Imphash similarity (TCA-0302)
Imphash Index provides a list of all available SHA1 hashes for files sharing the same import hash (imphash). An imphash is a hash calculated from a string which contains the libraries imported by a Windows Portable Executable (PE) file.
General Info about Requests/Responses
- All requests support the format query field which supports two options: xml or json
- The default response format is xml
ImpHash Index Single Query
This query returns a response containing SHA1 hashes for the requested imphash value. The response can contain a maximum of 1000 records per page. If more than 1000 records match the requested criteria, the next page of records can be retrieved by providing the SHA1 hash returned in the next_page_sha1 response field as the next_page_sha1 parameter of the next request.
Request
GET /api/imphash_index/v1/query/{hash_value}[/start_sha1/{next_page_sha1}][?format=xml|json]
Path parameters:
hash_value- Must be a valid ImpHash hash
- Required
next_page_sha1- Optional parameter used for pagination. It is the SHA1 hash of the first sample on the next page.
- Optional
Query parameters:
format- Specifies the response format. Supported values: xml (default), json
- Optional
Response
Response code 404 is returned with data: requested data was not found when the hash is not found in the database records.
{
"rl": {
"imphash_index": {
"next_page_sha1": "string",
"query_imphash": "string",
"sha1_list": [
"string"
]
}
}
}
rl.imphash_index
query_imphash- Imphash value from the query
next_page_sha1- First SHA1 on the next page
sha1_list- List of sha1 hashes grouped by rha1 for given imphash
Examples
Format query field
Here the format for query response is varying:
/api/imphash_index/v1/query/0931e97555ac33eb10aa9539fe890070?format=json
/api/imphash_index/v1/query/0931e97555ac33eb10aa9539fe890070?format=xml
next_page_sha1 query field
/api/imphash_index/v1/query/0931e97555ac33eb10aa9539fe890070/start_sha1/dccc8cd495be5729742d0a7b75188d2b0f33429a