Malware family detection (TCA-0305)

The Malware Family Detection API takes a file hash and returns all malware families to which that sample belongs, based on the detections from the latest AV scan.

General Info about Requests/Responses

  • All requests accept the format query parameter, which supports two values: xml or json.
  • The default response format is JSON (for a bulk query, the default is the same as the post format).
  • All bulk query endpoints accept the POST payload in XML or JSON.
  • A bulk request must not contain more than 100 hashes.

Malware Family Detection Single Query

Request

GET /api/malware/family/detection/v1/query/{hash_type}/{hash_value}[?format=xml|json]

Path parameters:

  • hash_type accepts these options: md5, sha1, sha256
  • hash_value must be a valid hash defined by the hash_type parameter

Query parameters:

  • format specifies the desired response format: xml or json (default).

If the hash is not found, the single query returns HTTP response 404.

Response

{
  "rl": {
    "sample": {
      "sha1": "string",
      "family": {
        "entries": [
          "string"
        ]
      }
    }
  }
}
  • sha1
    • The SHA1 hash of the sample.
  • family
    • The malware families the sample belongs to. Can contain several entries.

Malware Family Detection Bulk Query

This query retrieves the same data as single query does, but for multiple hashes.

Request

POST /api/malware/family/detection/v1/bulk_query/{post_format}[?format=xml|json]

Path parameters:

  • post_format defines the format of the POST payload and accepts the following options: xml or json.

Query parameters:

  • format defines the desired response format (xml or json). If not specified, the response uses the same format as post_format.

Request body:

{
  "rl": {
    "query": {
      "hash_type": "string",
      "hashes": [
        "string"
      ]
    }
  }
}

Response

{
  "rl": {
    "entries": [
      {
        "sample": {
          "sha1": "string",
          "family": {
            "entries": [
              "string"
            ]
          }
        }
      }
    ],
    "invalid_hashes": [
      "string"
    ],
    "unknown_hashes": [
      "string"
    ]
  }
}
  • sha1
    • The SHA1 hash of the sample.
  • family
    • The malware families the sample belongs to. Can contain several entries.
  • invalid_hashes
    • List of malformed hashes from the request.
  • unknown_hashes
    • List of hashes from the request that were not found in the database.

Examples

Single query

Request:

/api/malware/family/detection/v1/query/sha1/7d8f177243cfa055c95cbbf32ebc2d7e8c71d4fb?format=json

Response:

{
  "rl": {
    "sample": {
      "sha1": "7d8f177243cfa055c95cbbf32ebc2d7e8c71d4fb",
      "family": {
        "entries": [
          "Barys",
          "ADH"
        ]
      }
    }
  }
}

Bulk query

Request:

/api/malware/family/detection/v1/bulk_query/json

{
  "rl": {
    "query": {
      "hash_type": "md5",
      "hashes": [
        "0001f757f6b9523707462066100aa543",
        "000202ed4a0fb4c95e68824bc7777a78",
        "00026f63fd5a2600b73a866d7ef08b6f",
        "6c2eb9d1a094d362bcc7631f2551f5a4",
        "a82c781ce0f43d06c28fe5fc8ebb1ca9",
        "920f5ba4d08f251541c5419ea5fb3f"
      ]
    }
  }
}

Response:

{
  "rl": {
    "unknown_hashes": [
      "6c2eb9d1a094d362bcc7631f2551f5a4",
      "a82c781ce0f43d06c28fe5fc8ebb1ca9"
    ],
    "invalid_hashes": [
      "920f5ba4d08f251541c5419ea5fb3f"
    ],
    "entries": [
      {
        "sample": {
          "sha1": "0001f757f6b9523707462066100aa543",
          "family": {
            "entries": [
              "SWIZZOR",
              "Vundo",
              "Swizz",
              "Swizzor",
              "Packer",
              "PolyCrypt",
              "Agent_r",
              "Lop",
              "000155a11",
              "Swizzor DP",
              "C2Lop BB5",
              "Win 121",
              "C2Lop"
            ]
          }
        }
      },
      {
        "sample": {
          "sha1": "000202ed4a0fb4c95e68824bc7777a78",
          "family": {
            "entries": [
              "Ntfs",
              "Cutwail",
              "04c4f2e11",
              "Kobcka",
              "PushInf",
              "Backdoor2 GCGE",
              "DownLoad 47257",
              "Win 4126",
              "CUTWAIL",
              "Protector",
              "Pandex"
            ]
          }
        }
      },
      {
        "sample": {
          "sha1": "00026f63fd5a2600b73a866d7ef08b6f",
          "family": {
            "entries": [
              "SHIZ",
              "Shiz NCF",
              "Shiz",
              "Shiz VP",
              "Shiz mhUAm0d46pg",
              "MalOb",
              "0040f2501",
              "20771",
              "Simda",
              "EncPk"
            ]
          }
        }
      }
    ]
  }
}