Functionally similar files (TCA-0301)
The RHA (ReversingLabs Hashing Algorithm) identifies code similarity between unknown samples and previously seen malware samples. Files have the same RHA1 hash when they are functionally similar.
This API provides a list of SHA1 hashes of files that are functionally similar to the provided file (SHA1 hash) at the selected precision level (grouped by their RHA1 hash).
Precision level represents the degree to which a file is functionally similar to another file. The following precision levels are supported - 25% and 50% for PE and 25% for MachO and ELF executable files. A higher precision level will match fewer files, but the files will have more functional similarity.
The 'extended' option provides SHA1 hashes and related sample reputation information in the response, along with some other properties such as sample size, sample type and download availability.
By using this API, the user can easily get a list of all functionally similar files for the provided file (SHA1 hash) found in the Spectra Intelligence cloud, along with their reputation information.
The user can also filter out results by sample's classification. For example, only malicious files functionally similar to the provided one.
General Info about Requests/Responses
- This query returns a list containing all the SHA1 hashes for the requested SHA1 and precision level (grouped by the RHA1 hash)
- All requests support the format query field, which supports two options: xml and json
- The default response format is XML
Group By RHA1 Single Query
This query returns a list containing all SHA1 hashes of functionally similar samples for the requested SHA1 sample hash and RHA1 precision level.
If the extended option is selected, each SHA1 hash in the list will be expanded with additional metadata:
- reputation information - classification, threat level, trust factor, malware family name, threat name, malware type, targeted platform and subplatform;
- SHA1, MD5, and SHA256 hashes;
- sample size, sample type, download availability, first and last seen dates (UTC);
Request
GET /api/group_by_rha1/v1/query/{rha1_type}/{hash_value}[/{next_page_sha1}]?[format=xml|json]&[limit={1-1000}]&[extended=true|false]&[classification=KNOWN|MALICIOUS|SUSPICIOUS|UNKNOWN]
Path parameters:
rha1_type
- A measure of RHA1 precision level. It represents the degree to which a file is functionally similar to another file. A higher precision level will match fewer files, but the files will have more functional similarity: pe01, elf01, machO01 - 25% precision level; pe02 - 50% precision level
- Required
hash_value
- Must be a valid SHA1 file hash
- Required
next_page_sha1
- An optional parameter used for pagination. It is the SHA1 hash of the first sample on the next page.
- Optional
Query parameters:
format
- Specifies the response format, with possible values being xml (default) and json
- Optional
limit
- The maximum number of sample SHA1 hashes to return. This value has to be an integer in the range from 1 and 1000 (1000 is the default value)
- Optional
extended
- An optional parameter. Supported values are true - extended, and false - non-extended data set (default)
- Optional
classification
- If this parameter is provided in the request, the query will return a filtered list of samples that match the requested classification. Supported values are: KNOWN, SUSPICIOUS, MALICIOUS, UNKNOWN
- Optional
Response
- The query will return a list of
limit
samples. If thelimit
parameter is not provided in the request, 1000 records will be returned by default. - Fields in the response depend on the selected data set. If the
extended
parameter is not set to true, only the list of sample SHA1 hashes will be returned. - If the requested hash doesn't exist in the database records, the server will respond with the status response code 404 and the message "Requested data was not found"
{
"rl": {
"group_by_rha1": {
"query_sha1": "string",
"rha1_type": "string",
"sha1_list": []
}
}
}
query_sha1
- Requested SHA1
rha1_type
- Requested RHA1 type
next_page_sha1
- First SHA1 on the next page. This hash value can be used as the next_page parameter in the next request to retrieve the next page of results
sha1_list
- A list of hashes of functionally similar files
rl.group_by_rha1.sha1_list[]
{
"sha1": "string",
"sha256": "string",
"md5": "string",
"classification": "string",
"sample_type": "string",
"sample_size": 0,
"sample_available": 0,
"trust_factor": 0,
"threat_level": 0,
"first_seen": 0,
"last_seen": 0
}
sha1
- SHA1
sha256
- SHA256
md5
- MD5
first_seen
(optional)- time when the sample was first seen in the ReversingLabs system (UTC)
last_seen
(optional)- time when the sample was last seen in the ReversingLabs system (UTC)
sample_type
- sample type
sample_size
- sample size
sample_available
- sample download availability status
classification
- sample's classification
platform
(optional)- platform targeted by the malware
subplatform
(optional)- subplatform targeted by the malware
threat_name
(optional)- threat name for malicious samples
malware_type
(optional)- malware type for malicious samples
malware_family
(optional)- malware family for malicious samples
threat_level
(optional)- threat level of the sample
trust_factor
(optional)- trust factor of the sample
Examples
Format query field
These examples request different response formats:
/api/group_by_rha1/v1/query/pe01/1b85cbfa30e181c505ba15211db33247c1f8a63f?format=json
/api/group_by_rha1/v1/query/pe01/1b85cbfa30e181c505ba15211db33247c1f8a63f?format=xml
Extended optional parameter used
These examples use different extended parameters:
/api/group_by_rha1/v1/query/pe01/1b85cbfa30e181c505ba15211db33247c1f8a63f?extended=true
/api/group_by_rha1/v1/query/pe01/1b85cbfa30e181c505ba15211db33247c1f8a63f?extended=false
Limit query field
These examples use different query response limits:
/api/group_by_rha1/v1/query/pe01/1b85cbfa30e181c505ba15211db33247c1f8a63f?limit=1
/api/group_by_rha1/v1/query/pe01/1b85cbfa30e181c505ba15211db33247c1f8a63f?limit=100
Different precision levels (RHA1 type)
These examples request different rha1_type precision levels:
/api/group_by_rha1/v1/query/pe01/1b85cbfa30e181c505ba15211db33247c1f8a63f
/api/group_by_rha1/v1/query/pe02/1b85cbfa30e181c505ba15211db33247c1f8a63f
/api/group_by_rha1/v1/query/elf01/8983043176164b960e10b34307f52e88db894b71
/api/group_by_rha1/v1/query/macho01/f1c2712a3881ca795b5eadf65077788198522362
next_page_sha1 query field
These examples use the next page parameter:
/api/group_by_rha1/v1/query/pe01/1b85cbfa30e181c505ba15211db33247c1f8a63f/cd3710af6638b99666a19b4f098b8788723397ab
/api/group_by_rha1/v1/query/pe02/1b85cbfa30e181c505ba15211db33247c1f8a63f/cd3710af6638b99666a19b4f098b8788723397ab