Malware hunting
The Malware Hunting APIs enable threat researchers to search for samples, find similar files, create custom detection rules, and track malware families across the Spectra Intelligence repository.
Common Use Cases
Search for samples
- Advanced search (TCA-0320) - Build complex queries using keywords and operators to filter samples by classification, file type, threat name, and more.
- Indicators of Compromise (TCA-0330) - Retrieve structured IoC data for samples and URLs with filtering by classification, malware family, threat actor, and vertical.
Find similar files
- Functionally similar files (TCA-0301) - Find files with similar code structure using ReversingLabs Hashing Algorithm (RHA1).
- Functionally similar files (analytics) (TCA-0321) - Get statistics on how many malicious, suspicious, and known files are functionally similar to a sample.
- Imphash similarity (TCA-0302) - Find Windows PE files sharing the same import hash.
Create custom detection rules
- YARA hunting (TCA-0303) - Upload YARA rules to match against new samples entering the system.
- YARA retro hunting (TCA-0319) - Run YARA rules against the last 90 days of stored samples.
Track malware families
These APIs provide statistics and search capabilities for the Targeted and industry-specific file indicator feeds (TCF-0401-0406).
- Vertical feeds statistics (TCA-0307-0311, 0317) - Get weekly statistics on malware families by industry category.
- Vertical feeds search (TCA-0312-0316, 0318) - Search for new malware hashes by family name within industry-specific feeds.
All Malware Hunting APIs
Advanced search (TCA-0320)
The Advanced Search enables users to filter samples by search criteria submitted in a POST request. A wide range of search keywords is available, and they can be combined using search operators to build advanced queries.
YARA hunting (TCA-0303)
The ReversingLabs YARA Hunting service enables users to create custom YARA rules containing textual or binary patterns, and upload them to the service to obtain matches using the APIs described in this document. When a sample matches the pattern found in a YARA rule, it receives the classification defined by that rule.
YARA retro hunting (TCA-0319)
The ReversingLabs YARA Retro Hunting service enables users to run their own YARA rules and retroactively match them against files from the ReversingLabs sample set. The YARA Retro Hunting sample set is based on the last 90 days of stored samples, excluding samples larger than 200 MB and archives. Samples extracted from archives are not excluded.
Functionally similar files (TCA-0301)
The RHA (ReversingLabs Hashing Algorithm) identifies code similarity between unknown samples and previously seen malware samples. Files have the same RHA1 hash when they are functionally similar.
Functionally similar files (analytics) (TCA-0321)
The ReversingLabs Hashing Algorithm (RHA) identifies code similarity between unknown samples and previously seen malware samples. Files have the same RHA1 hash when they are functionally similar.
Imphash similarity (TCA-0302)
Imphash Index provides a list of all available SHA1 hashes for files sharing the same import hash (imphash). An imphash is a hash calculated from a string that contains the libraries imported by a Windows Portable Executable (PE) file.
Vertical feeds statistics (TCA-0307-0311, 0317)
ReversingLabs Malware Detection Family Feed V2 provides information about new malware samples detected in the Spectra Intelligence system, filtered by category (industry). Categories and API codes correspond to ReversingLabs Targeted and Industry-Specific File Indicator Feeds (e.g., Financial, Retail, Exploits...).
Vertical feeds search (TCA-0312-0316, 0318)
This service can be used to retrieve information about new malware samples from ReversingLabs Targeted and Industry-Specific File Indicator Feeds by searching for malware family names.
Indicators of Compromise (TCA-0330)
The ReversingLabs Indicators of Compromise (IoC) service delivers access to large volumes of structured threat intelligence data for samples and URLs. It supports both detailed data retrieval and summary statistics, with filtering by type (sample or URL), time format (timestamp or UTC), classification, threat level, malware family, malware type, threat actor, sample type, platform, and vertical. The results are returned in JSON format and can be limited and paginated.