Indicators of Compromise (TCA-0330)

ReversingLabs Indicators of Compromise (IoC) service delivers access to large volumes of structured threat intelligence data for samples and URLs. It supports both detailed data retrieval and summary statistics, with filtering by type (sample or URL), time format (timestamp or UTC), classification, threat level, malware family, malware type, threat actor, sample type, platform, and vertical. The results are returned in JSON format, and can be limited and paginated.

General Info about Requests/Responses

  • Default response format is JSON.
  • When a non-existing value is provided for a string field (malware_family, threat_actor, sample_type), the API validates only the characters used, not whether the value exists. If disallowed characters are present, a 400 status code is returned with an error message (e.g., "Not allowed characters in threat_actor used"). If the value contains only allowed characters but does not match any known entry, a 200 status code is returned with an empty response.

Indicators of Compromise Query

This query returns IoC data based on the specified parameters.

Request

GET /api/ioc/v1/query/{type}/{time_format}/{time_value}/page/{page}

Path parameters:

  • type
    • The type of the IoC to query. Supported values: sample or url.
    • Required
  • time_format
    • The format of the time value. Supported values: timestamp or utc.
    • Required
  • time_value
    • The time value to query. The format depends on the time_format parameter.
    • Required
  • page
    • Specifies the page of results to retrieve. Use the next_page value from the response to get the next page of results.
    • Optional

Query parameters:

  • limit
    • The maximum number of results to be retrieved. Default is 1000.
  • classification
    • The classification of the IoC. Supported values: malicious or suspicious.
  • threat_level
    • The threat level of the IoC. Supported values: 1 - 5.
  • vertical
    • The vertical of the IoC. Supported values: financial, ransomware, apt, exploit, retail, bots, healthcare. Applicable only for samples.
  • malware_family
    • The family of the malware associated with the IoC.
  • malware_type
    • The type of the malware associated with the IoC. Supported values: Infostealer, Dropper, Spyware, Trojan, Backdoor, Dialer, Worm, Downloader, Keylogger, Adware, Malware, Rogue, PUA, Packed, Exploit, Virus, Hacktool, Browser, Network, Rootkit, Phishing, Ransomware, Coinminer, Spam. Applies only when the type is sample. If the type is url, any string value is accepted (e.g., hyperlink).
  • threat_actor
    • The threat actor associated with the IoC. Applicable only for samples.
  • sample_type
    • The type of the sample associated with the IoC. Applicable only for samples.
  • platform
    • The platform of the IoC. Supported values: ABAP, Android, AOL, Archive, Audio, Binary, Blackberry, Boot, ByteCode, Console, Document, DOS, Email, EPOC, Firmware, FreeBSD, Image, iOS, Linux, MacOS, Menuet, Novell, OS2, Package, Palm, Script, Shortcut, Solaris, SunOS, Symbian, Text, Unix, Video, WebAssembly, Win32, Win64, WinCE. Applicable only for samples.

Response

The response is a JSON object containing the query parameters and the entries that match the requested query.

{
  "rl": {
    "query": {
      "time_range": {
        "to": "string",
        "from": "string"
      }
    },
    "entries": [
      {
        "sha1": "string",
        "sha256": "string",
        "md5": "string",
        "threat_level": 1,
        "malware_family": "string",
        "malware_type": "string",
        "platform": "string",
        "threat_name": "string",
        "classification": "string",
        "sample_type": "string",
        "first_seen": "string",
        "threat_actors": [
          "string",
          "string"
        ],
        "verticals": [
          "string",
          "string"
        ],
        "reason": "string"
      }
    ],
    "next_page": "string"
  }
}

rl.query

  • Contains the query parameters used in the request.

rl.entries

  • sha1
    • The SHA1 hash of the IoC. Hexadecimal hash value of the sample. Applicable only for samples.
  • sha256
    • The SHA256 hash of the IoC. Hexadecimal hash value of the sample. Applicable only for samples.
  • md5
    • The MD5 hash of the IoC. Hexadecimal hash value of the sample. Applicable only for samples.
  • URL
    • The URL of the IoC. Applicable only for URLs.
  • threat_level
    • The threat level of the IoC. Malware severity indicator for suspicious and malicious samples, expressed as an integer between 1 and 5, where 5 indicates the most dangerous threats (highest severity).
  • malware_family
    • The family of the malware associated with the IoC.
  • malware_type
    • The type of the malware associated with the IoC. Supported values: Infostealer, Dropper, Spyware, Trojan, Backdoor, Dialer, Worm, Downloader, Keylogger, Adware, Malware, Rogue, PUA, Packed, Exploit, Virus, Hacktool, Browser, Network, Rootkit, Phishing, Ransomware, Coinminer, Spam. Applies only when the type is sample. If the type is url, any string value is accepted (e.g., hyperlink).
  • platform
    • The platform of the IoC. Applicable only for samples.
  • threat_name
  • classification
    • The classification of the IoC.
  • sample_type
    • The type of the sample associated with the IoC. Applicable only for samples.
  • first_seen
    • The first time the IoC was seen.
  • threat_actors
    • A list of threat actors associated with the IoC. Applicable only for samples.
  • verticals
    • A list of verticals associated with the IoC. Supported values: financial, ransomware, apt, exploit, retail, bots, healthcare. Applicable only for samples.
  • reason
    • The reason for the classification of the IoC.

rl.next_page

  • Specifies the page of results to retrieve. Provides a value to get the next page of results.

Examples

Fetch 4 malicious samples with threat_level 4 or 5 in the retail vertical, starting from timestamp 1736497955000.

GET /api/ioc/v1/query/sample/timestamp/1736497955000?classification=MALICIOUS&threat_level=4|5&vertical=retail&limit=4

Fetch 1000 URLs with malware_type Exploit from 2025-01-01T10:00:00, starting from page 1641083310a45ab18fb7a06dd5ecb44bf6c221a951f974059f.

GET /api/ioc/v1/query/url/utc/2025-01-01T10:00:00/page/1641083310a45ab18fb7a06dd5ecb44bf6c221a951f974059f?malware_type=Exploit
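As an added example (not ReversingLabs code), the Python below builds the query path from the documented path and query parameters and walks the result set by passing each rl.next_page value back as the page path parameter. The two-page response, the PAGE_TOKEN_2 token and the hash values are constructed, and fetch_json stands in for the authenticated HTTP GET.

```python
from urllib.parse import urlencode

VERTICALS = {"financial", "ransomware", "apt", "exploit", "retail", "bots", "healthcare"}

def build_query_url(ioc_type, time_format, time_value, page=None, **filters):
    """Build the documented query path; reject values the documentation does not list."""
    if ioc_type not in ("sample", "url"):
        raise ValueError("type must be 'sample' or 'url'")
    if time_format not in ("timestamp", "utc"):
        raise ValueError("time_format must be 'timestamp' or 'utc'")
    if "vertical" in filters and (ioc_type != "sample" or filters["vertical"] not in VERTICALS):
        raise ValueError("vertical applies only to samples and must be a listed value")
    path = f"/api/ioc/v1/query/{ioc_type}/{time_format}/{time_value}"
    if page:
        path += f"/page/{page}"  # page token is the rl.next_page value of the previous response
    return path + ("?" + urlencode(filters) if filters else "")

def iter_entries(fetch_json, ioc_type, time_format, time_value, **filters):
    """Yield every entry, following rl.next_page until the API stops returning one."""
    page, seen = None, set()
    while True:
        body = fetch_json(build_query_url(ioc_type, time_format, time_value, page, **filters))
        rl = body["rl"]
        yield from rl.get("entries", [])
        page = rl.get("next_page")
        if not page or page in seen:  # stop on the last page or on a repeated token
            return
        seen.add(page)

# Constructed two-page feed in the documented response shape (not real feed data).
_FAKE_PAGES = {
    None: {"rl": {"query": {"time_range": {"from": "1736497955000", "to": "1736584355000"}},
                  "entries": [{"sha256": "aa" * 32, "threat_level": 5, "classification": "malicious"},
                              {"sha256": "cc" * 32, "threat_level": 2, "classification": "malicious"}],
                  "next_page": "PAGE_TOKEN_2"}},
    "PAGE_TOKEN_2": {"rl": {"query": {"time_range": {"from": "1736497955000", "to": "1736584355000"}},
                            "entries": [{"sha256": "bb" * 32, "threat_level": 4, "classification": "malicious"}],
                            "next_page": None}},
}

def fake_fetch(url):
    # Stand-in for HTTP GET: serve the constructed page that matches the /page/ token.
    token = url.split("/page/")[1].split("?")[0] if "/page/" in url else None
    return _FAKE_PAGES[token]

def high_severity_hashes(fetch_json=fake_fetch):
    """SHA256 values of threat_level 4 or 5 entries collected across all pages."""
    entries = iter_entries(fetch_json, "sample", "timestamp", "1736497955000",
                           classification="malicious", vertical="retail", limit=4)
    return [e["sha256"] for e in entries if e["threat_level"] >= 4]
```

Replace fake_fetch with a function that performs the authenticated GET and returns the parsed JSON body to run it against the live service.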

Indicators of Compromise Latest Query

This query returns the latest IoC data based on the specified parameters.

Request

GET /api/ioc/v1/query/{type}/latest/page/{page}

Path parameters:

  • type
    • The type of the IoC to query. Supported values: sample or url.
    • Required
  • page
    • Specifies the page of results to retrieve. Use the next_page value from the response to get the next page of results.
    • Optional

Query parameters:

  • limit
    • The maximum number of results to be retrieved. Default is 1000.
  • classification
    • The classification of the IoC. Supported values: malicious or suspicious.
  • threat_level
    • The threat level of the IoC. Supported values: 1 - 5.
  • vertical
    • The vertical of the IoC. Supported values: financial, ransomware, apt, exploit, retail, bots, healthcare. Applicable only for samples.
  • malware_family
    • The family of the malware associated with the IoC.
  • malware_type
    • The type of the malware associated with the IoC. Supported values: Infostealer, Dropper, Spyware, Trojan, Backdoor, Dialer, Worm, Downloader, Keylogger, Adware, Malware, Rogue, PUA, Packed, Exploit, Virus, Hacktool, Browser, Network, Rootkit, Phishing, Ransomware, Coinminer, Spam. Applies only when the type is sample. If the type is url, any string value is accepted (e.g., hyperlink).
  • threat_actor
    • The threat actor associated with the IoC. Applicable only for samples.
  • sample_type
    • The type of the sample associated with the IoC. Applicable only for samples.
  • platform
    • The platform of the IoC. Supported values: ABAP, Android, AOL, Archive, Audio, Binary, Blackberry, Boot, ByteCode, Console, Document, DOS, Email, EPOC, Firmware, FreeBSD, Image, iOS, Linux, MacOS, Menuet, Novell, OS2, Package, Palm, Script, Shortcut, Solaris, SunOS, Symbian, Text, Unix, Video, WebAssembly, Win32, Win64, WinCE. Applicable only for samples.

Response

The response is a JSON object containing the query parameters and the entries that match the requested query.

{
  "rl": {
    "query": {
      "time_range": {
        "to": "string",
        "from": "string"
      }
    },
    "entries": [
      {
        "URL": "string",
        "threat_level": 1,
        "malware_type": "string",
        "classification": "string",
        "first_seen": "string",
        "reason": "string"
      }
    ],
    "next_page": "string"
  }
}

rl.query

  • Contains the query parameters used in the request.

rl.entries

  • sha1
    • The SHA1 hash of the IoC. Hexadecimal hash value of the sample. Applicable only for samples.
  • sha256
    • The SHA256 hash of the IoC. Hexadecimal hash value of the sample. Applicable only for samples.
  • md5
    • The MD5 hash of the IoC. Hexadecimal hash value of the sample. Applicable only for samples.
  • URL
    • The URL of the IoC. Applicable only for URLs.
  • threat_level
    • The threat level of the IoC. Malware severity indicator for suspicious and malicious samples, expressed as an integer between 1 and 5, where 5 indicates the most dangerous threats (highest severity).
  • malware_family
    • The family of the malware associated with the IoC.
  • malware_type
    • The type of the malware associated with the IoC. Supported values: Infostealer, Dropper, Spyware, Trojan, Backdoor, Dialer, Worm, Downloader, Keylogger, Adware, Malware, Rogue, PUA, Packed, Exploit, Virus, Hacktool, Browser, Network, Rootkit, Phishing, Ransomware, Coinminer, Spam. Applies only when the type is sample. If the type is url, any string value is accepted (e.g., hyperlink).
  • platform
    • The platform of the IoC. Applicable only for samples.
  • threat_name
  • classification
    • The classification of the IoC.
  • sample_type
    • The type of the sample associated with the IoC. Applicable only for samples.
  • first_seen
    • The first time the IoC was seen.
  • threat_actors
    • A list of threat actors associated with the IoC. Applicable only for samples.
  • verticals
    • A list of verticals associated with the IoC. Applicable only for samples.
  • reason
    • The reason for the classification of the IoC.

rl.next_page

  • Specifies the page of results to retrieve. Provides a value to get the next page of results.

Examples

Fetch the 100 latest sample entries.

GET /api/ioc/v1/query/sample/latest?limit=100

Indicators of Compromise Summary Query

This query returns a summary of IoC data based on the specified parameters.

Request

GET /api/ioc/v1/query/{type}/{time_format}/{time_value}/summary

Path parameters:

  • type
    • The type of the IoC to query. Supported values: sample or url.
    • Required
  • time_format
    • The format of the time value. Supported values: timestamp or utc.
    • Required
  • time_value
    • The time value to query. The format depends on the time_format parameter.
    • Required

Query parameters:

  • classification
    • The classification of the IoC. Supported values: malicious or suspicious.
  • threat_level
    • The threat level of the IoC. Supported values: 1 - 5.
  • vertical
    • The vertical of the IoC. Supported values: financial, ransomware, apt, exploit, retail, bots, and healthcare. Applicable only for samples.
  • malware_family
    • The family of the malware associated with the IoC.
  • malware_type
    • The type of the malware associated with the IoC. Supported values: Infostealer, Dropper, Spyware, Trojan, Backdoor, Dialer, Worm, Downloader, Keylogger, Adware, Malware, Rogue, PUA, Packed, Exploit, Virus, Hacktool, Browser, Network, Rootkit, Phishing, Ransomware, Coinminer, and Spam. Applies only when the type is sample. If the type is url, any string value is accepted (e.g., hyperlink).
  • threat_actor
    • The threat actor associated with the IoC. Applicable only for samples.
  • sample_type
    • The type of the sample associated with the IoC. Applicable only for samples.
  • platform
    • The platform of the IoC. Supported values: ABAP, Android, AOL, Archive, Audio, Binary, Blackberry, Boot, ByteCode, Console, Document, DOS, Email, EPOC, Firmware, FreeBSD, Image, iOS, Linux, MacOS, Menuet, Novell, OS2, Package, Palm, Script, Shortcut, Solaris, SunOS, Symbian, Text, Unix, Video, WebAssembly, Win32, Win64, WinCE. Applicable only for samples.

Response

The response is a JSON object containing the query parameters and the count of entries that match the requested query.

{
  "rl": {
    "query": {
      "time_range": {
        "to": "string",
        "from": "string"
      }
    },
    "entries_count": 12345
  }
}

rl.query

  • Contains the query parameters used in the request.

rl.entries_count

  • The total number of entries that match the requested query parameters in the last 90 days.

Examples

Fetch the number of samples with sample_type PE/EXE from start time 2025-01-01T10:00:00.

GET /api/ioc/v1/query/sample/utc/2025-01-01T10:00:00/summary?sample_type=pe/exe