Version: Spectra Analyze 9.6.0

Advanced Search

Introduction

The Advanced Search feature introduces rich metadata search capabilities on the ReversingLabs Spectra Analyze appliance, makes it easier to search across large data sets (both locally and in ReversingLabs Spectra Intelligence), and enables faster, more powerful malware discovery with increased coverage.

With 100+ keywords, 30+ anti-virus vendors, 130+ sample types and subtypes and 280+ tags, Advanced Search makes it possible to build more than 500 unique search queries using Boolean operators and keyword auto-completion.

Users can create targeted, multi-conditional queries and combine search criteria using logical operators to quickly identify potential threats.

The Advanced Search feature can be used to perform local searches without a Spectra Intelligence account. Using Advanced Search to retrieve Spectra Intelligence results is available to customers at additional cost. For more information, contact ReversingLabs Sales Support (insidesales@reversinglabs.com).

Important notes about the Advanced Search feature

  1. Different search queries return results at different speeds - for some combinations of keywords and operators, it can take longer to load the results. To ensure quicker response times for long and complex queries, returned results may contain fewer samples than are available in the database; i.e., the service will only return the latest matches found within a reasonable timeframe.

Important

To improve search query responsiveness and performance, Cloud results prioritize First Seen within the last month by default. However, this may result in zero results if users specify time ranges outside this time frame. In such cases, the results page provides links to expand the search results. If the query returns some results but there are more in the previous months, clicking the link next to the query summary under the drop-down menu filters broadens the search to encompass a wider time range. Alternatively, users can set the provided drop-down filters to the desired expanded time range.

  2. Local-only keywords will not work on the Cloud tab, as local-only keywords cannot be used to search for samples in the Spectra Intelligence cloud. Only actual file submissions will be returned as results. Local-only keywords are: filecount, tag-user, submission-user, submission-time and processing-status. To perform Spectra Intelligence searches or search for extracted files, remove any local keywords from the query.

  3. The maximum length of a single search query is 1024 characters. Queries longer than 1024 characters cannot be shared or added to Favorites. Attempting to submit queries longer than 1024 characters will result in an error. This does not apply to Bulk hash search queries.

  4. The maximum number of Cloud results that can be returned for a search query is 100 000. Although there may be more samples matching the query in the Spectra Intelligence cloud, Spectra Analyze will only allow browsing through 100 000 of them.

  5. Currently it is only possible to export a single page of search results. To export all results from the list, the user would have to browse pages one by one and manually export them. It is possible to adjust the number of results displayed per page in the navigation bar, thus increasing or decreasing the number of results that will appear in the exported CSV file.

  6. The *Fetch & Analyze* option for Cloud results is currently limited to downloading 100 samples at a time, with a daily limit of 10 000 samples in total. Samples that already exist on Spectra Analyze will not be downloaded again. It is not possible to fetch and analyze all samples in the Cloud results list at once.

  7. Large volumes of data indexed for Advanced Search in the Spectra Intelligence cloud are constantly updated in order to return the most relevant information. During synchronization of various Spectra Intelligence services, searching for samples in the cloud may return inconsistent or incorrect results in some cases. The data is updated multiple times per hour. This can cause discrepancies between the results offered on the Local and Public (Spectra Intelligence) results tabs.

How to Write Search Queries

Note

Local-only keywords will not work on the Cloud tab, as local-only keywords cannot be used to search for samples in the Spectra Intelligence cloud. Only actual file submissions will be returned as results. Local-only keywords are: filecount, tag-user, submission-user, submission-time and processing-status. To perform Spectra Intelligence searches or search for extracted files, remove any local keywords from the query.

Local-only keywords, when added using the drop-down menus, will not be shown in the Advanced Search box as part of the query, but they will still be applied to the results, saved to the Recent queries list, and shared using the Share query button.

To create a search query, start typing into the Advanced search box. The pull-down list with all matching search keywords or their predefined values will open. The keywords are listed alphabetically.

Every search query must contain at least one keyword and one value. Search queries are built according to the following formula.

keyword:value OPERATOR keyword2:value OPERATOR keyword3:[value1,value2,...]

The values for a keyword can be typed in manually, or if the keyword supports it, selected from the pull-down list.

Selecting a keyword that supports predefined values (for example, classification, riskscore) displays all those values in the pull-down list.

Selecting a keyword that supports date and time ranges (such as lastseen or firstseen) displays the date picker. To add a custom range to the search box, select “Custom” in the date picker and click the Apply button.

Keywords have short usage examples in the pull-down list. For a detailed overview of supported keywords and their features, refer to the Supported Search Keywords section.

Some keywords have aliases - additional forms that can be used to search for the same values. Aliases are indicated in the Supported Search Keywords section in parentheses next to keyword names, and in the interface as illustrated in the screenshot below.

[Screenshot: pull-down list of search keywords with aliases highlighted]

To run a search query, click the Search button in the search box, or press Enter.
The following is an example of a basic search query that returns all samples classified as suspicious:

classification:suspicious

What can and cannot be included in a search query depends on the values and operators supported by the keyword, as well as on the restricted words and characters.

The maximum length of a single search query that can be entered into the Advanced search box is 1024 characters.

Restricted Words and Characters

All restricted words and characters should be escaped with double quotation marks in the search query.

Example: a query contains one of the restricted characters [, ], (, ), :

pdb:"C:\Windows*"

Example: a query contains one of the restricted words (AND, OR, NOT)

cert-subject-name:"AND"

If the search query contains spaces, use double quotation marks around it.

cert-subject-org:"microsoft corporation"

Searching for Exact Matches

For more precise results, use quotation marks in search queries, especially when looking for a specific string.

The underscore character ( _ ) is treated as a delimiter. Phrases containing the underscore should be enclosed in quotation marks to get exact matches.

For example, searching for pe-function:"Py_Initialize" returns results that match the exact phrase, including the underscore character.

Searching for pe-function:Py_Initialize returns results that match either “Py” or “Initialize”, or both.

Using Wildcards for Partial Matching

Some search keywords support partial matching with wildcard symbols.

The * symbol matches any sequence of characters. The ? symbol matches any single character.

Example: this query returns all samples that have the string “emo” anywhere in their threat name (such as Wemosis, Remora, Temonde).

av-detection: *emo*

Example: this query returns all samples with the threat name “Emotet” and any other variant where the first letter T is replaced by any other character (such as Emonet, Emoret).

av-detection: emo?et

Searching for a Range and Greater/Less-Than Values

For keywords that support searching for a range of values, the formula looks like this.

keyword:[value1 TO value2]

size:[50000 TO 70000]

To search for greater/less-than values, create an open-ended range using the wildcard symbol *

keyword:[value TO *] - for greater-than values

keyword:[* TO value] - for less-than values

This example returns all samples that have a trust factor lower than or equal to 4.

trustfactor:[* TO 4]

Searching for a List of Values

To search for any of the values in a list, the following formula is used.

keyword:[value1, value2, value3]

The values must be comma-separated.

classification:[suspicious, unknown]

av-detection:[emotet,wannacry]

sha1:[91b21fffe934d856c43e35a388c78fccce7471ea,4e8c5b9fc9a6650f541fa0dbe456731309a429e4,66720a660761e9b3b9b071ba4c16d6ab69c442bb]

Creating Multi-keyword Search Queries

Search operators and parentheses can be used to combine multiple keywords and create advanced search queries.

The following search operators are supported: AND, OR, NOT

If an operator is not provided, AND is used as the default. Operators are case-insensitive, so the following queries all return the same results.

firstseen:2018-01-01T00:00:00Z AND classification:malicious

firstseen:2018-01-01T00:00:00Z and classification:malicious

firstseen:2018-01-01T00:00:00Z classification:malicious

The NOT operator excludes search results that match the search criteria. In the following example, malicious and suspicious files will be excluded from the results:

av-detection:*linux* NOT classification:[malicious, suspicious]

The OR operator can be used to look for any of the values supported by a single keyword:

classification:suspicious OR classification: malicious

It can also be used to look for any of the different keywords and their values:

pdb:JigsawRansomware.pdb OR uri:"http://btc.blockr.io/api/v1/"

The OR operator cannot be used instead of a comma when searching for a list of values. The following example is not a valid query:

av-detection:[emotet OR wannacry]

Parentheses can be used to combine keywords. The following two queries show how to format the same request using square brackets versus parentheses:

firstseen:2018-01-01T00:00:00Z av-detection:[trojan,wannacry]

firstseen:2018-01-01T00:00:00Z (av-detection:trojan OR av-detection:wannacry)

Apart from using parentheses with the same keyword, they can be used to combine multiple different keywords, operators, and even a range:

firstseen:2018-01-01T00:00:00Z (av-detection:trojan AND type:binary NOT positives:[* TO 3])
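As an added illustration of the quoting, list, range and operator rules described in the sections above (example code written for this page, not part of Spectra Analyze or its API), the following Python helper assembles queries that respect those rules and the 1024-character limit. The function names, and the choice to leave ISO-8601 timestamps unquoted because the documented examples write them that way, are assumptions of this example.

```python
import re

MAX_QUERY_LEN = 1024                      # documented limit for a single query
RESTRICTED_WORDS = {"AND", "OR", "NOT"}   # must be quoted when used as a value
RESTRICTED_CHARS = set("[]():")           # same, plus whitespace (checked below)
# Assumption: timestamps contain ':' but the documented examples leave them
# unquoted (firstseen:2018-01-01T00:00:00Z), so they are passed through as-is.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z?$")


def quote_value(value, exact=False):
    """Return the value in the form the query parser accepts.

    Quotes are added when the value is a restricted word, contains a
    restricted character or whitespace, or when exact=True (needed for an
    exact match of phrases with underscores, which are delimiters otherwise).
    """
    v = str(value)
    if len(v) >= 2 and v.startswith('"') and v.endswith('"'):
        return v                          # caller already quoted it
    if TIMESTAMP_RE.match(v):
        return v
    needs_quotes = (
        exact
        or v.upper() in RESTRICTED_WORDS
        or any(c in RESTRICTED_CHARS or c.isspace() for c in v)
    )
    return f'"{v}"' if needs_quotes else v


def term(keyword, value, exact=False):
    """keyword:value, e.g. term("pdb", "C:\\Windows*") -> pdb:"C:\\Windows*"."""
    return f"{keyword}:{quote_value(value, exact)}"


def any_of(keyword, values):
    """keyword:[v1, v2, ...]; values are comma-separated, never joined by OR."""
    if not values:
        raise ValueError("a list query needs at least one value")
    return f"{keyword}:[{', '.join(quote_value(v) for v in values)}]"


def between(keyword, low=None, high=None):
    """keyword:[low TO high]; an omitted bound becomes the open-ended '*'."""
    if low is None and high is None:
        raise ValueError("a range query needs at least one bound")
    lo = "*" if low is None else low
    hi = "*" if high is None else high
    return f"{keyword}:[{lo} TO {hi}]"


def all_of(*clauses):
    """Join clauses with AND (the default operator, written out for clarity)."""
    return " AND ".join(clauses)


def either(*clauses):
    """Join clauses with OR; use any_of() for several values of one keyword."""
    return " OR ".join(clauses)


def negate(clause):
    return f"NOT {clause}"


def group(clause):
    """Parenthesise a sub-expression so it can be combined with other clauses."""
    return f"({clause})"


def finalize(query):
    """Enforce the documented 1024-character limit before submitting."""
    if len(query) > MAX_QUERY_LEN:
        raise ValueError(f"query is {len(query)} characters; limit is {MAX_QUERY_LEN}")
    return query
```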

Saving and Sharing Search Queries

There are several ways to save search queries on the Spectra Analyze appliance.

  1. Search queries can be saved as Favorites on the Spectra Analyze appliance itself. Run any query and click the star button right of the search box to save it. The query will be listed under Favorites in the Suggestions menu. It can be modified to include other search keywords and parameters, or removed from the appliance at any time. A maximum of 20 search queries can be saved in this way.

  2. Search queries can be saved using the built-in bookmarking functionality of the web browser. Run any query and bookmark the results page. In this case, any active filtering parameters (such as sorting and number of results per page) are also preserved in the bookmarked URL. A search query saved in this way will only work on the Spectra Analyze instance specified in the bookmarked URL.

Similarly, search queries can be shared in several ways:

  1. by using the Share query option on the Spectra Analyze appliance. Type in any query and click the Share button right of the search box. The Share Query dialog opens, where recipient email addresses have to be entered. Clicking the Share button in the dialog will send the selected query to provided email addresses. The email Subject field will contain the username of the Spectra Analyze user who shared the query.
  2. by copying the URL of the search results page from the address bar of the browser, and sending it manually via email or other communication channel. A search query shared in this way will only work if the recipient can log into the same Spectra Analyze instance from which the query was sent.
  3. by copying a favorite query to the clipboard (hover over the query in the Favorites list and select the Copy option from the triple-dot menu), then sharing it manually via email or other communication channel.

Non-keyword Queries

Advanced search queries can be quickly built without using keywords. Non-keyword search is available only for a particular subset of indicators of compromise:

  • SHA1, SHA256 and MD5 hashes
  • URLs
  • IP addresses
  • domains
  • emails

Non-keyword Search Queries

Non-keyword searches can be performed as standalone queries containing one or more non-keyword values, or be combined with traditional keyword searches. Email and IP (IPv4, IPv6) non-keyword queries support wildcard matching.

If a list of non-keyword search values contains invalid entries, search will respond with the message “Unrecognized nonkeyword argument” and return the first invalid non-keyword. In cases where the query contains only hashes, the response returns “Invalid value for hashes field”.

Using commas between non-keyword search values will result in an invalid query. Searching for strings containing commas and other special characters is supported by using quotation marks.

For example, IPV6 addresses or URLs containing colons, commas, or brackets must be enclosed in quotation marks:

"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
"http://www.evildomain.com/gate.php?13,35869"

Single non-keyword search

This can be any one of the IOCs listed above.

Example: SHA1

0000038704cb5f0e1bd87d6a75e904529af0d6ac

Multiple non-keyword search

To combine multiple non-keyword search values, separate them by space. The whole query will be enclosed in brackets and the spaces will be interpreted as the operator OR. Other operators (AND/NOT) can be explicitly provided to build more complex queries.

Example: IPV4, IPV6 and domain

127.0.0.1 "2620:119:35::35" google.com

Example: Hashes only

0000038704cb5f0e1bd87d6a75e904529af0d6ac 2abcd3fb8b7761526d177ab007c40e74 4dea2daa9a41dd6c4cb172eb6d8d8a1d1811360e21c5fa0c8ce2e20fd6903041

Non-keyword with keyword

When combining non-keyword search values with keywords, consecutive non-keyword values will be enclosed in brackets and the spaces between them will be interpreted as the operator OR. Spaces between non-keyword search values and keywords will be interpreted using the operator AND, meaning that the order of keywords and non-keyword values in the query is important.

Example: Samples containing the provided URL that are classified as goodware

"https://hope-bd.com/googledocs.php" class:goodware

Combining queries with the NOT operator

The NOT operator excludes search results that match the defined criteria.

Example: Query using the operator NOT

NOT *@mockmail.com "https://hope-bd.com/googledocs.php" AND NOT 0000038704cb5f0e1bd87d6a75e904529af0d6ac class:MALICIOUS

Non-keyword Search Examples

| Query type | Example | Syntax | Outcome |
|---|---|---|---|
| Single non-keyword | 0000038704cb5f0e1bd87d6a75e904529af0d6ac | NK | NK |
| Non-keyword search values combined with keywords | "https://hope-bd.com/googledocs.php" class:goodware | NK K | NK AND K |
| Multiple non-keyword values (hashes only) | 0000038[…]af0d6ac 2abcd3[…]7c40e74 4dea2da[…]6903041 | NK NK NK NK | (NK OR NK OR NK OR NK) |
| Multiple non-keyword values | 127.0.0.1 "2620:119:35::35" google.com | NK NK NK NK | (NK OR NK OR NK OR NK) |
| Multiple non-keyword values with an AND operator | mock@mockmail.com 127.0.*.1 AND google.com "https://hope-bd.com/googledocs.php" | NK NK AND NK NK | (NK OR NK) AND (NK OR NK) |
| Multiple keywords combined with multiple non-keyword values | class:MALICIOUS mock@mockmail.com google.com firstseen:2018-04-05T21:11:47Z | K NK NK K | K AND (NK OR NK) AND K |
| Combining queries with the NOT operator | NOT *@mockmail.com "https://hope-bd.com/googledocs.php" AND NOT 0000038[…]af0d6ac class:MALICIOUS | NOT NK NK AND NOT NK AND K | (NOT NK OR NK) AND NOT NK AND K |
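The transformation summarised in the table above, implemented as an added Python example (not part of the product): it tokenizes a non-keyword query, classifies each token as an operator, a keyword:value pair or a non-keyword indicator, and emits the explicit form shown in the Outcome column. The indicator patterns, the handling of a NOT placed directly before a value, and the exact error text are this example's own assumptions.

```python
import re

# A token is a run of unquoted non-space characters and/or "quoted" strings,
# so uri:"a b" and "2620:119:35::35" each stay one token.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')
KEYWORD_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.IGNORECASE)
# Non-keyword indicator shapes (assumed); wildcards are allowed in emails and IPs.
NONKEYWORD_RES = (
    re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE),  # MD5/SHA1/SHA256
    re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$"),                                   # email
    re.compile(r"^[\d*?]{1,3}(?:\.[\d*?]{1,3}){3}$"),                            # IPv4
    re.compile(r"^[0-9a-f*?]*:[0-9a-f*?]*:[0-9a-f:*?/]*$", re.IGNORECASE),       # IPv6 (two or more colons)
    re.compile(r"^(?:[a-z0-9*?-]+\.)+[a-z*?]{2,}$", re.IGNORECASE),             # domain
)


def classify(token):
    """Return 'OP' (AND/OR/NOT), 'K' (keyword:value) or 'NK' (non-keyword value)."""
    if token.upper() in ("AND", "OR", "NOT"):
        return "OP"
    if KEYWORD_RE.match(token) and not URL_RE.match(token):
        return "K"                        # e.g. class:goodware, but not http://...
    value = token[1:-1] if token.startswith('"') and token.endswith('"') else token
    if URL_RE.match(value) or any(r.match(value) for r in NONKEYWORD_RES):
        return "NK"
    # Mirrors the documented error for an invalid non-keyword entry.
    raise ValueError(f"Unrecognized nonkeyword argument: {token}")


def transform(query):
    """Rewrite a non-keyword query into its explicit operator form.

    Consecutive non-keyword values become one parenthesised OR group (a NOT
    directly before a value stays attached to that value); groups, keywords
    and explicit AND/OR are then joined, with AND inserted wherever two
    elements are merely adjacent. A single value needs no parentheses.
    """
    elements, group, pending_not = [], [], False

    def flush():
        if len(group) == 1:
            elements.append(group[0])
        elif group:
            elements.append("(" + " OR ".join(group) + ")")
        group.clear()

    for token in TOKEN_RE.findall(query):
        kind = classify(token)
        if kind == "OP":
            if token.upper() == "NOT":
                pending_not = True
            else:
                flush()                   # explicit AND/OR ends the current group
                elements.append(token.upper())
            continue
        item = f"NOT {token}" if pending_not else token
        pending_not = False
        if kind == "NK":
            group.append(item)
        else:
            flush()
            elements.append(item)
    flush()
    if pending_not:
        raise ValueError("NOT must be followed by a value")

    out = []
    for element in elements:
        if out and element not in ("AND", "OR") and out[-1] not in ("AND", "OR"):
            out.append("AND")             # implicit operator between adjacent elements
        out.append(element)
    return " ".join(out)


if __name__ == "__main__":
    # Rows from the table above, used here as constructed sample input.
    for q in (
        '127.0.0.1 "2620:119:35::35" google.com',
        "class:MALICIOUS mock@mockmail.com google.com firstseen:2018-04-05T21:11:47Z",
    ):
        print(q, "->", transform(q))
```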

Note

The final, transformed queries will be returned in the Advanced search box and added to the Recent queries list. They can be saved as favorites by clicking the star button to the right of the search box.

Supported Search Keywords

User-friendly modifiers

Some keywords support modifiers that serve as shorthand notation for search expressions.

Numbers

Keywords that accept numbers as values also accept a trailing plus or minus sign.

For example:

  • 5+ (five or more)
  • 42- (forty-two or less)

Exceptions:

  • Spaces are not allowed.
  • Prefixes are also not allowed (only trailing plus or minus).
  • Modifiers can't be used in range queries. For example, [3+ to 5-] is invalid.

List of keywords that accept numbers

  • av-count
  • av-threatlevel
  • document-pages
  • elf-section-count
  • filecount
  • macho-section-count
  • macho-segment-count
  • pe-section-count
  • riskscore
  • size
  • submissions
  • threatlevel

Dates

Keywords that accept dates also accept period abbreviations and trailing plus/minus.

Accepted abbreviations:

  • h for hours
  • d for days
  • w for weeks
  • m for months
  • y for years

The trailing plus or minus sign behaves just like for numbers.

For example:

  • 2023-04-11T08:10:00+ (on April 11 2023 at 08:10, or after that time)
  • 3d+ (three days or more)
  • 1w- (one week or less)

Exceptions:

  • Spaces are not allowed.
  • Prefixes are also not allowed (only trailing plus or minus).
  • Modifiers can't be used in range queries. For example, [3d to 5w] is invalid.

List of keywords that accept dates

  • firstseen
  • lastanalysis
  • lastseen
  • pe-timestamp
  • signer-valid-from
  • signer-valid-to
  • submission-time
  • taggant-valid-from
  • taggant-valid-to

Sizes

Keywords that accept sizes also accept unit abbreviations (KB, MB, GB...) and trailing plus/minus.

The abbreviations are case-insensitive. If an abbreviation is not specified, the expression is evaluated in bytes. Byte multiples are supported in both decimal (kilo-, mega-, giga-...) and binary (kibi-, mebi-, gibi-...) form.

For example:

  • 5MB+ (five megabytes or larger)
  • 13kib- (thirteen kibibytes or smaller)

Exceptions:

  • Spaces are not allowed.
  • Prefixes are also not allowed (only trailing plus or minus).
  • Modifiers can't be used in range queries if they contain a trailing plus or minus sign. For example, [3kB+ to 5MB] is invalid. However, if you use them without a trailing plus/minus, they can be used in a range query. For example, [3kb TO 5mb] is allowed.

The only keyword that accepts a size is size.
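An added Python example (not product code) that expands the number and size shorthand described above into the equivalent explicit range form, enforcing the listed exceptions (no spaces, no leading sign, no trailing sign inside a range). It assumes that 5+ is equivalent to [5 TO *] and 42- to [* TO 42]; the date abbreviations are not handled here.

```python
import re

# Byte multiples: decimal (kB, MB, GB, TB) and binary (KiB, MiB, GiB, TiB);
# abbreviations are matched case-insensitively, and no unit means bytes.
UNITS = {"": 1}
for power, prefix in enumerate("kmgt", start=1):
    UNITS[prefix + "b"] = 1000 ** power
    UNITS[prefix + "ib"] = 1024 ** power

# digits, optional unit, optional trailing + or - (nothing else, nothing before)
MODIFIER_RE = re.compile(r"^(\d+)([A-Za-z]*)([+-]?)$")


def parse_modifier(expr, sizes=False):
    """Return (value, sign) for a shorthand such as '5+', '42-', '5MB+' or '13kib-'.

    sizes=True enables the unit abbreviations accepted by the size keyword;
    number keywords (av-count, riskscore, ...) take a bare integer.
    Spaces and a leading sign are rejected, as the documentation requires.
    """
    if any(c.isspace() for c in expr):
        raise ValueError(f"spaces are not allowed: {expr!r}")
    m = MODIFIER_RE.match(expr)
    if not m:
        raise ValueError(f"invalid modifier (only a trailing + or - is allowed): {expr!r}")
    number, unit, sign = m.groups()
    if unit and not sizes:
        raise ValueError(f"units are only accepted by the size keyword: {expr!r}")
    if unit.lower() not in UNITS:
        raise ValueError(f"unknown unit: {unit!r}")
    return int(number) * UNITS[unit.lower()], sign


def expand(expr, sizes=False):
    """Rewrite shorthand into the explicit form: '5MB+' -> '[5000000 TO *]'."""
    value, sign = parse_modifier(expr, sizes)
    if sign == "+":
        return f"[{value} TO *]"
    if sign == "-":
        return f"[* TO {value}]"
    return str(value)                     # plain value, e.g. '13kib' -> '13312'


def expand_range(low, high, sizes=False):
    """[3kb TO 5mb] is allowed, [3kB+ TO 5MB] is not: bounds may carry a unit but no sign."""
    bounds = []
    for bound in (low, high):
        if bound == "*":
            bounds.append("*")            # open-ended side of the range
            continue
        value, sign = parse_modifier(bound, sizes)
        if sign:
            raise ValueError(f"trailing +/- is not allowed inside a range: {bound!r}")
        bounds.append(str(value))
    return f"[{bounds[0]} TO {bounds[1]}]"
```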

Group keywords

When using group keywords, the provided search query will be used with all single keywords in the group's respective list. Refer to the single keyword descriptions for more information.

Keyword aliases are enclosed in parentheses.

certificate (group keyword)
Includes: cert-issuer-name, cert-issuer-org, cert-issuer-unit, cert-subject-name, cert-subject-org, cert-subject-unit
Examples: Case-insensitive wildcard matching is supported.
  Wildcard: certificate:*micr*

certificate-country (group keyword)
Includes: cert-issuer-country, cert-subject-country
Examples: Case-insensitive wildcard matching is supported.
  List (any of the values): certificate-country:[HR, US]

document (group keyword)
Includes: document-author, document-subject, document-title, document-description
Examples: Case-insensitive wildcard matching is supported.
  List (any of the values): document:[adobe, microsoft, *confidencial]
  Wildcard: document:*soft

mutex (group keyword)
Includes: mutex-config, mutex-dynamic
Examples: The keyword is case-sensitive and doesn't accept wildcards.
  Exact: mutex:111c
  List (any of the values): mutex:[111c, 2124]

ipv4 (ip) (group keyword)
Includes: ipv4-static, ipv4-dynamic
Examples: Wildcard matching supported.
  Wildcard: ipv4:192.*
  List (any of the values): ipv4:[1.0.0.0,1.0.2.1]

ipv6 (group keyword)
Includes: ipv6-static (IPv6 address strings detected by ReversingLabs Dynamic Services)
Examples: If the address contains colons or brackets, enclose it in quotation marks. Wildcard matching supported.
  Wildcard: ipv6:c*
  Exact: ipv6:"2002::/16"
  List (any of the values): ipv6:["2001:db8*", "3731:54:"]

section (group keyword)
Includes: pe-section-name, elf-section-name, macho-section-name
Examples: Case-insensitive wildcard matching is supported.
  Wildcard: section:*data
  List (any of the values): section:[.ndata, bss]

segment (group keyword)
Includes: macho-segment, macho-segment-name, elf-segment-sha1
Examples: Case-insensitive wildcard matching is supported.
  Wildcard: segment:page*
  List (any of the values): segment:[pagezero, text]

software (group keyword)
Includes: software-package, software-description, software-author
Examples: The keyword does not accept wildcards.
  Exact: software:"James Newton-King"
  List (any of the values): software:[Microsoft, "This package consists of multiple activities that simplify the processes in Excel."]

upload-data (group keyword)
Includes: upload-source, upload-source-tag
Examples: upload-data:myapp, upload-data:myemail*

uri (group keyword)
Includes: uri-source, uri-static, uri-config, uri-dynamic
Examples: Case-insensitive wildcard matching is supported. (uri* keywords don't support IP addresses. For that, use ip* keywords.)
  Wildcard: uri:mozilla.org*
  List (any of the values): uri:[*.tor,*.onion,*.exit]

Single keywords

actor
DescriptionSearch for files by the organization name of the certificate issuer. Case-insensitive wildcard matching is supported.
ExamplesWildcard: cert-issuer-org:*authority
List (any of the values): cert-issuer-org:[verisign, microsoft]
android-app-name
DescriptionSearch for Android applications by their process name. Case-insensitive wildcard matching is supported.
ExamplesWildcard: android-app-name:*SkypeApplication*
List (any of the values): android-app-name:[MainApp, *alt.ywuajgf*]
android-features
DescriptionSearch for Android applications by their features. Case-insensitive wildcard matching is supported.
ExamplesWildcard: android-features:*hardware.camera*
List (any of the values): android-features:[camera, telephony]
android-import
DescriptionSearch for Android applications by one or more shared libraries that the applications are linked against. Case-insensitive wildcard matching is supported.
ExamplesWildcard: android-import:org.apache.http.legacy*
List (any of the values): android-import:[sec_fe?ture, *google*]
android-package
DescriptionSearch for Android applications by their package name. Case-insensitive wildcard matching is supported.
ExamplesWildcard: android-package:*com.picklieapps.player*
List (any of the values): android-package:[*ruckygames*, *skype.raider*]
android-permission
DescriptionSearch for Android applications by their permissions. Case-insensitive wildcard matching is supported.
ExamplesWildcard: android-permission:*WRITE_SETTINGS*
List (any of the values): android-permission:[*storage*, *disable_keyguard*]
appid-company-name (appid-author)
DescriptionSearch for applications and libraries by their publisher. Case-insensitive wildcard matching is supported.
ExamplesExact: appid-company-name:"Mozilla Foundation"
List (any of the values): appid-company-name:["Mozilla Foundation", "Microsoft Corporation"]
appid-description
DescriptionSearch for applications and libraries by their description. Case-insensitive wildcard matching is supported.
ExamplesWildcard: appid-description:"*Firefox Plugin Hang UI*"*
appid-product-name
DescriptionSearch for files with a matching product name. Case-insensitive wildcard matching is supported.
ExamplesExact: appid-product-name:"Mozilla Firefox Plugin Hang UI"
List (any of the values): appid-product-name:["Mozilla Firefox Plugin Hang UI", "Mozilla Firefox Helper"]
appid-product-type (appid-category)
DescriptionSearch for applications and libraries by their type. Case-insensitive wildcard matching is supported.
ExamplesExact: appid-product-type:browser
List (any of the values): appid-product-type:[browser, development]
attack-tactic
DescriptionSearch for files that use a specific Mitre ATT&CK tactic. The keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: attack-tactic:TA0007
List (any of the values): attack-tactic:[TA0007, TA0005]
attack-technique
DescriptionSearch for files that use a specific Mitre ATT&CK technique. The keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: attack-technique:T1222
List (any of the values): attack-technique:[T1222, T1112]
av-count (positives, p, antivirus)
DescriptionThe number of antivirus scanners that have detected a sample as malicious. Currently supports any integer from 0 to 46 (46 being the number of active AV scanners).
ExamplesExact: av-count:5
Range: positives:[10 TO 20]
Greater than 5: positives:[5 TO *]
List (any of the values): av-count:[5,3]
av-detection (engines)
DescriptionDetection string generated by the antivirus engines. Case-insensitive wildcard matching is supported.
ExamplesWildcard: av-detection:micro*
List (any of the values): av-detection:[W32.Duqu, *Vitro]
av-<name> (<name>)
DescriptionSearch for all samples or samples of specific malware detected by a selected antivirus vendor. Case-insensitive wildcard matching is supported.
ExamplesWildcard: av-[vendor]:*wannacry*
List (any of the values): [vendor]:[win32, emotet]
available (in, shareable)
DescriptionIndicates whether a sample is available for download from the cloud. The only supported values are true and false (case-insensitive).
Examplesavailable:TRUE
in: false
browser-package
DescriptionSearch for web browser extensions by their package name. Supported package formats: Chrome, Safari, Firefox. Case-insensitive wildcard matching is supported.
ExamplesWildcard: browser-package:*Click2Save*
List (any of the values): browser-package:[*priiceechOp*, *iCalc*]
cert-issuer-country
DescriptionSearch for files by the country code in the country name property field of the issuer of the certificate used to sign the file. Case-insensitive wildcard matching is supported.
ExamplesExact: cert-issuer-country: US
List (any of the values): cert-issuer-country:[Z?,G*]
cert-issuer-name
DescriptionSearch for files by the name of the certificate authority (CA). Case-insensitive wildcard matching is supported.
ExamplesExact: cert-issuer-name: COMODO
List (any of the values): cert-issuer-name:[microsoft,*VeriSign*]
cert-issuer-org
DescriptionSearch for files by the organization name of the certificate issuer. Case-insensitive wildcard matching is supported.
ExamplesWildcard: cert-issuer-org:*authority
List (any of the values): cert-issuer-org:[verisign, microsoft]
cert-issuer-unit
DescriptionSearch for files by the organizational unit name of the issuer unit of the certificate authority (CA). Case-insensitive wildcard matching is supported.
ExamplesWildcard: cert-issuer-unit:*root* List (any of the values): cert-issuer-unit:["trust network", *root*]
cert-serial
DescriptionSearch for a file by the serial number of the file certificate provided by the CA that issued the certificate. The keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: cert-serial:6101CF3E00000000000F
List (any of the values): cert-serial:[<value1>,<value2>]
cert-subject-country
DescriptionSearch for files by the country code in the country name property field of the subject to which the certificate has been issued. Case-insensitive wildcard matching is supported.
ExamplesExact: cert-subject-country:DE
List (any of the values): cert-subject-country:[US, B*]
cert-subject-name
DescriptionSearch for files by the name of the organization/system to which the certificate has been issued. Case-insensitive wildcard matching is supported.
ExamplesExact: cert-subject-name:Piriform
List (any of the values): cert-subject-name:[cinectic*, google]
cert-subject-org
DescriptionSearch for files by the organization name of the certificate authority organization (CA). Case-insensitive wildcard matching is supported.
ExamplesExact: cert-subject-org:apple
List (any of the values): cert-subject-org:[apple, Microsoft]
cert-subject-unit
DescriptionSearch for files by the organizational unit name inside the organization to which the certificate has been issued. Case-insensitive wildcard matching is supported.
ExamplesExact: cert-subject-unit:"Developer Relations"
List (any of the values):
cert-subject-unit:[Developer*, "Trust Network"]
cert-thumbprint
DescriptionSearch for files by their unique certificate thumbprint. A thumbprint of a file certificate is a hash value (SHA256). The keyword doesn't accept wildcards.
ExamplesExact: cert-thumbprint:277D42[...]2A17DD
List (any of the values): cert-thumbprint:[<value1>, <value2>]
classification (class)
DescriptionSearch for files by their Malware Presence status designation. Accepted values: malicious, known, suspicious, unknown (case-insensitive).
ExamplesExact: classification:malicious
List (any of the values): classification:[KNOWN, suspicious]
dex-class-name
DescriptionSearch for DEX files by the names of classes they contain. Case-insensitive wildcard matching is supported.
ExamplesWildcard: dex-class-name:android.content.DialogInterface.On*
List (any of the values): dex-class-name:[android.content.DialogInterface.On*, android.support.v4.*]
dex-method-name
DescriptionSearch for DEX files by method names their classes call to perform an action. Method names are indexed regardless of their visibility, meaning both public and private methods are searchable. Case-insensitive wildcard matching is supported.
ExamplesWildcard: dex-method-name:unregisterCallB*
List (any of the values): dex-method-name:[getLocation, invok*]
document-author
  Description: Search for files by the contents of their document author metadata property. Case-insensitive wildcard matching is supported.
  Examples:
    List (any of the values): document-author:[adobe, microsoft]
    Wildcard: document-author:*soft
document-description (doc-description)
  Description: Search for files by the document description field, as provided by the document author. Case-insensitive wildcard matching is supported.
  Examples:
    List (any of the values): document-description:["Carta personal", *confidencial]
    Wildcard: document-description:*Math*
document-pages (doc-pages)
  Description: Search for files by their number of pages. In case of spreadsheet documents, this number represents the number of sheets. The keyword accepts only integer values.
  Examples:
    Exact: document-pages:73
    Range: document-pages:[4 TO 20]
    More than 4: document-pages:[4 TO *]
document-subject
  Description: Search for files by the contents of their document subject metadata property. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: document-subject:*search
    List (any of the values): document-subject:[free, download]
document-title
  Description: Search for files by the contents of their document title metadata property. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: document-title:"Powered by"
    List (any of the values): document-title:[*free*, README]
document-version
  Description: Search for files by the contents of their document version metadata property. Wildcard matching is supported.
  Examples:
    Wildcard: document-version:1.1*
    List (any of the values): document-version:[1.7, 2.*]
domain
  Description: Search for files by any associated domain. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: domain:mozilla.org*
    List (any of the values): domain:[*.tor,google.com,*.exit]
dotnet-assembly
  Description: Search for .NET files by assemblies they reference. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: dotnet-assembly:*mscorlib*
    List (any of the values): dotnet-assembly:[*iJnJWYUQA*, "NanoCore Client"]
dotnet-method-name
  Description: Search for .NET files by method names their classes call to perform an action. Method names are indexed regardless of their visibility, meaning both public and private methods are searchable. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: dotnet-method-name:get_Url
    List (any of the values): dotnet-method-name:[?oadCompl*, *HoldEnd]
dotnet-module-id
  Description: Search for .NET files by IDs of modules they contain. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: dotnet-module-id:*20DEC3DA-523F*
    List (any of the values): dotnet-module-id:[*9249F5D0-1821*, *E133ACC7-60C9*]
dotnet-module-name
  Description: Search for .NET files by names of modules they contain. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: dotnet-module-name:*TeSt.exe*
    List (any of the values): dotnet-module-name:[Posh.exe, adobe.exe]
dotnet-pinvoke-function
  Description: Search for .NET files by pinvoke functions. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: dotnet-pinvoke-function:EncodePointer*
    List (any of the values): dotnet-pinvoke-function:["EncodePointer", "DecodePointer"]
dotnet-pinvoke-import
  Description: Search for .NET files by pinvoke imports. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: dotnet-pinvoke-import:kernel32.dll
    List (any of the values): dotnet-pinvoke-import:["kernel32.dll", "user32.dll"]
dotnet-resource
  Description: Search for .NET files by resources they contain. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: dotnet-resource:"Hidden Tear"
    List (any of the values): dotnet-resource:[*Orcus*, *Clientloaderform*]
dotnet-type-name
  Description: Search for .NET files by type names found in them. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: dotnet-type-name:Form1*
    List (any of the values): dotnet-type-name:[Form1*, NetscapeRevocationUrl]
elf-section-count
  Description: Search for ELF files by the number of sections they contain. The keyword accepts only integer values.
  Examples:
    Exact: elf-section-count:5
    Range: elf-section-count:[5 TO 15]
    More than 5: elf-section-count:[5 TO *]
elf-section-name
  Description: Search for ELF files by names of the sections they contain. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: elf-section-name:*data
    List (any of the values): elf-section-name:[.rodata, .ndata, .bss]
elf-segment-sha1 (elf-segment-hash)
  Description: Search for files by the SHA1 hash of their ELF segment. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: elf-segment-sha1:116e279b55b58e5b9619aac80a8e85bfa9c839fc
email-from
  Description: Search for files by the sender of an email associated with a file. Includes the "from", "reply-to" and "sender" fields. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: email-from:*@kiski.net
    List (any of the values): email-from:[*@domain.com, *@orbitz.com]
email-static (email)
  Description: Search for files by associated email address(es) detected by Spectra Core. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: email-static:*@Compartir.es
    List (any of the values): email-static:[*@gmail.com, *@hotmail.com]
email-subject
  Description: Search for files by the subject of an email associated with a file. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: email-subject:*HackTool
    List (any of the values): email-subject:[Invitation*, *Nova*]
email-to
  Description: Search for files by the receiver of an email associated with a file, as specified in the "to" field. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: email-to:*@netnook.com
    List (any of the values): email-to:[*@dekalb.net, *@rogers.com]
email-x-key
  Description: Search for files with non-standard header fields, called X-extensions. Security vendors use X-extensions to annotate emails that have been scanned using their product. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: email-x-key:*MDRemoteIP
    List (any of the values): email-x-key:[*Indiv, *Markup]
email-x-value
  Description: Search for files by values stored in non-standard (X-extension) header fields. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: email-x-value:?HAILAND
    List (any of the values): email-x-value:[Produced*, BHUTAN]
exif
  Description: Search for multimedia files by the contents of their EXIF metadata fields. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: exif:Picasa*
    List (any of the values): exif:["Paint.NET v3.5.8", Picasa*]
exploit
  Description: Search for samples that exploit a specific vulnerability, identified either by ReversingLabs or by antivirus scanners.
  Examples:
    Wildcard: exploit:cve-2024-*
    List (any of the values): exploit:["CVE-2014-0114", "CVE-2018-15982"]
filecount
  Description: Search for a file by the number of unpacked files it contains (if it's a container). Accepts any integer number. Note: this keyword currently returns only Local samples as results.
  Examples:
    Exact: filecount:25
    Range: filecount:[3 TO 10]
    More than 20: filecount:[20 TO *]
filename (name)
  Description: Search for a file by its full or partial file name, predicted file name (generated by Spectra Core for samples without a file name), or file extension. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: filename:notepad.exe
    List (any of the values): filename:[*.PDF, *.epub]
firstseen (fs)
  Description: Time when a file was first analyzed by Spectra Intelligence. The supported time format is a UTC timestamp.
  Examples:
    Exact: fs:2018-04-03T12:58:27Z
    Range (time period): firstseen:[2017-12-01T11:36:59Z TO 2018-03-06T11:36:59Z]
hashes
  Description: Allows mixing different types of hashes in one search query, without the need to explicitly name the hash type or to group hashes by type. All hash types (MD5, SHA1, SHA256) can be used with this keyword. The maximum length of a single query is 1024 characters. The keyword is case-sensitive and doesn't support wildcards.
  Examples:
    Exact: hashes:<sha1>
    List (any of the values): hashes:[<sha1>, <sha1>, <md5>, <sha256>, <md5>]
imphash
  Description: Hash based on library/API names and their specific order within the executable. Used to find similar PE files. The keyword doesn't support wildcards.
  Examples:
    Exact: imphash:f34d5f2d4577ed6d9ceec516c1f5a744
    List (any of the values): imphash:[<value1>, <value2>]
indicators
  Description: Search for files by their static analysis behaviors. The keyword is case-sensitive and doesn't accept wildcards. The full list of indicator IDs and their descriptions is referenced in the Indicators section below.
  Examples:
    Exact: indicators:"2150"
    List (any of the values): indicators:["2150", "2102"]
ios-app-name
  Description: Search for iOS applications by their name. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: ios-app-name:FruitNinja*
    List (any of the values): ios-app-name:[FruitNinja*, *facebook*]
ios-author
  Description: Search for iOS applications by their author name. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: ios-author:*halfbrick*
    List (any of the values): ios-author:[*halfbrick*, Apple*]
ios-package
  Description: Search for iOS applications by their package name. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: ios-package:*FruitNinja*
    List (any of the values): ios-package:[*FruitNinja*, *facebook*]
ipv4-dynamic
  Description: Search for files by IPv4 address strings detected by ReversingLabs Dynamic Services. Wildcard matching is supported.
  Examples:
    Wildcard: ipv4-dynamic:192.*
    List (any of the values): ipv4-dynamic:[1.0.0.0,1.0.2.1]
ipv4-static
  Description: Search for files by IPv4 address strings detected by Spectra Core analysis. Wildcard matching is supported.
  Examples:
    Wildcard: ipv4-static:192.*
    List (any of the values): ipv4-static:[1.0.0.0,1.0.2.1]
ipv6-static
  Description: Search for files by IPv6 address strings detected by Spectra Core analysis. If the address contains colons or brackets, enclose it in quotation marks. Wildcard matching is supported.
  Examples:
    Wildcard: ipv6-static:c*
    Exact: ipv6-static:"2002::/16"
    List (any of the values): ipv6-static:["2001:db8*", "3731:54:"]
lastanalysis (la)
  Description: Search for files by the date and time of their last AV scan. The supported time format is a UTC timestamp.
  Examples:
    Exact: lastanalysis:2018-05-17T11:27:19Z
    Range (time period): lastanalysis:[2018-05-17T11:27:19Z TO 2018-05-24T11:27:19Z]
lastseen (ls)
  Description: Time when a file was last analyzed by Spectra Intelligence. The supported time format is a UTC timestamp.
  Examples:
    Exact: ls:2018-04-03T12:58:27Z
    Range (time period): lastseen:[2017-12-01T11:36:59Z TO 2018-03-06T11:36:59Z]
macho-import
  Description: Search for MachO files by the names of imported libraries found in them. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: macho-import:*/usr/lib/*
    List (any of the values): macho-import:[/usr/lib/libgcc_s.1.dylib, /usr/lib/libSystem.B.dylib]
macho-section-count
  Description: Search for MachO files by the number of sections they contain. The keyword accepts only integer values.
  Examples:
    Exact: macho-section-count:10
    Range: macho-section-count:[5 TO 15]
    More than 5: macho-section-count:[5 TO *]
macho-section-name
  Description: Search for MachO files by the names of the sections they contain. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: macho-section-name:data
    List (any of the values): macho-section-name:[bss, common, data]
macho-segment (macho-segment-name)
  Description: Search for MachO files by their segment names. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: macho-segment:pagezero
    List (any of the values): macho-segment:[linkedit, pagezero, text]
macho-segment-count
  Description: Search for MachO files by the number of segments they contain. The keyword accepts only integer values.
  Examples:
    Exact: macho-segment-count:30
    Range: macho-segment-count:[2 TO 8]
    More than: macho-segment-count:[11 TO *]
macho-segment-sha1 (macho-segment-hash)
  Description: Search for files by the SHA1 hash of their MachO segment. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: macho-segment-sha1:116e279b55b58e5b9619aac80a8e85bfa9c839fc
macho-symbol
  Description: Search for MachO files by their symbol names. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: macho-symbol:f*
    List (any of the values): macho-symbol:[exit, malloc, umask]
md5
  Description: String of hexadecimal digits representing the MD5 hash of the file sample. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: md5:76baa04885ec40af25294a51d8e7c006
    List (any of the values): md5:[<value1>, <value2>]
mutex-config
  Description: Search for files by their malware configuration mutexes detected by Spectra Core. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: mutex-config:")!VoqA.I4"
    Exact: mutex-config:"--((Mutex))--"
    List (any of the values): mutex-config:[111c, 2124]
mutex-dynamic
  Description: Search for files by malware configuration mutexes detected by ReversingLabs Dynamic Services. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Wildcard: mutex-dynamic:111c*
    List (any of the values): mutex-dynamic:[111c, 2124]
pdb-path (pdb)
  Description: Search for files associated with specific PDB (program database) paths. Used to find files with the same PDB path created during file sample compilation. If the path contains restricted characters, enclose it in quotation marks.
  Examples:
    Exact: pdb:"D:DevTin7InstallDir"
    List (any of the values): pdb:["C:\Windows", "c:\Program Files\Perforce"]
pe-company-name
  Description: Search for PE files by the contents of their company name field in the version information metadata. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: pe-company-name:*enix
    List (any of the values): pe-company-name:[microsoft, ADOBE]
pe-copyright
  Description: Search for PE files by the contents of their legal copyright field in version information metadata. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: pe-copyright:Copyright*
    List (any of the values): pe-copyright:[*Corporation, regsvr32]
pe-description
  Description: Search for PE files by the contents of their file description field in version information metadata. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: pe-description:*proged
    List (any of the values): pe-description:[DisplaySwitch, WizardFramework]
pe-export (exports)
  Description: Search for PE files by exported symbol names. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: pe-export:MS*
    List (any of the values): exports:[GetMemoSize, DeleteFile]
pe-function
  Description: Search for PE files by the name of the function that the PE file imports. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: pe-function:RegEnum*
    List (any of the values): pe-function:[RegEnumKeyW, GetUserNameA]
pe-import (imports)
  Description: Search for PE files by the name of the dynamic link library that the PE file imports. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: pe-import:URLMON.DLL
    List (any of the values): imports:[win*, url*]
pe-language
  Description: Find PE files by languages mentioned in the PE file resources. Case-insensitive wildcard matching is supported. See the Supported Languages for PE and Document Formats list below.
  Examples:
    Exact: pe-language:russian
    List (any of the values): pe-language:[eng*, Russian]
pe-original-name
  Description: Search for PE files by the contents of their file description field in version information metadata, and any other fields using the original name of the file. The keyword can be used to investigate how the file was named during compilation. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: pe-original-name:crack*
    List (any of the values): pe-original-name:[*install.exe, "sample doc.exe"]
pe-overlay-sha1 (pe-overlay-hash)
  Description: Find PE files by the SHA1 hash calculated for their overlay part. Overlay hashes are calculated by Spectra Core to better represent the true boundary of the file region. Users should use hash values calculated by ReversingLabs products with this keyword. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: pe-overlay-sha1:4b4a2436b827d42b204b1f112b45d7a6d1b7ca52
    List (any of the values): pe-overlay-sha1:[<value1>, <value2>, <value3>]
pe-product-name
  Description: Search for PE files by the contents of their product name field in version information metadata. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: pe-product-name:*shop
    List (any of the values): pe-product-name:[Firefox, "Microsoft Word"]
pe-resource
  Description: Search for PE files by name or type of resources they contain. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: pe-resource:Properties
    List (any of the values): pe-resource:[Tcpview, Aboutbox]
pe-resource-sha1 (pe-resource-hash)
  Description: Find PE files by the SHA1 hash calculated for their resources part. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: pe-resource-sha1:4260284ce14278c397aaf6f389c1609b0ab0ce51
    List (any of the values): pe-resource-sha1:[<value1>, <value2>]
pe-section-count
  Description: Search for PE files by the number of sections they contain. The keyword accepts only integer values.
  Examples:
    Exact: pe-section-count:15
    Range: pe-section-count:[2 TO 10]
    More than: pe-section-count:[5 TO *]
pe-section-name
  Description: Search for PE files by names of the sections they contain. The maximum section name length is 8 characters. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: pe-section-name:*rdata
    List (any of the values): pe-section-name:[.Rdata, .Ndata, *rsrc]
pe-section-sha1 (pe-section-hash)
  Description: Find PE files by the SHA1 hash calculated for their section part. Section hashes are calculated by Spectra Core to better represent the true boundary of the file region. Users should use hash values calculated by ReversingLabs products with this keyword. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: pe-section-sha1:7640a007e39b487bf1dbbde6487724faa131f6a8
    List (any of the values): pe-section-sha1:[<value1>, <value2>, <value3>]
pe-timestamp (pets)
  Description: Search for a PE file by the date when it was compiled. The supported time format is a UTC timestamp.
  Examples:
    Exact: pets:2017-06-26T00:00:00Z
    Range (newer than): pets:[2018-03-06T10:57:29Z TO *]
sampletype (filetype, type, format)
  Description: Search for files by type as detected by Spectra Core. Case-insensitive wildcard matching is supported. See Appendix B - Supported Sample Types.
  Examples:
    Exact: sampletype:Image/None
    List (any of the values): type:[elf*,macho*]
sha1
  Description: String of hexadecimal digits representing the SHA-1 hash of the file. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: sha1:f1a62a7092e49577206b7361bf1a7ff0776bb6a4
    List (any of the values): sha1:[<value1>, <value2>]
sha256
  Description: String of hexadecimal digits representing the SHA-256 hash of the file sample. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: sha256:f35a3(...)1d2d5
    List (any of the values): sha256:[<value1>, <value2>]
signer-valid-from (cert-valid-from)
  Description: Search for files that have been signed by certificates valid from a specific time.
  Examples:
    Range (newer than): signer-valid-from:[2018-03-06T10:57:29Z TO *]
signer-valid-to (cert-valid-to)
  Description: Search for files that have been signed by certificates valid to a specific time.
  Examples:
    Range (newer than): signer-valid-to:[2018-03-06T10:57:29Z TO *]
similar-to
  Description: Search for files that are functionally similar to the requested file hash. Functionally similar files are defined by RHA (ReversingLabs Hashing Algorithm), which identifies code similarity between unknown samples and previously seen malware samples. All hash types (MD5, SHA1, SHA256) can be used with this keyword. Only one similar-to keyword can be used in a single query. The keyword is case-sensitive and doesn't support wildcards.
  Examples:
    Exact: similar-to:<sha1>
size
  Description: Search for files by size (in bytes). Accepts integers up to 2147483647.
  Examples:
    Exact: size:30000
    Range: size:[1000 TO 50000]
    Greater than: size:[500000 TO *]
software-author
  Description: Search for software packages by their author/publisher.
  Examples:
    Exact: software-author:"James Newton-King"
    List (any of the values): software-author:["Amazon Web Services", Microsoft]
software-description
  Description: Search for software packages by their description.
  Examples:
    Exact: software-description:"This package consists of multiple activities that simplify the processes in Excel."
software-package
  Description: Search for specific software packages. The keyword is case-sensitive and doesn't accept wildcards.
  Examples:
    Exact: software-package:tidal
    List (any of the values): software-package:[tidal, "AWSSDK.WorkLink"]
submissions
  Description: Search for files by the number of times they have been submitted for analysis. The keyword accepts only integer values.
  Examples:
    Exact: submissions:3
    Greater than: submissions:[3 TO *]
    Less than: submissions:[* TO 4]
tag
  Description: Search for files by metadata tags generated by Spectra Core. Tags identify interesting properties of a sample, such as being packed, password-protected, or digitally signed. See the Supported Tags list below.
  Examples:
    Exact: tag:packed
    List (any of the values): tag:[capability-execution, cert, crypto]
tag-yara
  Description: YARA supports adding custom tags to rules. Files that match those rules get automatically tagged after analysis. This keyword looks for files tagged by YARA rules, including those that were classified by YARA tags ("malicious" and "suspicious"). Case-insensitive wildcard matching is supported. Note that changes to YARA tags are not immediately reflected in search results. For example, if a tag is removed from a YARA rule, it will still return search results until files that match the rule are reanalyzed with Spectra Core.
  Examples:
    Exact: tag-yara:malicious
    List (any of the values): tag-yara:[malicious, suspicious]
taggant-name
  Description: Search for PE files by the name of the packer that was used to pack them. Taggant is a technology that guarantees the packed file came from a reliable source. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: taggant-name:themida
    List (any of the values): taggant-name:[enigma*, vmprotect*]
taggant-valid-from
  Description: Search for files by the time they were signed using a taggant.
  Examples:
    Range (newer than): taggant-valid-from:[2018-03-06T10:57:29Z TO *]
taggant-valid-to
  Description: Search for files by the expiry time provided by the taggant.
  Examples:
    Range (newer than): taggant-valid-to:[2018-03-06T10:57:29Z TO *]
third-party-library
  Description: Search for PE files by the name(s) of third-party libraries they contain. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: third-party-library:Microsoft.WindowsAPICodePack-Core
    List (any of the values): third-party-library:[*oak-json*, Microsoft.Web.WebJobs*]
third-party-publisher
  Description: Search for PE files by publishers of the third-party libraries found in the files. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: third-party-publisher:Microsoft*
    List (any of the values): third-party-publisher:[Microsoft*, "Xamarin Inc."]
threatlevel
  Description: Search for files by the ReversingLabs scale of threat severity. A higher number indicates higher severity. Accepted values are 0-5.
  Examples:
    Exact: threatlevel:3
    Greater than: threatlevel:[2 TO *]
    Range: threatlevel:[0 TO 3]
    List (any of the values): threatlevel:[2, 3]
threatname
  Description: Search for files by malware threat name according to the ReversingLabs malware naming standard. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: threatname:Win32.PUA.Casonline
    List (any of the values): threatname:["WIN32.PUA.casino eldorado", *crytex]
trustfactor
  Description: Search for files by the ReversingLabs trust factor. The trust factor indicates the trustworthiness of files; a lower number means higher trust. Accepted values are 0-5.
  Examples:
    Exact: trustfactor:1
    List (any of the values): trustfactor:[4, 5]
    Range: trustfactor:[1 TO 3]
    Greater than: trustfactor:[3 TO *]
upload-source
  Description: Search for samples that were uploaded with a specific source parameter. Possible sources: s3, fileshare, azure-data-lake, smtp, abusebox, icap-proxy, falcon, api, rlsdk
  Examples:
    upload-source:api
    upload-source:s3
upload-source-tag
  Description: Search for samples uploaded with a specific user-defined source tag.
  Examples:
    upload-source-tag:myapp
    upload-source-tag:myemail*
uri-config (c2)
  Description: Search for files by the malware configuration C&C (Command & Control) URIs extracted by Spectra Core. C&C infrastructure is used to control malware, particularly botnets. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: c2:*dns*
    List (any of the values): uri-config:[dydns.org, hldns.ru]
uri-dynamic
  Description: Search for files by URI strings (URLs, domains) detected by ReversingLabs Dynamic Services. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: uri-dynamic:mozilla.org*
    List (any of the values): uri-dynamic:[*.tor,*.onion,*.exit]
uri-source (itw)
  Description: Search for files by the URI source from which they were downloaded. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: uri-source:*warez*
    List (any of the values): itw:[softonic.com, *cnet.com]
uri-static
  Description: Search for files by URI strings (URLs, domains) detected by Spectra Core. Case-insensitive wildcard matching is supported.
  Examples:
    Wildcard: uri-static:mozilla.org*
    List (any of the values): uri-static:[*.tor,*.onion,*.exit]
vertical
  Description: Search for files by the type of vertical feed in which they were found. Case-insensitive wildcard matching is supported.
  Examples:
    Exact: vertical:ransomware
    List (any of the values): vertical:[ransomware,apt,financial]
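The keyword reference above states a handful of syntax rules that are easy to get wrong when queries are generated by a script (a hunting playbook, a SOAR action, a report exporter) rather than typed by hand: integer-only keywords, case-sensitive hash keywords that reject wildcards, UTC timestamps, `[low TO high]` ranges with `*` as an open end, quoting of values that contain spaces, colons or brackets, the 1024-character limit on a `hashes` query, and at most one `similar-to` per query. The following Python is an added example, not ReversingLabs code and not part of this reference; it builds individual terms and lints a whole query against exactly those rules. The keyword tables inside it are an assumption drawn from the descriptions above (they are not exhaustive), and joining terms with `AND` is an assumption too, since this section does not spell out the boolean operator syntax.

```python
"""Builder and linter for Spectra Analyze Advanced Search query terms.

Added example, not ReversingLabs code. It encodes only rules the keyword
reference states. The keyword tables are an assumption built from those
descriptions and are not exhaustive.
"""
import re

INTEGER_KEYWORDS = {
    "document-pages", "elf-section-count", "filecount", "macho-section-count",
    "macho-segment-count", "pe-section-count", "size", "submissions",
    "threatlevel", "trustfactor",
}
INTEGER_BOUNDS = {"threatlevel": (0, 5), "trustfactor": (0, 5), "size": (0, 2147483647)}
# Hash keywords and the hex digest lengths they accept (32=MD5, 40=SHA1, 64=SHA256).
HASH_KEYWORDS = {
    "md5": {32}, "imphash": {32}, "sha1": {40}, "sha256": {64},
    "elf-segment-sha1": {40}, "macho-segment-sha1": {40}, "pe-overlay-sha1": {40},
    "pe-resource-sha1": {40}, "pe-section-sha1": {40},
    "hashes": {32, 40, 64}, "similar-to": {32, 40, 64},
}
TIME_KEYWORDS = {
    "firstseen", "lastseen", "lastanalysis", "pe-timestamp", "signer-valid-from",
    "signer-valid-to", "taggant-valid-from", "taggant-valid-to",
}
ALIASES = {"fs": "firstseen", "ls": "lastseen", "la": "lastanalysis", "pets": "pe-timestamp"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
RESTRICTED_CHARS = ' :[]"'  # values containing these are quoted, as the page instructs


class QueryError(ValueError):
    """A value breaks a rule stated in the keyword reference."""


def _render_value(keyword, value, in_range=False):
    """Validate one value for a keyword and return it as query text."""
    kw = ALIASES.get(keyword, keyword)
    if in_range and value is None:
        return "*"  # open end of a range, as in [4 TO *]
    if kw in INTEGER_KEYWORDS:
        if isinstance(value, bool) or not isinstance(value, int):
            raise QueryError(f"{keyword} accepts only integer values, got {value!r}")
        low, high = INTEGER_BOUNDS.get(kw, (0, None))
        if value < low or (high is not None and value > high):
            raise QueryError(f"{keyword} must be within {low}..{high}, got {value}")
        return str(value)
    text = str(value)
    if kw in HASH_KEYWORDS:  # case-sensitive, no wildcards: hex digits only
        if not HEX_RE.match(text) or len(text) not in HASH_KEYWORDS[kw]:
            raise QueryError(f"{keyword} needs a hex digest of length "
                             f"{sorted(HASH_KEYWORDS[kw])}, got {text!r}")
        return text
    if kw in TIME_KEYWORDS:
        if not TIMESTAMP_RE.match(text):
            raise QueryError(f"{keyword} needs a UTC timestamp such as 2018-04-03T12:58:27Z")
        return text
    if in_range:
        raise QueryError(f"{keyword} is not an integer or time keyword; ranges do not apply")
    if any(ch in text for ch in RESTRICTED_CHARS):
        return '"' + text.replace('"', '\\"') + '"'
    return text


def term(keyword, value):
    """Render keyword:value, or keyword:[v1, v2] (match any of the values) for a list."""
    if isinstance(value, (list, tuple)):
        if not value:
            raise QueryError(f"{keyword}: empty value list")
        return f"{keyword}:[{', '.join(_render_value(keyword, v) for v in value)}]"
    return f"{keyword}:{_render_value(keyword, value)}"


def range_term(keyword, low=None, high=None):
    """Render keyword:[low TO high]; a None bound becomes the open end *."""
    if low is None and high is None:
        raise QueryError(f"{keyword}: a range needs at least one bound")
    return (f"{keyword}:[{_render_value(keyword, low, True)} TO "
            f"{_render_value(keyword, high, True)}]")


def lint_query(terms):
    """Apply the whole-query rules and join the terms with AND (assumption:
    the operator syntax is not given in this section of the reference)."""
    if sum(t.startswith("similar-to:") for t in terms) > 1:
        raise QueryError("only one similar-to keyword is allowed in a single query")
    for t in terms:
        if t.startswith("hashes:") and len(t) > 1024:
            raise QueryError("a hashes query is limited to 1024 characters")
    return " AND ".join(terms)


if __name__ == "__main__":
    print(lint_query([
        term("threatlevel", [4, 5]),
        range_term("firstseen", "2024-01-01T00:00:00Z"),  # constructed timestamp
        term("pe-section-name", [".Rdata", "*rsrc"]),
        term("ipv6-static", "2002::/16"),  # quoted automatically because of the colons
    ]))
```

The main block renders the page's own `ipv6-static:"2002::/16"` form and an open-ended `firstseen` range; a `threatlevel` of 7, a wildcard in an `md5` value, or a string passed to `size` each raise `QueryError` before anything reaches the appliance, which is the point of linting generated queries locally instead of discovering the mistake as an empty result set.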

Supported File Types and Subtypes

Supported Tags

See the complete list of supported tags.

Indicators

See the complete list of Spectra Core Indicators.

Supported Languages for PE and Document Formats

afrikaans, albanian, arabic algeria, arabic bahrain, arabic egypt, arabic iraq, arabic jordan, arabic kuwait, arabic lebanon, arabic libya, arabic morocco, arabic oman, arabic qatar, arabic saudi arabia, arabic syria, arabic tunisia, arabic uae, arabic yemen, arabic, armenian, assamese, azeri cyrillic, azeri latin, azeri, basque, belarusian, bengali, breton, bulgarian, catalan,
chinese hongkong, chinese macau, chinese simplified, chinese singapore, chinese traditional, chinese, cornish, croatian, croatian, czech, danish, default, divehi, dutch belgian, dutch surinam, dutch, dutch, english aus, english belize, english can, english caribbean, english eire, english jamaica, english nz, english philippines, english south africa, english trinidad, english uk, english us, english zimbabwe, english,
esperanto, estonian, faeroese, farsi, finnish, french belgian, french canadian, french luxembourg, french monaco, french swiss, french, french, gaelic manx, gaelic scottish, gaelic, gaelic, galician, georgian, german austrian, german liechtenstein, german luxembourg, german swiss, german, german, greek, gujarati, hebrew, hindi, hungarian, icelandic, indonesian, invariant, italian swiss, italian, italian, japanese,
kannada, kashmiri india, kashmiri sasia, kashmiri, kazak, konkani, korean, korean, kyrgyz, latvian, lithuanian classic, lithuanian, lithuanian, macedonian, malay brunei darussalam, malay malaysia, malay, malayalam, maltese, manipuri, maori, marathi, mongolian, nepali india, nepali, neutral, norwegian bokmal, norwegian nynorsk, norwegian, oriya,
polish, portuguese brazilian, portuguese, portuguese, punjabi, rhaeto_romance, romanian moldavia, romanian, romanian, russian moldavia, russian, russian, saami, sanskrit, serbian cyrillic, serbian latin, serbian, sindhi, slovak, slovenian, sorbian,
spanish argentina, spanish bolivia, spanish chile, spanish colombia, spanish costa rica, spanish dominican republic, spanish ecuador, spanish el salvador, spanish guatemala, spanish honduras, spanish mexican, spanish modern, spanish nicaragua, spanish panama, spanish paraguay, spanish peru, spanish puerto rico, spanish uruguay, spanish venezuela, spanish, spanish,
sutu, swahili, swedish finland, swedish, swedish, syriac, sys default, tamil, tatar, telugu, thai, tsonga, tswana, turkish, ukrainian, urdu india, urdu pakistan, urdu, uzbek cyrillic, uzbek latin, uzbek, venda, vietnamese, walon, welsh, xhosa, zulu