512 strings
Input example: "a6ca3b8c79e1b7e2a6ef046b0702aeb2", "34781d4f8654f9547cc205061221aea5", "a8c5c0d39753c97e1ffdfc6b17423dd6", "5997d769cdb108390dcfaebf442bf816"
Output example: -

Return codes:

Status code: 404
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 400
Description: Bad request
Result: JSON with "status" and "errmsg" fields
Status code: 428
Description: Sample analysis is still running
Result: -
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000",
    "hashes": [
        "a6ca3b8c79e1b7e2a6ef046b0702aeb2",
        "34781d4f8654f9547cc205061221aea5",
        "a8c5c0d39753c97e1ffdfc6b17423dd6",
        "5997d769cdb108390dcfaebf442bf816"
    ]
}

Output examples:

{
    "status": "success",
    "data": {
        "id_request": 64
    }
}

Remarks:

----

/sandbox/sample/bulk/retrieve

Description:

Used to download the package of samples identified by a specific request ID obtained from /sandbox/sample/bulk/request API

Version:

1.0

Resource Information:

Response format: JSON

Requires authentication: yes

Required input fields:

  • api_key - required
  • id_request - required

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: 8000000000000000000000000000000000000000000000000000000000000000
Output example: -
Name: id_request
Type: single string - required
Description: ID of the sample package to download
Content: a valid id retrieved with /sandbox/sample/bulk/request API
Input example: "8193692156c70df0c39643f68e890fb4"
Output example: -

Return codes:

Status code: 428
Description: Request processing
Result: -
Status code: 404
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 401
Description: Unauthorized request
Result: JSON with "status" and "errmsg" fields
Status code: 400
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 403
Description: Forbidden. No permission for specified request
Result: JSON with "status" and "errmsg" fields
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000",
    "id_request": "15"
}

Output examples:

{
    "-------BINARY DATA-------": "-Binary data-"
}
{
    "status": "failed",
    "errmsg": "Request N.15 does not exist."
}

Remarks:

----
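The two-step bulk flow described above (queue the hashes with /sandbox/sample/bulk/request, then poll /sandbox/sample/bulk/retrieve until the 428 "request processing" status clears), written as an added example rather than Deepviz's own client code. The HTTP layer is injected as a transport callable so the flow runs offline; the base URL, HTTP method and the constructed fake replies are assumptions of this example, not documented behaviour.

```python
import json
import time
from typing import Callable, Dict, List, Tuple

# transport(endpoint, json_payload) -> (http_status, response_body); injected so the
# flow runs offline here and can wrap any real HTTP client in practice.
Transport = Callable[[str, Dict], Tuple[int, bytes]]
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

class BulkDownloadError(Exception):
    pass

def validate_hashes(hashes: List[str]) -> None:
    """Enforce the documented list size (1-20) and the accepted digest formats."""
    if not 1 <= len(hashes) <= 20:
        raise ValueError("hashes must hold between 1 and 20 entries")
    for h in hashes:
        if len(h) not in HEX_DIGEST_LENGTHS or any(c not in "0123456789abcdefABCDEF" for c in h):
            raise ValueError(f"not an md5/sha1/sha256/sha512 hex digest: {h!r}")

def request_bulk(transport: Transport, api_key: str, hashes: List[str]) -> int:
    """Step 1: queue the download and return the id_request the API assigns."""
    validate_hashes(hashes)
    status, body = transport("/sandbox/sample/bulk/request", {"api_key": api_key, "hashes": hashes})
    if status != 200:
        raise BulkDownloadError(f"bulk request rejected with HTTP {status}")
    reply = json.loads(body)
    if reply.get("status") != "success":
        raise BulkDownloadError(reply.get("errmsg", "unknown error"))
    return int(reply["data"]["id_request"])

def retrieve_bulk(transport: Transport, api_key: str, id_request: int,
                  max_polls: int = 10, sleep: Callable[[float], None] = time.sleep) -> bytes:
    """Step 2: poll until the package is ready; 428 means the request is still processing."""
    payload = {"api_key": api_key, "id_request": str(id_request)}
    for _ in range(max_polls):
        status, body = transport("/sandbox/sample/bulk/retrieve", payload)
        if status == 200:
            return body                      # the package itself (binary data)
        if status == 428:
            sleep(5.0)                       # still queued: back off, then ask again
            continue
        try:                                 # 400/401/403/404 carry a JSON errmsg
            msg = json.loads(body).get("errmsg", "")
        except ValueError:
            msg = body.decode(errors="replace")
        raise BulkDownloadError(f"retrieve failed with HTTP {status}: {msg}")
    raise BulkDownloadError(f"package not ready after {max_polls} polls")

def fake_transport() -> Transport:
    """Constructed stand-in for the API: accepts the request as id 64, answers 428 twice,
    then serves the package (or a 404 for any other id), mirroring the documented replies."""
    polls = {"n": 0}
    def transport(endpoint: str, payload: Dict) -> Tuple[int, bytes]:
        if endpoint == "/sandbox/sample/bulk/request":
            return 200, json.dumps({"status": "success", "data": {"id_request": 64}}).encode()
        if endpoint == "/sandbox/sample/bulk/retrieve":
            polls["n"] += 1
            if polls["n"] <= 2:
                return 428, b""
            if payload["id_request"] != "64":
                err = {"status": "failed", "errmsg": f"Request N.{payload['id_request']} does not exist."}
                return 404, json.dumps(err).encode()
            return 200, b"PK\x03\x04 constructed package bytes"
        return 400, b'{"status": "failed", "errmsg": "Bad request"}'
    return transport
```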

/sandbox/submit

Description:

Use this API to submit files to Deepviz Sandbox Analysis infrastructure for malware analysis

Version:

1.0

Resource Information:

Response format: multipart/form-data

Requires authentication: yes

Required input fields:

  • api_key - required
  • file - required
  • privacy - optional

Parameters:

Name: api_key
Type: single string - required
Description: API key obtained at registration time
Content: valid API key string
Input example: 8000000000000000000000000000000000000000000000000000000000000000
Output example: -
Name: file
Type: binary file - required
Description: Binary file to submit
Content: -
Input example: -
Output example: -
Name: privacy
Type: single string - optional
Description: Privacy option
Content: boolean value, true|false|True|False|0|1
Input example: -
Output example: -

Return codes:

Status code: 404
Description: No result found
Result: JSON with "status" and "errmsg" fields
Status code: 400
Description: Bad request
Result: JSON with "status" and "errmsg" fields
Status code: 428
Description: Sample analysis is still running
Result: -
Status code: 200
Description: Request correctly handled
Result: JSON with "status" and "data" fields

Input examples:

{
    "api_key": "8000000000000000000000000000000000000000000000000000000000000000"
}
{
    "-------BINARY DATA-------": "-Binary data-"
}

Output examples:

{
    "status": "success",
    "errmsg": "Sample submitted"
}

Remarks:

                        ----