Download OpenAPI specification:Download
The API adheres to the REST standard using resource-oriented URLs. All responses are JSON-encoded, follow standard HTTP response codes, and require authentication. The current API version is v1
and significant changes will increment the version number. The major version is part of the URL structure.
OAuth2 Bearer tokens authenticate API access. Tokens expire after 5 minutes and clients should retrieve a new token per request. Unauthorized access triggers a '401 Unauthorized' error The API exclusively operates over HTTPS, HTTP requests are rejected.
Standard HTTP response codes indicate API success or failure. Codes in the 2xx range signify success, while 4xx codes denote request-side errors like missing or invalid parameters. Codes in the 5xx range indicate server errors. Certain responses contain a nullable error
field, revealing any issues on the request.
Access the API example kit here for Python examples on file submission, fetching analysis results, executing searches, and more. The accompanying README explains environment setup, dependencies, and authentication.
Threatray relies on fundamental entities across both API and UI: sample
, analysis
, code region
, and function
.
Analyzing a sample
yields one or more analyses
, with each analysis comprising one or more code regions
. Each code regions
may contain function
for binary files with code.
The term code region
generically refers to a potential code-containing section within an analysis, such as memory dumps from dynamic analysis or the static analysis of a submitted file.
These base entities are uniquely identifiable:
sample
: Identified by Hash (MD5, SHA1, SHA256)analysis
: Identified by UUIDcode region
: Identified by analysis identifier, hash (MD5, SHA1, SHA256), PID, base addressfunction
: Identified by code region identifier, effective addressAPI endpoints return adequate information on these entities, enabling subsequent API calls, like fetching an analysis report after searching for analyses.
Certain API actions initiate tasks lasting seconds or minutes, notably file/URL submissions and signature modifications. These actions return a task ID
used to track task status as follows:
queued
: Awaiting processinganalyzing
: Undergoing processingdone
: Successfully completedfailed
: Unsuccessful due to an errorThe submission API allows to submit samples or URLs for analysis. Samples that already exist in the system can also be reanalyzed. Each submission will return a submission ID that uniquely identifies this submission. Each submission can start multiple tasks, for example when submitting an archive or submitting a sample to multiple environments. Each task is then again identified by its IDs. It is then possible to check the status of an entire submission or a single task.
Reanalyze a previously submitted sample by its hash.
Note: The parameters starting with raw_binary are only allowed and considered in combination with the parameter
raw_binary_file_format set to unknown
, raw
or pe
.
hash required | string Hash of the sample to be reanalyzed. Allowed hash types are MD5, SHA1, SHA256. |
analysis_mode | string Default: "dynamic" Mode of the analysis, can be dynamic (execution of in a sandbox) or static analysis. Allowed values: dynamic, static |
enable_network | boolean Default: "true" Enable or disable network access for the dynamic analysis environment. This only applies to dynamic analyses. |
environments | any Default: "['win10_latest_x64']" type: List[string] The dynamic analysis operating systems to be used for the analysis. This only applies to dynamic analyses. Allowed array values: win10_latest_x64, win7_sp1_x64, win7_sp1_x86 |
label | string Update the label of the sample to be reanalyzed. |
priority | integer Default: "5" Priority of the analysis. Higher values indicate a higher priority for this submission in regards to other scheduled analyses. Allowed values: 0-9 |
raw_binary_cpu_architecture | string The raw_binary_cpu_architecture tells Threatray which CPU architecture it should use to search for function entry points and to disassemble the sample. The value can be empty, x86-32 and x86-64 |
raw_binary_file_format | string The raw binary file format indicates that the sender wants to send a custom binary file which potentially is not supported by default, the supported values here are: unknown, raw, pe |
raw_binary_function_entry_point_detection_needed | boolean If the flag is true, Threatray will try to find function entry points automatically. If it is false, the program expects the request to contain a function entry point |
raw_binary_function_file_offset | string type: int/string This option only allowed in combination with raw_binary_function_entry_point_detection_needed=false. Threatray expects a file offset beginning from the image base address. The parameter accepts decimal or hexadecimal numbers as integer or string e.g 1234 or "0x1234" |
raw_binary_image_base_address | string type: int/string The parameter allows to define the image base address as decimal or hexadecimal number as integer or string e.g 1234 or "0x1234" |
timeout | integer Default: "180" Timeout of the dynamic analysis in seconds. This only applies to dynamic analyses. Allowed values: 15-1500 |
{- "analysis_mode": "dynamic",
- "enable_network": "true",
- "environments": "['win10_latest_x64']",
- "label": "string",
- "priority": "5",
- "raw_binary_cpu_architecture": "string",
- "raw_binary_file_format": "string",
- "raw_binary_function_entry_point_detection_needed": true,
- "raw_binary_function_file_offset": "string",
- "raw_binary_image_base_address": "string",
- "timeout": "180"
}
{- "error": [
- { }
], - "submissions": [
- {
- "analysis": {
- "analysis_mode": "string",
- "enable_network": true,
- "environment": "string",
- "id": "string",
- "threats": [
- { }
], - "timeout": 0,
- "verdict": "string"
}, - "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "sample": {
- "file_name": "string",
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "id": 0,
- "label": "string"
}, - "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "username": "string"
}
]
}
Get the latest file submissions to the system.
user_submissions | number Default: "0" Only return my submissions if set to 1. |
status_filter | string Enum: "queued" "analyzing" "failed" "done" "unsupported" Only return submissions in this status. This must be a comma-separated list. |
{- "submissions": [
- {
- "analysis": {
- "analysis_mode": "string",
- "enable_network": true,
- "environment": "string",
- "id": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string",
- "signature_released": true
}
], - "timeout": 0,
- "verdict": "string"
}, - "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "sample": {
- "file_name": "string",
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "id": 0,
- "label": "string"
}, - "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "username": "string"
}
]
}
Get the latest endpoint scan submissions to the system.
status_filter | string Enum: "queued" "analyzing" "failed" "done" "unsupported" Only return submissions in this status. This must be a comma-separated list. |
{- "submissions": [
- {
- "analysis": {
- "id": "string",
- "label": "string",
- "threats": [
- { }
], - "verdict": "string",
- "warnings": [
- { }
]
}, - "created_at": 0,
- "endpoint": {
- "hostname": "string",
- "id": "string"
}, - "priority": 0,
- "status": "queued",
- "submission_id": "string",
- "task_id": 0
}
]
}
Submit an endpoint scan archive for analysis.
archive required | object type: file-object The archive to be submitted for analysis. |
label | string Label of the submitted archive. |
priority | integer Default: "1" Priority of the analysis. Higher values indicate a higher priority for this submission in regards to other scheduled analyses. Allowed values: 0-9 |
send_notification_to | string If notifications are configured, this parameter can be used to trigger a notification via email on a suspicious or malicious hit. Currently supported values are: email. To configure notifications and recipients for email notifications, please contact our customer support at support@threatray.com. |
{- "archive": { },
- "label": "string",
- "priority": "1",
- "send_notification_to": "string"
}
{- "submissions": [
- {
- "analysis": {
- "analysis_mode": "string",
- "enable_network": true,
- "environment": "string",
- "id": "string",
- "multi_threats": [
- { }
], - "threats": [
- { }
], - "timeout": 0,
- "verdict": "string"
}, - "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "sample": {
- "file_name": "string",
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "id": 0,
- "label": "string",
- "multi_threats": [
- { }
], - "threats": [
- { }
], - "verdict": "string"
}, - "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "username": "string"
}
]
}
Submit a Mandiant MANS file for analysis.
file required | object type: file-object The file to be submitted for analysis. |
label | string Label of the submitted archive. |
priority | integer Default: "1" Priority of the analysis. Higher values indicate a higher priority for this submission in regards to other scheduled analyses. Allowed values: 0-9 |
send_notification_to | string If notifications are configured, this parameter can be used to trigger a notification via email on a suspicious or malicious hit. Currently supported values are: email. To configure notifications and recipients for email notifications, please contact our customer support at support@threatray.com. |
{- "file": { },
- "label": "string",
- "priority": "1",
- "send_notification_to": "string"
}
{- "submissions": [
- {
- "analysis": {
- "analysis_mode": "string",
- "enable_network": true,
- "environment": "string",
- "id": "string",
- "multi_threats": [
- { }
], - "threats": [
- { }
], - "timeout": 0,
- "verdict": "string"
}, - "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "sample": {
- "file_name": "string",
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "id": 0,
- "label": "string",
- "multi_threats": [
- { }
], - "threats": [
- { }
], - "verdict": "string"
}, - "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "username": "string"
}
]
}
Submit a minidump file for analysis.
file required | object type: file-object The minidump file to be submitted for analysis. |
label | string Label of the submitted archive. |
priority | integer Default: "1" Priority of the analysis. Higher values indicate a higher priority for this submission in regards to other scheduled analyses. Allowed values: 0-9 |
{- "file": { },
- "label": "string",
- "priority": "1"
}
{- "submissions": [
- {
- "analysis": {
- "analysis_mode": "string",
- "enable_network": true,
- "environment": "string",
- "id": "string",
- "multi_threats": [
- { }
], - "threats": [
- { }
], - "timeout": 0,
- "verdict": "string"
}, - "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "sample": {
- "file_name": "string",
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "id": 0,
- "label": "string",
- "multi_threats": [
- { }
], - "threats": [
- { }
], - "verdict": "string"
}, - "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "username": "string"
}
]
}
Submit a file or a ZIP file for analysis. A set of parameters can be given to specify how the file should be analyzed.
Note: The parameters starting with raw_binary are only allowed and considered in combination with the parameter
raw_binary_file_format set to unknown
, raw
or pe
.
analysis_mode | string Default: "dynamic" Mode of the analysis, can be dynamic (execution in a sandbox) or static analysis. Allowed values: dynamic, static |
enable_network | boolean Default: "true" Enable or disable network access to the internet (unfiltered) for the dynamic analysis environment. This only applies to dynamic analyses. |
environments | any Default: "['win10_latest_x64']" type: List[string] The dynamic analysis operating systems to be used for the analysis. This only applies to dynamic analyses. Allowed array values: win10_latest_x64, win7_sp1_x64, win7_sp1_x86 |
file required | object type: file-object File to be submitted for analysis. |
first_seen | integer Default: "now" First seen timestamp in UNIX-epoch format of the submitted sample. |
label | string Label of the submitted file. |
priority | integer Default: "1" Priority of the analysis. Higher values indicate a higher priority for this submission in regards to other scheduled analyses. Allowed values: 0-9 |
raw_binary_cpu_architecture | string The raw_binary_cpu_architecture tells Threatray which CPU architecture it should use to search for function entry points and to disassemble the sample. The value can be empty, x86-32 and x86-64 |
raw_binary_file_format | string The raw binary file format indicates that the sender wants to send a custom binary file which potentially is not supported by default, the supported values here are: unknown, raw, pe |
raw_binary_function_entry_point_detection_needed | boolean If the flag is true, Threatray will try to find function entry points automatically. If it is false, the program expects the request to contain a function entry point |
raw_binary_function_file_offset | string type: int/string This option only allowed in combination with raw_binary_function_entry_point_detection_needed=false. Threatray expects a file offset beginning from the image base address. The parameter accepts decimal or hexadecimal numbers as integer or string e.g 1234 or "0x1234" |
raw_binary_image_base_address | string type: int/string The parameter allows to define the image base address as decimal or hexadecimal number as integer or string e.g 1234 or "0x1234" |
source | string Source of the file. |
timeout | integer Default: "180" Timeout of the dynamic analysis in seconds. This only applies to dynamic analyses. Allowed values: 15-1500 |
dll_exports | Array of strings A list of DLL exports that shall be called during execution. For each export, an argument needs to be specified, the argument can be an empty string. |
dll_arguments | Array of strings A list of DLL arguments passed to the DLL exports during execution. For each argument, an export needs to be specified. |
{- "analysis_mode": "dynamic",
- "enable_network": "true",
- "environments": "['win10_latest_x64']",
- "file": { },
- "first_seen": "now",
- "label": "string",
- "priority": "1",
- "raw_binary_cpu_architecture": "string",
- "raw_binary_file_format": "string",
- "raw_binary_function_entry_point_detection_needed": true,
- "raw_binary_function_file_offset": "string",
- "raw_binary_image_base_address": "string",
- "source": "string",
- "timeout": "180",
- "dll_exports": [
- "string"
], - "dll_arguments": [
- "string"
]
}
{- "error": "string",
- "submissions": [
- {
- "analysis": {
- "analysis_mode": "string",
- "enable_network": true,
- "environment": "string",
- "id": "string",
- "threats": [
- { }
], - "timeout": 0,
- "verdict": "string"
}, - "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "sample": {
- "file_name": "string",
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "id": 0,
- "label": "string"
}, - "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "username": "string"
}
]
}
Submit a URL for analysis. All files downloaded from the URL are dynamically analyzed based on the parameters given.
enable_network | boolean Default: "true" Enable or disable network access for the dynamic analysis environment. This only applies to dynamic analyses. |
environments | any Default: "['win10_latest_x64']" type: List[string] The dynamic analysis operating systems to be used for the analysis. This only applies to dynamic analyses. Allowed array values: win10_latest_x64, win7_sp1_x64, win7_sp1_x86 |
first_seen | integer Default: "now" First seen timestamp in UNIX-epoch format of the submitted URL. |
label | string Label of the URL and its downloaded files. |
priority | integer Default: "5" Priority of the analysis. Higher values indicate a higher priority for this submission in regards to other scheduled analyses. Allowed values: 0-9 |
source | string Source of the URL and its downloaded files. |
timeout | integer Default: "180" Timeout of the dynamic analysis in seconds. This only applies to dynamic analyses. Allowed values: 15-1500 |
url required | string URL to be submitted for analysis. |
{- "enable_network": "true",
- "environments": "['win10_latest_x64']",
- "first_seen": "now",
- "label": "string",
- "priority": "5",
- "source": "string",
- "timeout": "180",
- "url": "string"
}
{- "error": "string",
- "submissions": [
- {
- "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "url": {
- "downloaded_files": [
- { }
], - "label": "string",
- "threats": [
- { }
], - "url": "string",
- "verdict": "string"
}, - "username": "string"
}
]
}
Get a list of tasks, optionally filtered by parameters.
file_hash | string Only return tasks matching this file hash (MD5, SHA1, SHA256). |
submission_id | string type: uuid Only return tasks from this submission ID. |
limit | integer Default: "1000" Limit the number of tasks to return. |
{- "tasks": [
- {
- "analysis": {
- "analysis_mode": "string",
- "enable_network": true,
- "environment": "string",
- "id": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string",
- "signature_released": true
}
], - "timeout": 0,
- "verdict": "string"
}, - "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "sample": {
- "file_name": "string",
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "id": 0,
- "label": "string"
}, - "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "username": "string"
}
]
}
Get a task by Analysis ID.
analysis_id required | string <UUID> ID of the analysis for which the task should be returned. |
{- "analysis": {
- "analysis_mode": "string",
- "enable_network": true,
- "environment": "string",
- "id": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string",
- "signature_released": true
}
], - "timeout": 0,
- "verdict": "string"
}, - "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "sample": {
- "file_name": "string",
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "id": 0,
- "label": "string"
}, - "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "username": "string"
}
Get a task by its ID.
task_id required | integer ID of the task to return. |
{- "analysis": {
- "analysis_mode": "string",
- "enable_network": true,
- "environment": "string",
- "id": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string",
- "signature_released": true
}
], - "timeout": 0,
- "verdict": "string"
}, - "created_at": 0,
- "execution_report": [
- { }
], - "extracted_from": "string",
- "modified_at": 0,
- "priority": 0,
- "sample": {
- "file_name": "string",
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "id": 0,
- "label": "string"
}, - "status": "queued",
- "submission_id": "string",
- "task_id": 0,
- "username": "string"
}
The analysis report of a sample contains the following parts:
['General metadata on the sample and analysis.', 'Detection and identification verdicts, with a list of threats found.', 'On dynamic analyses: A list of processes and dumped memory regions from the execution.', 'On dynamic analyses: A set of behavioral artifacts collected during execution.']
Compared to the UI, the report does not include prevalence or OSINT information. You can use the /v1/search
API to
fetch prevalence information.
Get an analysis of a sample identified by its analysis ID.
analysis_id required | string <UUID> ID of the analysis to return. |
{- "analysis": {
- "analysis_time": 0,
- "analysis_timeout": 0,
- "creation_time": 0,
- "environment": "string",
- "execution_report": [
- { }
], - "id": "string",
- "scope": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string"
}
], - "type": "string",
- "verdict": "string"
}, - "ioc": {
- "domains": [
- {
- "domain": "string"
}
], - "files": [
- {
- "filename": "string",
- "hashes": [
- {
- "hash_imphash": "string",
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "hash_ssdeep": "string"
}
], - "operations": [
- "string"
]
}
], - "ips": [
- {
- "ip": "string"
}
], - "mutexes": [
- {
- "mutex": "string"
}
], - "registry": [
- {
- "operations": [
- "string"
], - "registry_key": "string",
- "type": "string",
- "value": "string"
}
], - "urls": [
- {
- "http_methods": [
- "string"
], - "url": "string"
}
]
}, - "processes": [
- {
- "boot_cycle": 0,
- "command_line": "string",
- "end_time": 0,
- "max_time": 0,
- "memory_regions": [
- {
- "base": 0,
- "end_time": 0,
- "file_type": "string",
- "function_count": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "is_pe": true,
- "magic": "string",
- "max_time": 0,
- "signature_id": "string",
- "signatures": [
- {
- "confidence": 0,
- "function_count": 0,
- "id": 0,
- "label": "string",
- "score": 0
}
], - "size": 0,
- "start_time": 0,
- "threats": [
- {
- "confidence": "string",
- "label": "string"
}
], - "type": "string"
}
], - "name": "string",
- "parent_process_id": 0,
- "pid": 0,
- "ppid": 0,
- "process_id": 0,
- "start_time": 0,
- "status": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string"
}
], - "verdict": "string"
}
], - "sample": {
- "downloaded_from": [
- { }
], - "file_name": "string",
- "file_size": 0,
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "is_pe": true,
- "label": "string",
- "magic": "string",
- "osint": [
- { }
], - "static_analysis": {
- "function_count": 0,
- "signature_id": "string",
- "signatures": [
- {
- "confidence": 0,
- "function_count": 0,
- "id": 0,
- "label": "string",
- "score": 0
}
], - "threats": [
- {
- "confidence": "string",
- "label": "string"
}
]
}
}
}
Get a list of endpoint scan analyzes with the option to apply a filter to the query.
verdicts | Array of strings non-empty Default: "unknown&verdicts=suspicious&verdicts=malicious" Items Enum: "malicious" "suspicious" "unknown" Only select analyses with the specified verdicts. |
from_finished_at | string or null <date-time> Only select analyses that were finished on or after the specified date. |
to_finished_at | string or null <date-time> Only select analyses that were finished before or on the specified date. |
limit | integer [ 1 .. 1000 ] Default: 1000 Limit the number of selected analyses. |
cursor | integer or null Default: null Represents a position within the dataset. Include this cursor token in subsequent requests to retrieve the next page of data. If the data is exhausted, the cursor returned by the server is null. |
{- "analyses": [
- {
- "id": "string",
- "analysis_created": "2019-08-24T14:15:22Z",
- "analysis_finished": "2019-08-24T14:15:22Z",
- "scope": "private",
- "threats": [
- {
- "label": "string",
- "confidence": "high",
- "scope": "private"
}
], - "verdict": "malicious",
- "label": "string",
- "endpoint": {
- "id": "string",
- "host_name": "string"
}, - "cursor": 0
}
]
}
Download the binary data of a code region (a memory dump or sample) identified by its hash (MD5, SHA1, SHA256).
hash required | string Hash of the sample/memory dump. |
zipped | boolean Default: "false" Download the file as a password protected ZIP file. The password is 'infected'. |
Get PE metadata (if its a PE file) and strings on a code region identified by hash (MD5, SHA1, SHA256).
hash required | string Hash of a sample/memory dump. |
{- "exports": [
- { }
], - "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "header": {
- "FileHeader": {
- "Characteristics": 0,
- "Flags": [
- "string"
], - "Machine": 0,
- "NumberOfSections": 0,
- "NumberOfSymbols": 0,
- "PointerToSymbolTable": 0,
- "SizeOfOptionalHeader": 0,
- "TimeDateStamp": "string"
}, - "OptionalHeader": {
- "AddressOfEntryPoint": 0,
- "BaseOfCode": 0,
- "BaseOfData": 0,
- "CheckSum": 0,
- "DllCharacteristics": [
- "string"
], - "FileAlignment": 0,
- "ImageBase": 0,
- "LoaderFlags": 0,
- "Magic": 0,
- "MajorImageVersion": 0,
- "MajorLinkerVersion": 0,
- "MajorOperatingSystemVersion": 0,
- "MajorSubsystemVersion": 0,
- "MinorImageVersion": 0,
- "MinorLinkerVersion": 0,
- "MinorOperatingSystemVersion": 0,
- "MinorSubsystemVersion": 0,
- "NumberOfRvaAndSizes": 0,
- "Reserved1": 0,
- "SectionAlignment": 0,
- "SizeOfCode": 0,
- "SizeOfHeaders": 0,
- "SizeOfHeapCommit": 0,
- "SizeOfHeapReserve": 0,
- "SizeOfImage": 0,
- "SizeOfInitializedData": 0,
- "SizeOfStackCommit": 0,
- "SizeOfStackReserve": 0,
- "SizeOfUninitializedData": 0,
- "Subsystem": 0
}
}, - "imports": [
- {
- "DLL": "string"
}
], - "magic": "string",
- "resources": [
- {
- "magic": "string",
- "name": "string"
}
], - "rich_header": {
- "checksum": 0,
- "checksum_valid": true
}, - "scope": "string",
- "sections": [
- {
- "Name": "string",
- "SizeOfRawData": 0,
- "VirtualAddress": 0,
- "VirtualSize": 0
}
], - "size": 0,
- "strings": [
- "string"
], - "version_info": [
- [
- {
- "CompanyName": "string",
- "LangID": 0
}
]
]
}
Get OSINT results for an analysis.
analysis_id required | string <UUID> ID of the analysis. |
{- "osint": [
- {
- "url": "string",
- "samples": [
- {
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "first_seen": "string",
- "verdict": "string",
- "threats": [
- {
- "label": "string",
- "confidence": "string"
}
]
}
], - "relevance": "string"
}
]
}
Get an analysis of a sample identified by hash (MD5, SHA1, SHA256). Always returns the latest analysis of the sample. The contents of the response depends on the type of the analysis, which can be dynamic or static. For static analyses, the keys 'processes' and 'ioc' are set to 'null'.
hash required | string Hash of a sample to return. |
{- "analysis": {
- "analysis_time": 0,
- "analysis_timeout": 0,
- "creation_time": 0,
- "environment": "string",
- "execution_report": [
- { }
], - "id": "string",
- "scope": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string"
}
], - "type": "string",
- "verdict": "string"
}, - "ioc": {
- "domains": [
- {
- "domain": "string"
}
], - "files": [
- {
- "filename": "string",
- "hashes": [
- {
- "hash_imphash": "string",
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "hash_ssdeep": "string"
}
], - "operations": [
- "string"
]
}
], - "ips": [
- {
- "ip": "string"
}
], - "mutexes": [
- {
- "mutex": "string"
}
], - "registry": [
- {
- "operations": [
- "string"
], - "registry_key": "string",
- "type": "string",
- "value": "string"
}
], - "urls": [
- {
- "http_methods": [
- "string"
], - "url": "string"
}
]
}, - "processes": [
- {
- "boot_cycle": 0,
- "command_line": "string",
- "end_time": 0,
- "max_time": 0,
- "memory_regions": [
- {
- "base": 0,
- "end_time": 0,
- "file_type": "string",
- "function_count": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "is_pe": true,
- "magic": "string",
- "max_time": 0,
- "signature_id": "string",
- "signatures": [
- {
- "confidence": 0,
- "function_count": 0,
- "id": 0,
- "label": "string",
- "score": 0
}
], - "size": 0,
- "start_time": 0,
- "threats": [
- {
- "confidence": "string",
- "label": "string"
}
], - "type": "string"
}
], - "name": "string",
- "parent_process_id": 0,
- "pid": 0,
- "ppid": 0,
- "process_id": 0,
- "start_time": 0,
- "status": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string"
}
], - "verdict": "string"
}
], - "sample": {
- "downloaded_from": [
- { }
], - "file_name": "string",
- "file_size": 0,
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "is_pe": true,
- "label": "string",
- "magic": "string",
- "osint": [
- { }
], - "static_analysis": {
- "function_count": 0,
- "signature_id": "string",
- "signatures": [
- {
- "confidence": 0,
- "function_count": 0,
- "id": 0,
- "label": "string",
- "score": 0
}
], - "threats": [
- {
- "confidence": "string",
- "label": "string"
}
]
}
}
}
Get an analysis of a sample identified by hash (MD5, SHA1, SHA256). Returns the analysis indicated by the analysis ID. parameter.
hash required | string Hash of the sample of interest. |
analysis_id required | string <UUID> ID of the analysis to return. |
{- "analysis": {
- "analysis_time": 0,
- "analysis_timeout": 0,
- "creation_time": 0,
- "environment": "string",
- "execution_report": [
- { }
], - "id": "string",
- "scope": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string"
}
], - "type": "string",
- "verdict": "string"
}, - "ioc": {
- "domains": [
- {
- "domain": "string"
}
], - "files": [
- {
- "filename": "string",
- "hashes": [
- {
- "hash_imphash": "string",
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "hash_ssdeep": "string"
}
], - "operations": [
- "string"
]
}
], - "ips": [
- {
- "ip": "string"
}
], - "mutexes": [
- {
- "mutex": "string"
}
], - "registry": [
- {
- "operations": [
- "string"
], - "registry_key": "string",
- "type": "string",
- "value": "string"
}
], - "urls": [
- {
- "http_methods": [
- "string"
], - "url": "string"
}
]
}, - "processes": [
- {
- "boot_cycle": 0,
- "command_line": "string",
- "end_time": 0,
- "max_time": 0,
- "memory_regions": [
- {
- "base": 0,
- "end_time": 0,
- "file_type": "string",
- "function_count": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "is_pe": true,
- "magic": "string",
- "max_time": 0,
- "signature_id": "string",
- "signatures": [
- {
- "confidence": 0,
- "function_count": 0,
- "id": 0,
- "label": "string",
- "score": 0
}
], - "size": 0,
- "start_time": 0,
- "threats": [
- {
- "confidence": "string",
- "label": "string"
}
], - "type": "string"
}
], - "name": "string",
- "parent_process_id": 0,
- "pid": 0,
- "ppid": 0,
- "process_id": 0,
- "start_time": 0,
- "status": "string",
- "threats": [
- {
- "confidence": "string",
- "label": "string"
}
], - "verdict": "string"
}
], - "sample": {
- "downloaded_from": [
- { }
], - "file_name": "string",
- "file_size": 0,
- "file_type": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "is_pe": true,
- "label": "string",
- "magic": "string",
- "osint": [
- { }
], - "static_analysis": {
- "function_count": 0,
- "signature_id": "string",
- "signatures": [
- {
- "confidence": 0,
- "function_count": 0,
- "id": 0,
- "label": "string",
- "score": 0
}
], - "threats": [
- {
- "confidence": "string",
- "label": "string"
}
]
}
}
}
Get a list of functions of the binary file with their respective threats.
analysis_id | string <UUID> The analysis ID containing the binary file. |
base | integer If the binary file is a memory dump, then this specifies its base address in memory. |
hash required | string The hash (MD5, SHA1, SHA256) of the binary file. |
pid | integer If the binary file is a memory dump, then this specifies the PID of the process. |
{- "analysis_id": "string",
- "base": 0,
- "hash": "string",
- "pid": 0
}
{- "functions": [
- {
- "analysis_id": "string",
- "sample": "string",
- "code_region": "string",
- "pid": 0,
- "base": 0,
- "uid": "string",
- "address": 0,
- "size": 0,
- "threats": {
- "analysis_id": "string",
- "sample": "string",
- "code_region": "string",
- "pid": 0,
- "base": 0,
- "uid": "string",
- "address": 0,
- "size": 0,
- "label": "string",
- "scope": "string",
- "confidence": "string",
- "type": "string"
}
}
]
}
Threatray provides a powerful search engine running over all private and public analyses. Refer to the user guide for the search syntax.
Submit a search query, e.g. 'ip:"10.11.12.13".
query required | string Search query to submit. The query is validated and invalid queries will return an error. |
date | number Default: "0" Only return samples from the last x days, based on first_seen dates. Options: Xd, e.g. |
max_results | number Default: "1000" Maximum number of resulting samples to return. |
scope | string Default: "both" Limit the search query to a certain search scope. By default it is both, which means it looks up for samples in your private and in the public repository. Accepted values: |
{- "aggregations": {
- "domain": [
- {
- "count": 0,
- "is_query": true,
- "key": "string",
- "private": 0,
- "public": 0
}
], - "file": [
- {
- "count": 0,
- "is_query": true,
- "key": "string",
- "private": 0,
- "public": 0
}
], - "ip": [
- {
- "count": 0,
- "is_query": true,
- "key": "string",
- "private": 0,
- "public": 0
}
], - "mutex": [
- { }
], - "process": [
- {
- "count": 0,
- "is_query": true,
- "key": "string",
- "private": 0,
- "public": 0
}
], - "registry": [
- {
- "count": 0,
- "is_query": true,
- "key": "string",
- "private": 0,
- "public": 0
}
], - "threats": [
- {
- "count": 0,
- "is_query": true,
- "key": "string",
- "private": 0,
- "public": 0,
- "scope": "string"
}
], - "url": [
- {
- "count": 0,
- "is_query": true,
- "key": "string",
- "private": 0,
- "public": 0
}
]
}, - "analyses": [
- {
- "analysis_created": "string",
- "analysis_timestamp": 0,
- "environment": "string",
- "id": "string",
- "sample": {
- "file_size": 0,
- "file_type": "string",
- "filename": "string",
- "first_seen": 0,
- "hash_md5": "string",
- "hash_sha1": "string",
- "hash_sha256": "string",
- "label": "string",
- "osint": true
}, - "scope": "string",
- "similarity": 0,
- "threats": [
- {
- "confidence": "string",
- "label": "string",
- "scope": "string"
}
], - "verdict": "string"
}
]
}