Skip to main content

Dynamic analysis report

This service allows users to retrieve dynamic analysis reports for files and URLs executed in the ReversingLabs cloud sandbox. It returns two types of reports: merged reports and specific reports.

Merged reports

If you provide only the file or URL identifier, the response will contain a merged report with an overview of all dynamic analyses performed on the file or the URL. Most objects in the merged report include lists of analysis IDs, allowing the users to retrieve specific reports for more information about items of interest.

Specific reports

If the request includes the /latest query parameter, or an analysis_id matching an existing report, the report will contain information specific to that execution. All specific reports will contain download links for the network traffic PCAP file, screenshots, and memory strings dump file captured during that specific analysis. These files have a retention period of 1 year, while their download links are dynamically generated on report request, and are valid for 1 hour.

Files and URLs can be submitted for dynamic analysis using the TCA-0207 Dynamic Analysis service.

Fetching Archive Analysis Reports

While working with archives, different endpoints <archive-endpoints> are used.

Submitting only the SHA1 of the archive to this API returns a list of SHA1 hashes of all files within the archive along with the merged dynamic analysis report for each file. If the /latest is provided, the API returns a list of SHA1 hashes of all files within the archive, as well as the most recent specific dynamic analysis report for each file. Archives do not get an analysis_id, only the samples contained inside. They can be used to query the regular Dynamic Analysis Report Query for getting a specific report on an individual sample.

A user's quota is deducted with the number of files or URLs for which the merged or specific DA report is provided.

Privacy

Whether submitted files, PCAP files, dropped files, screenshots, and memory string dumps will be shared with other ReversingLabs customers depends on the role configured for the Spectra Intelligence account used to upload files.

If the account is configured to upload all files as shareable (not private), other ReversingLabs customers will be able to access analysis results, but also download the uploaded files, dropped files, PCAP files, screenshots, and memory string dumps generated during file execution.

If the account is configured to upload all files as not shareable (private), other ReversingLabs customers will only be able to access analysis results, but not retrieve the actual contents of uploaded files, dropped files, PCAP files, screenshots or memory string dumps.

This API is rate limited to 5 requests per second.

Dynamic Analysis File Report Query

This query returns the dynamic analysis report for the requested sample hash.

GET /api/dynamic/analysis/report/v1/query/{hash_type}/{hash_value}

Path parameters:

  • hash_type
    • Accepts these values: sha1
  • hash_value
    • The hash value of the sample for which to retrieve the report. If neither /latest nor analysis_id are used, the response will contain a merged report of all analyses performed on the sample. Must be a valid hash defined by the hash_type parameter.
  • /latest
    • If added at the end of the endpoint path, the response will contain only the newest dynamic analysis report for the requested file hash. This parameter is incompatible and mutually exclusive with analysis_id.
    • Unlike the merged report, this report will contain download links for the network traffic PCAP file, screenshots, and memory strings dump file captured during file execution.
  • analysis_id
    • If added at the end of the request, the response will contain only the dynamic analysis report matching the provided analysis_id. This parameter is incompatible and mutually exclusive with /latest.
    • Unlike the merged report, this report will contain download links for the PCAP network traffic file, screenshots, and memory strings dump file captured during file execution.

Query parameters:

  • format
    • Specifies the response format. Supported values are json (default), xml
  • artifacts_url
    • Add artifacts_url=True after the path parameters to receive a response containing the artifact links for specific reports in the history part of the merged report. Passing this parameter will slow the response down.

Response Format

{
"rl": {
"report": {},
"requested_hash": "string"
}
}
  • report
    • The object containing the dynamic analysis report (merged or report for a specific dynamic analysis run)
  • requested_hash
    • The SHA1 hash of the analyzed file

rl.report

{
"network": {},
"mitre_attack": {},
"process_tree": [],
"sha1": "string",
"analysis_id": "string",
"classification": "string",
"dropped_files": [],
"snort_alerts": [],
"analysis_duration": 0,
"platform": "string",
"configuration": "string",
"behavioral": [],
"memory_strings": "string",
"sha256": "string",
"pcap": "string",
"md5": "string",
"analysis_time": "string"
}
  • sha1, sha256, md5
    • Hashes of the analyzed sample
  • classification
    • The sandbox classification of the sample. Possible values are MALICIOUS, SUSPICIOUS, CLEAN, NO_THREATS_FOUND. In the merged report, classification is always the worst result out of all performed analyses.
  • risk_score
    • Value representing the trustworthiness or malicious severity of a sample. Risk score is expressed as a number from 0 to 10, with 0 indicating whitelisted samples from a reputable origin, and 10 indicating the most dangerous threats. Goodware samples with risk scores of 2 and 3 are labeled "Likely benign / Public origin", and those with scores of 4 and 5 are labeled as "Not a known threat / Unverified origin". Risk scores from 6 to 10 are reserved for suspicious/malicious samples, and express their severity. The score from the specific report will show the risk score for that specific analysis, whereas the score from analysis with the highest risk score will be propagated to the top level of the merged report.
  • threat_names
    • Name of the threats. Shows a list of unique threat names within the analyzed sample.
  • first_analysis
    • The date and time when this sample was first analyzed
  • last_analysis
    • The date and time when this sample was last analyzed
  • analysis_duration
    • The duration of the analysis (in seconds)
  • platforms
    • A list of platforms used to analyze the sample.
  • browser
    • Browser-specific dynamic analysis detonation. This object is present only in specific reports.
  • configuration
    • A short description of the platform configuration specifics (for example, "Win10 x64, Office 2016, Java 8 Update 191"). This object is present only in specific reports.
  • history_analysis
    • An object containing an overview of all available reports. This object is present only in merged reports.
  • sample_name
    • The name of the sample that was used during analysis. In a merged report, each individual analysis has its own sample_name attribute.
  • sample_path
    • The full file path of the sample. In a merged report, each individual analysis has its own sample_path attribute.
  • optional_parameters
    • An object containing a list of optional parameters used during analysis. Possible values: internet_simulation, sample_name.
      • If internet_simulation is true, dynamic analysis was performed without connecting to the internet and a simulated network was used instead. If this value is false, the report is the same as if the parameter is omitted from the response. HTTPS traffic information is not monitored during analysis when internet_simulation is set to true.
      • The sample_name is a custom file name and/or extension provided on submission. Custom extensions impact which application was used to open and run the file.
  • mitre_attack
    • A list of identified MITRE ATT&CK tactics and techniques.
  • network
    • A list of of network resources the analyzed sample used or contacted during execution
  • behavioral
    • A list of objects containing behavioral information about the executed sample. Every object relates one process spawned during sample execution to specific actions it performed.
  • malware_configurations
    • A list of embedded malware configuration data collected during sample execution.
  • snort_alerts
    • Matched Snort alerts in PCAP network captures.
  • sigma_detections
    • Sysmon events, Windows event logs, and operating system process creation events captured during the detonation of malware in a sandbox.
  • signatures
    • Abstracted behaviors, attributes, and content identified during analysis. Each signature has a signature ID, description and a risk score. Signatures commonly provide the following types of information:
    • Behaviors and capabilities observed during execution of the sample.
    • Attributes extracted via static analysis of the sample or artifacts generated during execution.
    • Data-enrichment results, such as file reputation detections for the sample and any dropped files, Snort signature detections from network traffic, and YARA rule matches in the sample or process memory
  • dropped_files
    • An object containing a list of all files dropped during execution of the analyzed sample. ReversingLabs uses an internal algorithm to filter and store dropped files in order to provide customers with the most interesting and valuable files. Contains a link to download all files dropped during the file execution. This link is generated when the report is requested, and expires in 1 hour.
  • pcap
    • Contains a link to download the PCAP file with all the network traffic generated during sample execution. PCAP files have a retention period of 1 year. This link is generated when the report is requested, and expires in 1 hour. This object is present only in specific reports.
  • memory_strings
    • Contains a link to download a dump of memory strings stored in the memory and captured during file execution. Memory strings have a retention period of 1 year. This link is generated when the report is requested, and expires in 1 hour. This object is present only in specific reports.
  • screenshots
    • Contains a link to screenshots collected during the analysis. Screenshots have a retention period of 1 year. This link is generated when the report is requested, and expires in 1 hour. This object is present only in specific reports.
  • process_tree
    • An entire process tree generated during sample execution, sorted in order. This object is present only in specific reports.
  • warnings
    • Descriptive warning messages regarding the status of the analysis.
  • errors
    • Descriptive error messages regarding the status of the analysis.

rl.report.mitre_attack.matrix_list

{
"matrix_list": [
{
"name": "string",
"tactics": {}
}
]
}
  • name
    • The name of the matrix used during analysis
  • tactics
    • A list of tactics detected during sample execution. Each entry has an id, name, description and a technique_list containing a list of specific techniques that were detected. Technique lists in merged reports will also contain a list of analysis_ids for every technique.

rl.report.network

  • url
    • A list of URLs extracted during sample execution. Every entry contains the destination URL and its source:
      • memory: the URL was extracted from memory.
      • malware_config: the URL was extracted from a malware configuration.
      • file: the URL was extracted from a PDF file.
      • network: the URL was extracted from network traffic.
  • http
    • A list of resources this sample contacted using HTTP. Every entry contains the destination IP address and the request method.
  • udp
    • A list of resources this sample contacted using UDP. Every entry contains the destination IP address, the destination port, and the process ID.
  • tcp
    • A list of resources this sample contacted using TCP. Every entry contains the destination IP address, the destination port, and the process ID.
  • dns
    • A list of DNS requests and resolutions the analyzed sample performed during execution. The address field contains the DNS server response, if available.

rl.report.behavioral

  • process
    • An object containing information about the process that spawned during dynamic analysis. Contains the process ID, process name, the full execution path with parameters, and parent process ID.
  • mutex_actions
    • A list of all mutex actions performed by the process during sample execution. Entries contain the file name, file path, the type of action that was performed, and if the action was successful or not.
  • file_actions
    • A list of all files that were accessed or modified by the process. Entries contain the file name, file path, the type of action that was performed, and if the action was successful or not.
  • registry_actions
    • A list of all registry actions performed by the process. Entries contain the registry key name, the type of action that was performed, and if the action was successful or not.
  • process_actions
    • A list of all actions performed by spawned processes. Entries contain the process name, the type of action that was performed, and if the action was successful or not.
  • modules_loaded
    • A list of all modules loaded by the process.

rl.report.malware_configurations

  • threat_names
    • Name of the threats. Shows a list of unique threat names within the analyzed sample.
  • configuration
    • Embedded malware configuration data extracted during sample execution
  • malware_config_ip
    • C2 IP addresses the malware contacted or attempted to contact during sample execution
  • malware_config_url
    • C2 URLs the malware contacted or attempted to contact during sample execution
  • analysis_ids
    • An object containing a list of analysis IDs of specific analyses during which this configuration was extracted. This object is present only in merged reports.

rl.report.signatures

  • sig_id
    • Signature ID
  • description
    • Signature description in human-readable format.
  • risk_factor
    • Risk factor assigned to this signature. Can have one of the following values: 10 - Malicious behavior. Attributable to specific malware family/actor, 9 - Highly malicious behavior or content, 8 - Malicious behavior, 7 - Suspicious behavior, 6 - Moderately suspicious behavior or content, 5 to 1 - Normal behavior or content, 0 - Behavior indicative of goodware

rl.report.dropped_files

  • dropped_files_url
    • Contains a link to download all files dropped during the file execution. This link is generated when the report is requested, and expires in 1 hour.
  • sha1
    • The SHA1 hash of the dropped file
  • sha256
    • The SHA256 hash of the dropped file
  • md5
    • The MD5 hash of the dropped file
  • classification
    • The classification of the dropped file. Possible values are MALICIOUS, SUSPICIOUS, CLEAN, NO_THREATS_FOUND.
  • file_name
    • The file name of the dropped file
  • sample_type
    • The file type of the dropped file
  • sample_size
    • The file size of the dropped file (in bytes)
  • analysis_ids
    • An object containing a list of analysis IDs and classifications for every occurrence of this dropped file during parent sample execution. This object is present only in merged reports.

The following objects are present only in merged reports:

rl.report.history_analysis

  • analysis_id
    • The analysis ID of the report
  • classification
    • The classification of the sample. Possible values are MALICIOUS, SUSPICIOUS, CLEAN, NO_THREATS_FOUND.
  • risk_score
    • Value representing the trustworthiness or malicious severity of a sample.
  • platform
    • The platform used to analyze the sample
  • browser
    • Browser-specific dynamic analysis detonation. This object is present only in merged reports.
  • configuration
    • A short description of the platform configuration specifics (for example, "Win10 x64, Office 2016, Java 8 Update 191")
  • analysis_time
    • The date and time of the analysis
  • screenshots
    • Contains a link to screenshots collected during the analysis. Screenshots have a retention period of 1 year. This link is generated when the report is requested, and expires in 1 hour.
  • pcap
    • Contains a link to download the PCAP file with all the network traffic generated during sample execution. This link is generated when the report is requested, and expires in 1 hour. The PCAP file has a retention period of 1 year.
  • dropped_files
    • An object containing a list of all files dropped during execution of the analyzed sample. ReversingLabs uses an internal algorithm to filter and store dropped files in order to provide customers with the most interesting and valuable files. Contains a link to download all files dropped during the file execution. This link is generated when the report is requested, and expires in 1 hour.
  • memory_strings
    • Contains a link to download the memory strings captured during the sample execution. This link is generated when the report is requested, and expires in 1 hour. Memory strings have a retention period of 1 year.

The following objects are present only in specific reports.

rl.report.process_tree

  • process_id
    • The ID assigned to the process
  • parent_process_id
    • The ID of the parent process
  • process_name
    • The process name
  • process_parameters
    • Specific parameters used to execute the process

The following objects are present only in specific reports. They will be omitted if the sample belongs to a different Spectra Intelligence account, and was uploaded as private (not shareable).

rl.report.memory_strings

  • memory_strings
    • Contains a link to download the memory strings captured during the sample execution. This link is generated when the report is requested, and expires in 1 hour. Memory strings have a retention period of 1 year.

rl.report.pcap

  • pcap
    • Contains a link to download the PCAP file with all the network traffic generated during sample execution. This link is generated when the report is requested, and expires in 1 hour. The PCAP file has a retention period of 1 year.

rl.report.screenshots

  • screenshots
    • Contains an S3 link to screenshots collected during the analysis. This link is generated when the report is requested, and expires in 1 hour. Screenshots have a retention period of 1 year.

Response Examples

Merged Report

/api/dynamic/analysis/report/v1/query/sha1/cac61424fb5414d589687bfd35452a351604ef11

{
"rl":{
"report":{
"mitre_attack":{
"matrix_list":[
{
"tactics":{
"tactic_list":[
{
"techniques":{
"technique_list":[
{
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
],
"id":"T1091",
"name":"Replication Through Removable Media"
},
"..."
]
},
"id":"8",
"name":"Lateral Movement"
},
"..."
]
},
"name":"Enterprise"
}
]
},
"sha1":"cac61424fb5414d589687bfd35452a351604ef11",
"last_analysis":"2021-02-09T18:54:58",
"network":{
"udp":[
{
"destination_port":53,
"destination_ip":"8.8.4.4",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"..."
],
"dns":[
{
"type":"A (IP address)",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
],
"value":"services.homedns.org",
"address":"xxx.xxx.xxx.xxx"
},
"..."
]
},
"classification":"MALICIOUS",
"history_analysis":[
{
"analysis_id":"bc093926-e53f-49d9-82d7-1e5481cb22eb",
"classification":"MALICIOUS",
"analysis_duration":217,
"platform":"windows7",
"optional_parameters": "internet_simulation=true"
"configuration":"MS Office 2007;Java 7;Adobe reader 8;Firefox 37;Google Chrome 51;Internet Explorer 8",
"sample_name": "Sample",
"sample_path": "C:\Users\user\Desktop",
"analysis_time":"2021-02-07T23:49:38"
},
"..."
],
"sample_name": "Sample",
"sample_path": "C:\Users\user\Desktop",
"first_analysis":"2021-02-07T23:49:38",
"dropped_files":[
{
"sha1":"BCF7B98F948D2CDDF2ABB74C4673604DDE801E1A",
"classification":"NO_THREATS_FOUND",
"file_name":"Logs",
"sample_type":"ASCII text, with CRLF line terminators",
"sample_size":33,
"analysis_ids":[
{
"analysis_id":"bc093926-e53f-49d9-82d7-1e5481cb22eb",
"classification":"NO_THREATS_FOUND"
}
],
"sha256":"51BE93BCB053F7412C5FFBCA5C947EC0DDA4A52D6D9A12F18BCE35C4E1F216A0",
"file_path":"C:\\Users\\user\\AppData\\Roaming",
"md5":"F07F3A1093767FF0B58C5FB7FC7617C7"
},
"..."
],
"snort_alerts":[
{
"message":"ICMP Destination Unreachable Port Unreachable",
"classification_type":"Misc activity",
"destination_ip":"8.8.4.4",
"rule":402,
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"..."
],
"platforms":[
"windows7",
"windows10"
],
"behavioral":[
{
"process":{
"name":"cmd.exe",
"parameters":"cmd /c REG ADD HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile /v 'DoNotAllowExceptions' /t REG_DWORD /d '0' /f",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"mutex_actions":[
{
"status":"success or wait",
"name":"unknown",
"action_type":"mutex_created",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
}
],
"process_actions":[
{
"status":"success or wait",
"path":"C:\\Windows\\SysWOW64\\cmd.exe",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
],
"action_type":"process_terminated"
},
"..."
],
"file_actions":[
{
"status":"success or wait",
"file_name":"reg.exe",
"file_path":"C:\\Windows\\SysWOW64",
"action_type":"file_opened",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"..."
],
"modules_loaded":[
{
"module_name":"\\KnownDlls32\\MPR.dll",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"..."
],
"registry_actions":[
{
"status":"success or wait",
"key_name":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
],
"action_type":"key_opened"
},
"..."
]
},
"..."
],
"sha256":"cc6102694e9d8f8efbd63c687972291369079c0bbd62b5d71cc106e9f64946d6",
"md5":"4f2af32661dc73320acbe5acea29cfba"
},
"requested_hash":"cac61424fb5414d589687bfd35452a351604ef11"
}
}

Specific Report

There are no formatting differences between reports retrieved using the analysis_id and /latest endpoint parameters. The only differences can occur in cases when users request information on a private sample belonging to another Spectra Intelligence account.

If the sample is public, other ReversingLabs customers will be able to access analysis results, but also download the uploaded files, dropped files, PCAP files, screenshots, and memory string dumps generated during file execution.

If the sample is private, other ReversingLabs customers will only be able to access analysis results, but not retrieve the actual contents of uploaded files, dropped files, PCAP files, screenshots or memory string dumps.

/api/dynamic/analysis/report/v1/query/sha1/cac61424fb5414d589687bfd35452a351604ef11/dd39d858-636f-4c76-a0d1-249ef21ff780

{
"rl":{
"report":{
"mitre_attack":{
"matrix_list":[
{
"tactics":{
"tactic_list":[
{
"id":"8",
"name":"Lateral Movement",
"techniques":{
"technique_list":[
{
"id":"T1080",
"name":"Taint Shared Content"
},
"..."
]
}
},
"..."
]
},
"name":"Enterprise"
}
]
},
"process_tree":[
{
"process_id":2096,
"name":"rl_file.exe",
"parameters":"'C:\\Users\\user\\Desktop\\rl_file.exe' ",
"parent_process_id":1712
}
],
"sha1":"cac61424fb5414d589687bfd35452a351604ef11",
"analysis_id":"dd39d858-636f-4c76-a0d1-249ef21ff780",
"classification":"MALICIOUS",
"dropped_files":[
{
"sha1":"E0A8096041DFA6D6E5F9D41E870C892E59438964",
"classification":"NO_THREATS_FOUND",
"file_name":"81608.bpc",
"sample_type":"PE32 executable (GUI) Intel 80386, for MS Windows",
"sample_size":5077073,
"sha256":"6BECD956E49FA786BC2845909BC2C7BB6B8E633DE1633151014B44AF925966C6",
"file_path":"C:\\ProgramData\\Microsoft\\OFFICE\\DATA",
"md5":"60BCE3FACE583205A3247205052FD7A1"
},
"..."
],
"analysis_duration":188,
"platform":"windows7",
"optional_parameters": "internet_simulation=false, sample_name=Sample"
"configuration":"MS Office 2007;Java 7;Adobe reader 8;Firefox 37;Google Chrome 51;Internet Explorer 8",
"sample_name": "Sample",
"sample_path": "C:\Users\user\Desktop",
"behavioral":[
{
"process_actions":[
{
"status":"success or wait",
"path":"C:\\Users\\user\\Desktop\\rl_file.exe",
"action_type":"process_queried"
}
],
"registry_actions":[
{
"status":"object name not found",
"key_name":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language",
"action_type":"key_value_queried"
},
"..."
],
"file_actions":[
{
"status":"success or wait",
"file_name":"KsecDD",
"file_path":"\\Device",
"action_type":"file_opened"
},
"..."
],
"process":{
"name":"rl_file.exe",
"parameters":"'C:\\Users\\user\\Desktop\\rl_file.exe' "
},
"mutex_actions":[
{
"status":"success or wait",
"name":"unknown",
"action_type":"mutex_created"
},
"..."
],
"modules_loaded":[
{
"module_name":"C:\\Windows\\SysWOW64\\sechost.dll"
},
"..."
]
}
],
"sha256":"cc6102694e9d8f8efbd63c687972291369079c0bbd62b5d71cc106e9f64946d6",
"md5":"4f2af32661dc73320acbe5acea29cfba",
"analysis_time":"2021-02-08T12:51:37"
},
"requested_id":"dd39d858-636f-4c76-a0d1-249ef21ff780",
"requested_hash":"cac61424fb5414d589687bfd35452a351604ef11"
}
}

Or:

/api/dynamic/analysis/report/v1/query/sha1/cac61424fb5414d589687bfd35452a351604ef11/latest

{
"rl":{
"report":{
"mitre_attack":{
"matrix_list":[
{
"tactics":{
"tactic_list":[
{
"id":"8",
"name":"Lateral Movement",
"techniques":{
"technique_list":[

]
}
},
"..."
]
},
"name":"Enterprise"
}
]
},
"sha1":"cac61424fb5414d589687bfd35452a351604ef11",
"analysis_id":"64708859-7739-4c1a-9e64-2de5741882db",
"classification":"NO_THREATS_FOUND",
"analysis_duration":210,
"platform":"windows7",
"configuration":"MS Office 2007;Java 7;Adobe reader 8;Firefox 37;Google Chrome 51;Internet Explorer 8",
"sample_name": "Sample",
"sample_path": "C:\Users\user\Desktop",
"memory_strings":"https://...",
"sha256":"cc6102694e9d8f8efbd63c687972291369079c0bbd62b5d71cc106e9f64946d6",
"pcap":"https://...",
"md5":"4f2af32661dc73320acbe5acea29cfba",
"analysis_time":"2021-02-09T18:54:58"
},
"requested_hash":"cac61424fb5414d589687bfd35452a351604ef11"
}
}

Dynamic Analysis URL Report Query

This query returns dynamic analysis reports for the requested URL.

The requested URL is identified by its Base64 encoding or SHA1 hash. Use the Base64/SHA1 identifier that you get in the response of the Dynamic Analysis service (TCA-0207).

If you calculate this value locally, for example using sha1sum, there is a chance that you won't get results for that URL because the Dynamic Analysis service first performs a normalization process on the URL, and only then calculates the Base64 encoding / SHA1 hash.

GET /api/dynamic/analysis/report/v1/query/url/sha1/{sha1_value}/{analysis_id}
GET /api/dynamic/analysis/report/v1/query/url/base64/{base64_value}/{analysis_id}

Request GET Format

  • sha1_value
    • A valid sha1 value defined by the sha1 parameter.
    • Required
  • base64_value
    • A valid base64 value defined by the base64 parameter.
    • Required
  • analysis_id
    • If added at the end of the request, the response will contain only the dynamic analysis report matching the provided analysis_id. It can be supplied only if the latest parameter is not already supplied. If neither are provided, the response returns a merged report.
    • Optional
  • latest
    • Required if the user wants to retrieve the latest dynamic analysis report for the requested URL. It can be supplied only if the analysis_id parameter is not already supplied. If neither are provided, the response returns a merged report.
    • Optional

Dynamic Analysis Archive Report Query

This query returns dynamic analysis reports for the requested archive sample hash.

Getting a report by SHA1

By submitting the SHA1 of the archive, the query returns the merged dynamic analysis report for each file within the archive.

GET /api/dynamic/analysis/report/v1/archive/query/{hash_type}/{hash_value}
{
"rl": {
"requested_hash": "e662bfd39cf389b0bad5262e6007c09824261ee4",
"files": [
{
"sha1": "zzzf8d4dd290435a978e70adcf7876c0",
"merged_report": {}
},
{
"sha1": "vvvf8d4dd290435a978e70adcf7876c0",
"merged_report": {}
}
]
}
}

Getting a report by SHA1 and the "latest" parameter

By submitting SHA1 of the archive with the 'latest' parameter, the query returns the most recent specific dynamic analysis report for each file within the archive.

GET /api/dynamic/analysis/report/v1/archive/query/{hash_type}/{hash_value}/latest
{
"rl": {
"requested_hash": "e662bfd39cf389b0bad5262e6007c09824261ee4",
"files": [
{
"sha1": "zzzf8d4dd290435a978e70adcf7876c0",
"report": {}
},
{
"sha1": "vvvf8d4dd290435a978e70adcf7876c0",
"report": {}
}
]
}
}