Skip to main content

Targeted and industry-specific file indicators (TCF-0401-0406)

ReversingLabs Targeted and Industry-Specific File Indicator Feeds are early-warning feeds that provide information about new malware samples detected in the Spectra Intelligence system. The samples are filtered by category. Every category corresponds to one feed.

The feeds are specialized collections of malware families that are known to have significant impact within specific industries (Retail, Financial), as well as of malware families that share a common trait (exploits, ransomware). ReversingLabs carefully selects malware families for each feed based on public and internal research.

The feed stores records for the last 365 days.

  • TCF-0401
    • Advanced Persistent Threats (APT)
  • TCF-0402
    • Financial Services Malware
  • TCF-0403
    • Ransomware
  • TCF-0404
    • Retail Sector Malware
  • TCF-0405
    • CVE Exploits
  • TCF-0406
    • Malware Configuration

Category Definitions

Malware sample categories are defined by and consist of a set of malware families.

Financial

The Financial malware feed refers to the most common malware threats targeting the Financial Services industry. It currently tracks in excess of 70 malware families that are periodically updated.

Retail

The Retail malware feed refers to the most common malware threats targeting Retail organizations.

Ransomware

The Ransomware malware feed refers to the most common malware threats targeting almost all computer users. The most common method is by encrypting user files and demanding payment for the decryption key.

APT

The APT (Advanced Persistent Threat) malware feed refers to the most common malware threats which are government-sponsored or are precisely tailored for specific actions and/or targets.

Exploit

The Exploit feed refers to the most common malware threats which target and exploit known vulnerabilities, indexed by CVE number. An exploit is an application that uses a vulnerability or a flaw in another component (be it software or hardware) to impact the target's behavior in some way. In other words, it uses or communicates with its target in an unexpected or improperly handled way, usually resulting in a behavior change in the targeted program. Exploits can be remote or local, and the payload can range from allowing remote access or gaining elevated privileges, to downloading or dropping other malware. All known exploits are described in the Common Vulnerabilities and Exposures (CVE) system. The best way to deal with exploits is to prevent attacks by regularly updating software, but there is no efficient way to cope with the threats coming from the exploits that have not yet been patched, also known as zero-day exploits.

Malware Configuration

The Malware Configuration feed provides different kinds of malware samples, such as Keyloggers, RAT(s) or Ransomware that contain embedded configuration data. This data may include a list of servers that a given sample may contact; the ID of the malware campaign; passwords; malware installation location; mutexes; file names and more. Network information extracted from malware samples is unfiltered and presented as it was found.

Malware Detection Family Feed Query

Fetch detections since specified time

This query returns a recordset of malware detections in the specified time range for a particular category. The categories correspond to ReversingLabs Targeted and Industry-Specific File Indicator Feeds, which are described in the Category Definitions section <categories>.

Detections are included in the response based on the time when they were added to a particular feed. The time value provided in the query defines the starting point of the time range. If a detection has been added to one of the feeds in that time range, it is included in the response.

GET /api/feed/malware/detection/family/v2/query/{category}/{time_format}/{time_value}/?[format=xml|json]

Request format

The time range is defined as the period between the time specified by the time_value parameter and the time when the request is made.

The earliest time value that the user can specify is 365 days before the current time. The latest time value is 60 seconds before the current time. Specifying a time value outside of these limits will return the status code 400 Bad Request.

The response can contain up to 1000 results. If the number of samples with the last timestamp included in the response goes above this limit, the results will be cut off. To get the next page of results, provide the to field value from the previous request as the timestamp value of the next request. This will cause some result duplication (specifically, records whose record_on value matches the to timestamp will reappear on the second page), but it will also return any remaining records with the matching timestamp that didn't fit on the first page.

All time values are in UTC, independent of the input format.

  • category
    • Allows selecting a category to filter the results by a specific industry. Supported values: apt, configuration, exploit, financial, ransomware, retail. If the user doesn't have access to the requested category, or if the category doesn't exist, the query will return a 403 Forbidden response
    • Required
  • time_format
    • Time format in which the date and time should be requested. It is possible to choose between utc and timestamp
    • Required
  • time_value
    • Accepts values in the format set by time_format. If the format is set to utc, the value should be expressed in the format YYYY-MM-DDThh:mm:ss. If the format is set to timestamp, the value should be expressed as the number of seconds since 1970-01-01 00:00:00.
    • Required
  • count
    • Allows specifying how many of the latest hashes in the selected category should be returned in the response. Accepts an integer in the range between 1 and 1000 ( 1 <= count <= 1000 ). The default value of the parameter is 100. Setting the count value too low may result in from and to timestamps being the same, which will cause a response loop.
    • Optional
  • format
    • An optional parameter that defines the response format. Supported values are xml and json. The default is xml and it is returned if this parameter is not provided in the request.
    • Optional

Fetch the latest detections

This query returns a recordset containing the latest Malware Family Feed detections for a particular category.

GET /api/feed/malware/detection/family/v2/query/{category}/latest?[format=xml|json]&[count=(1-1000)]

Request format

Submitting a GET request without any optional request arguments will return the latest 100 detections in the requested category.

The count request parameter supports all integers between 1 and 1000, with 1 and 1000 included. Submitting the count parameter with anything other than integers in the supported range will result in a "400 Bad Request" response.

The feed will return 100 records if the count parameter is not provided. Otherwise it will return the requested amount of records, starting from the most recent record in the data store.

The most recent returned value can be 60 seconds before the current time.

  • category
    • Allows selecting a category to filter the results by a specific industry. Supported values: apt, configuration, exploit, financial, ransomware, retail. If the user doesn't have access to the requested category, or if the category doesn't exist, the query will return a 403 Forbidden response
    • Required
  • format
    • An optional parameter that defines the response format. Supported values are xml and json. The default is xml and it is returned if this parameter is not provided in the request.
    • Optional
  • count
    • Allows specifying how many of the latest hashes in the selected category should be returned in the response. Accepts an integer in the range between 1 and 1000 ( 1 <= count <= 1000 ). The default value of the parameter is 100.
    • Optional

Response format

Fields that do not appear in the response are considered empty.

Response fields

  • sha1

    • Sample SHA1 hash
  • record_on

    • Time when the hash was added to a particular category
  • sha256

    • Sample SHA256 hash, if that information exists
  • md5

    • Sample MD5 hash, if that information exists
  • container_hash

    • SHA1 hash of the sample container; if the sample is not extracted from a container, then this value is identical to the sha1 field
  • priority

    • Integer value (1-5) describing the importance of the entry for a particular industry (category). The value of 1 indicates the lowest priority, and 5 the highest. Lower values mean that the particular malware family is connected to some actor or other malware families related to the industry; not directly affecting the industry, but relevant to it
  • family_name

    • Malware family name
  • first_seen_on

    • Indicates when the hash was seen for the first time in the system (UTC)
  • last_seen_on

    • Indicates when the hash was last seen in the system (UTC)
  • sample_available

    • Boolean value indicating whether the sample is physically available for download. Note that even if this value is returned as true, it does not always mean the file is shareable (available for public download). To verify download availability, customers are advised to use the Sample Download API to attempt a file download. If the Sample Download API returns a 403 error, that indicates that the sample is not available for download, or is private
  • sample_size

    • Integer value that indicates the sample size in bytes
  • sample_type

    • String value describing the sample type (e.g., "Binary/Archive" )
  • tags

    • A dictionary that contains tag_types as keys and tag_list as the value for each tag_type that is found in the configuration for a given detection
  • bot_configs

    • Key value list describing the configuration data embedded within the sample. Find more details in the bot_configs table
  • cvssv2

    • Key value list describing the vulnerability metadata found in samples from the Exploit category. Find more details in the cvssv2 table bot_configs
  • botFamily

    • Malware family name
  • botVersion

    • Malware version
  • botServer

    • Command-and-control servers found in the malware configuration
  • botRunMutex

    • Mutex object names
  • botIdentifier

    • Unique malware sample or campaign identifier
  • botInstallationPath

    • The path into which the malware will attempt to install itself on infected systems
  • botStartupKey

    • Registry key(s) used at startup
  • botStartupActiveX

    • ActiveX startup string registry value
  • botFileName

    • Filename used by the malware on the infected system
  • botPassword

    • Password(s) used to establish a connection between the sample and the server cvssv2
  • base_score

    • String that can be converted to decimal in the range between 0.0 and 10.0 (precision is single decimal digit)
  • integrity_impact

    • Impact on integrity expressed as an enum value. Can be one of: "None", "Low", "High"
  • availability_impact

    • Impact on availability expressed as an enum value. Can be one of: "None", "Low", "High"
  • attack_complexity

    • Attack complexity expressed as an enum value. Can be one of the following: "Low", "Medium", "High"
  • attack_vector

    • enum value that can be one or more of the following: "Local", "Physical", "Network", "Adjacent network"
  • confidentiality_impact

    • Impact on confidentiality expressed as an enum value. Can be one of: "None", "Low", "High"
    <?xml version="1.0" encoding="utf-8"?>
<rl>
<feed>
<name>Malware Detection Family Feed</name>
<time_range>
<from>timestamp</from>
<to>timestamp</to>
</time_range>
<category>CATEGORY</category>
<entries>
<item>
<sha1>hash_hex_value</sha1>
<sha256>hash_hex_value</sha256>
<md5>hash_hex_value</md5>
<container_hash>container_sha1_value</container_hash>
<priority>priority_value</priority>
<record_on>timestamp</record_on>
<sample_available>True|False</sample_available>
<family_name>family_name</family_name>
<first_seen_on>timestamp</first_seen_on>
<last_seen_on>timestamp</last_seen_on>
<sample_size>integer</sample_size>
<sample_type>sample_type</sample_type>
<bot_configs>configurations</bot_configs>,
<cvssv2>
<bаse_score>base_score</bаse_score>
<integrity_impact>impact</integrity_impact>
<availability_impact>impact</availability_impact>
<attack_complexity>complexity</attack_complexity>
<attack_vector>attack_vector</attack_vector>
<confidentiality_impact>impact</confidentiality_impact>
</cvssv2>
<tags>
<tag_type1>
<item>tag1</item>
<item>tag2</item>
...
</tag_type1>
...
<tag_type_n>
...
</tag_type_n>
</tags>
</item>

<item>...</item>
</entries>
</feed>
</rl>
    {"rl": 
{"feed": {
"name": "Malware Detection Family",
"time_range": {
"from": "timestamp",
"to": "timestamp"
},
"category": CATEGORY,
"entries": [{
"sha1": "hash_value",
"record_on": "timestamp",
"sha256": "hash_value",
"md5": "hash_value",
"container_hash": "container_hash_value",
"priority": "priority_value",
"sample_available": boolean,
"family_name": "family_name",
"first_seen_on": "timestamp",
"last_seen_on": "timestamp",
"sample_size": integer,
"sample_type": "sample_type",
"bot_configs":{
configurations
},
"cvssv2": {
"base_score": "base_score",
"integrity_impact": "impact",
"availability_impact": "impact",
"attack_complexity": "complexity",
"attack_vector": "attack_vector",
"confidentiality_impact": "impact"
},
"tags": {
"tag_type1": ["tag1","tag2"],
"tag_type2": [...],
...
}
},
...
]}
}
}

Example JSON response with additional fields for CVE exploits

{"rl": 
{"feed": {
"name": "Malware Detection Family Feed",
"time_range": {
"from": "timestamp",
"to": "timestamp"
},
"category": "EXPLOIT",
"entries": [{
"family_name": "CVE-2008-2992",
"first_seen_on": 1471608000,
"sha1": "9f83f1c87d16e73b6fb6cf65093b9ad4b5ca1382",
"record_on": 1489592176,
"cvssv2":{
"base_score": "9.3",
"attack_complexity": "Medium",
"attack_vector": "Network",
"availability_impact": "High",
"integrity_impact": "High",
"confidentiality_impact": "High"
},
"tags": {
"affect": [
"Adobe Acrobat and Reader 8.1.2"
]
},
},
]
}
}
}

Example JSON response with additional configuration settings fields

{"rl": 
{"feed": {
"name": "Malware Detection Family Feed",
"time_range": {
"from": "timestamp",
"to": "timestamp"
},
"category": "CONFIGURATION",
"entries": [{
"family_name": "DarkComet",
"sha1": "1316f23cd80a15a589f493b9155f537b4e8fab28",
"record_on": 1506588587,
"sample_type": "PE/Exe/DarkComet",
"bot_configs":{
"botFamily": "DarkComet",
"botIdentifier": "Vitima",
"botInstallationPath": "MSDCSC\\\\msdcsc.exe",
"botRunMutex": "DC_MUTEX-81883ZC",
"botServer0": "romerinotraderpt.no-ip.org:1604",
"botStartupKey": "MicroUpdate",
"botVersion": "5.2 - 5.3"
}
}]
},
}
}

How to return more results from the feed

The following two examples fetch the first and second page of results for the retail category using the timestamp parameter.

The first request will search for entries newer than the provided timestamp (1477008000) and return 2 entries per page (in practical use, this number should be higher, 2 was only used as an example).

GET /api/feed/malware/detection/family/v2/query/retail/timestamp/1477008000?format=json&count=2

First page response in JSON

    {
"rl": {
"feed": {
"category": "RETAIL",
"entries": [
{
"family_name": "ChewBacca",
"sha1": "5e9dd2f849831355faea86bef2f75918d6b8a025",
"record_on": 1477010349,
"first_seen_on": 1477009751,
"last_seen_on": 1477009800,
"priority": 5,
"sample_available": true,
"container_hash": "5e9dd2f849831355faea86bef2f75918d6b8a025",
"sha256": "2019fc174249565f5349fe203b622ac7d979008e8fc8e452ff3889fd9cb37b4e",
"md5": "065bb3b1341ec2ff0157155bd25f17fb"
},
{
"family_name": "ChewBacca",
"sha1": "0f2f22b7efa5ec9ee2b9c4882f7a5f002219117e",
"record_on": 1477012336,
"first_seen_on": 1476301532,
"last_seen_on": 1476907260,
"priority": 5,
"sample_available": true,
"container_hash": "0f2f22b7efa5ec9ee2b9c4882f7a5f002219117e",
"sha256": "48f636a51ad542d7c189855812943e4260d6f474382d947d9699c7e5c0e620a5",
"md5": "78a66809f89f67c48161c0acb6874997"
}
],
"name": "Malware Detection Family Feed",
"time_range": {
"to": 1477012336,
"from": 1477008000
}
}
}
}

To get the next page of results, provide the to value from the previous request as the timestamp value of the next request.

This will cause some result duplication (specifically, records whose record_on value matches the to timestamp will reappear on the second page), but it will also return any remaining records with the matching timestamp that didn't fit on the first page.

Setting the count value too low may result in from and to timestamps being the same, which will cause a response loop.

GET /api/feed/malware/detection/family/v2/query/retail/timestamp/1477012335?format=json&count=2

Second page response in JSON

    {
"rl": {
"feed": {
"category": "RETAIL",
"entries": [
{
"family_name": "ChewBacca",
"sha1": "0f2f22b7efa5ec9ee2b9c4882f7a5f002219117e",
"record_on": 1477012336,
"first_seen_on": 1476301532,
"last_seen_on": 1476907260,
"priority": 5,
"sample_available": true,
"container_hash": "0f2f22b7efa5ec9ee2b9c4882f7a5f002219117e",
"sha256": "48f636a51ad542d7c189855812943e4260d6f474382d947d9699c7e5c0e620a5",
"md5": "78a66809f89f67c48161c0acb6874997"
},
{
"family_name": "ChewBacca",
"sha1": "8d5406d1af09d783f60585f57abd123b04c5bf47",
"record_on": 1477014315,
"first_seen_on": 1476302394,
"last_seen_on": 1476908100,
"priority": 5,
"sample_available": true,
"container_hash": "8d5406d1af09d783f60585f57abd123b04c5bf47",
"sha256": "ed13c6f95925fb5cd37d6a954744d3250eb33c42367f31be92c32f41e20f24cc",
"md5": "63670a3b40cea38138bb97e75441c611"
}
],
"name": "Malware Detection Family Feed",
"time_range": {
"to": 1477014315,
"from": 1477012335
}
}
}
}

Examples

These examples request the first 100 detections starting from 2016-10-30 00:00:00 GMT for the Financial category. Responses are returned in XML as the default response format, since the optional format parameter is not specified in the request. The first example uses timestamp as the time format in the request, and the second uses UTC.

/api/feed/malware/detection/family/v2/query/financial/timestamp/1477785600
/api/feed/malware/detection/family/v2/query/**financial/utc**/2016-10-30T00:00:00