YARAify API
YARAify offers the following API endpoint.
Obtain an Auth-Key (Required)
In order to interact with the MalwareBazaar API, you need to obtain an Auth-Key
first. If you don't have one you can get one for free here:
Whenever you interact with the YARAify API, you must include the HTTP header Auth-Key
with your Auth-Key. Example curl
command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_results", "task_id": "fb2763e9-7b84-11ec-9f01-42010aa4000b" '} https://yaraify-api.abuse.ch/api/v1/
Scan a file
You can scan a file against public and non-public YARA and ClamAV signatures as documented below. In addition, this API enpoint also supports optional malware sample unpacking (PE executables only).
A few important notes before you scan a file using the API:
- You can use an
identifier
to keep track of your submissions. Please have a look at the documentation of the corresponding API endpoint - Malware sample unpacking (
unpack
) is disabled by default. If you would like to use this feature, set the parameterunpack
to1
- Files submitted for scanning are shared by default. If you do not wish to share your submitted files, set parameter
share_file
to0
Parameter | Required? | Default | Comment | Possible values |
---|---|---|---|---|
file | Yes | None | The file you want to scan | n/a |
identifier | No | None | Optional identifier to associate this submission with | n/a |
clamav_scan | No | 1 | Defines whether to scan the file with ClamAV | 0 or 1 |
unpack | No | 0 | Defines whether to unpack the file | 0 or 1 |
share_file | No | 1 | Defines whether the file is public and may be shared with 3rd parties | 0 or 1 |
skip_known | No | 0 | If 1 , YARAify will not process the file if the file is already known | 0 or 1 |
skip_noisy | No | 0 | If 1 , YARAify skips the file if it already has been scanned at least 10 times within the past 24 hours. It will return the latest task_id instead | 0 or 1 |
Here's a very basic sample python3 script for submitting a file to the scan engine:
#!/usr/bin/env python3 import requests import json files = { 'file': (open('sample.exe','rb')) } response = requests.post('https://yaraify-api.abuse.ch/api/v1/', files=files, verify=True) print(response.content.decode("utf-8", "ignore"))
Here's a bit a more advanced sample python3 script for submitting a file to the scan engine with custom parameters set:
#!/usr/bin/env python3 import requests import json data = { 'clamav_scan': 1, 'unpack': 1 } files = { 'json_data': (None, json.dumps(data), 'application/json'), 'file': (open('sample.exe','rb')) } response = requests.post('https://yaraify-api.abuse.ch/api/v1/', files=files, verify=True) print(response.content.decode("utf-8", "ignore"))
More example scripts for interaction with the API are available on Gitlab:
Query a task ID
This API endpoint is used to fetch the current status (task_status
) of a task_id
along with, if the task has already been procsssed by the scanning engine, the scan results.
Parameter | Required? | Default | Comment | Possible values |
---|---|---|---|---|
query | Yes | None | Must be get_results to query to this enpoint | n/a |
task_id | Yes | None | The task_id you want to query the API for | n/a |
malpedia-token | No | None | Optional: your Malpedia Token | n/a |
Malpedia maintains a set of public and non-public YARA rules. If you provide your malpedia-token
, you will not only receive results from their public YARA rules (TLP:WHITE) but also matches on their non-public rulesets (TLP:GREEN, TLP:AMBER and TLP:RED). Please note that your token will temporarily be stored for verification against the Malpedia API.
Here's a sample curl command that shows how to query the API for a task_id
:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_results", "task_id": "fb2763e9-7b84-11ec-9f01-42010aa4000b" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "data": { "yaraify_parameters": { "clamav_scan": 1, "unpack": 1, "share_file": 1 }, "metadata": { "file_name": "b0bb095dd0ad8b8de1c83b13c38e68dd.exe", "file_size": 792372, "file_type_mime": "application\/x-dosexec", "first_seen": "2022-01-22 19:24:01 UTC", "last_seen": "2022-01-23 14:52:44 UTC", "sightings": 11, "unpacked_files_cnt": 2 }, "static_results": [ { "rule_name": "xxx", "author": "xxx", "description": "xxx", "reference": "xxx", "yarahub_uuid": "xxx", "tlp": "AMBER" }, { "rule_name": "MALW_emotet", "author": "Marc Rivero | McAfee ATR Team", "description": "Rule to detect unpacked Emotet", "reference": null, "yarahub_uuid": null, "tlp": "WHITE" } ], "clamav_results": [ "SecuriteInfo.com.Trojan.GenericKD.47707798.UNOFFICIAL", "TwinWave.EvilDoc.DOCXRSTRGOOD.MSHTA.210816.UNOFFICIAL", "TwinWave.EvilDoc.Excel4DragoTrainingMontage.20210204.UNOFFICIAL", "TwinWave.EvilDoc.DOCXSTRGOODXL4.HTTP", "TwinWave.EvilDoc.Emotet46and2.20220119.UNOFFICIAL" ], "unpack_results": [ { "unpacked_file_name": "10000000.dll", "unpacked_md5": "d87f7e2caa4e48c3f98d352a9e087ab8", "unpacked_sha256": "8c7236d27b8dbaffcd64d9b5155e8c416f33102604ab27076d32c321681ae5c3", "unpacked_yara_matches": [ { "rule_name": "xxx", "author": "xxx", "description": "xxx", "reference": "xxx", "yarahub_uuid": "xxx", "tlp": "GREEN" }, { "rule_name": "win_younglotus_auto", "author": "Detects win.younglotus.", "description": null, "reference": "Felix Bilstein - yara-signator at cocacoding dot com", "yarahub_uuid": null, "tlp": "WHITE" }, { "rule_name": "MALWARE_Win_Zegost", "author": "Detects Zegost", "description": null, "reference": "ditekSHen", "yarahub_uuid": null, "tlp": "WHITE" } ] }, { "unpacked_file_name": "400000.b0bb095dd0ad8b8de1c83b13c38e68dd", "unpacked_md5": "b5c96bab82e2ca1f8b6246f58ce3ffed", "unpacked_sha256": "bd1e271a049045633f995ba1d3a80176b2d2a117543e0972b0a2c5e0519cb9b2", "unpacked_yara_matches": [ { "rule_name": "with_urls", "author": "Rule to detect the presence of an or several urls", "description": "http:\/\/laboratorio.blogs.hispasec.com\/", "reference": "Antonio Sanchez", "yarahub_uuid": null, "tlp": "WHITE" }, { "rule_name": "without_attachments", "author": "Rule to detect the no presence of any attachment", "description": "http:\/\/laboratorio.blogs.hispasec.com\/", "reference": "Antonio Sanchez ", "yarahub_uuid": null, "tlp": "WHITE" }, { "rule_name": "win_mbrlock_auto", "author": "Detects win.mbrlock.", "description": null, "reference": "Felix Bilstein - yara-signator at cocacoding dot com", "yarahub_uuid": null, "tlp": "WHITE" } ] } ] } }
As you can see, matches on non-public YARA rules (e.g. such from Malpedia) are being replaced with "xxx".
The value for yarahub_uuid
is empty (null
) if the matching YARA rule does not originate from YARAhub.
A example script for querying the YARAify API for a task id is available on our github:
Using identifiers
You can keep track of a file that you have submitted using the task_id
you got back from the API after your submission. However, you can use identifiers to keep track of your submissions. The documentation below shows you how to create identifiers and how you can use them to keep track of your submissions.
Create an identifier
In order to create an identifier
, you must send a HTTP POST request to the API as documented below. The API will create and return an identifier
to you.
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://yaraify-api.abuse.ch/api/v1/ -d '{ "query": "generate_identifier" }'
Of course, you can identify as many identifiers as you want (e.g. for different systems that submit files to the API for scanning). However, a submission can only be associated with one identifier.
Note
Make sure that you keep any identifier you generate private. Do not share it with anyone. 3rd parties who gain access to your identifier will be able to view your submissions!
Keeping track of your submissions
The following endpoint lets you query the API for an identifier
, which will then return a list of corresponding submissions from the past 24 hours. In you can use an additional filter
to filter for processed
or queued
submissions from the past 24 hours. Please note that the output is limited to max 250 entries.
Here's a sample curl command that shows how to query the API for an identifier
while filtering for processed
submissions (while xxxxxxxx
is a placeholder for your identifier
):
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://yaraify-api.abuse.ch/api/v1/ -d '{ "query": "list_tasks", "identifier": "xxxxxxxx", "task_status": "processed"}'
A response from this API endpoint looks like this:
{ "query_status": "ok", "data": [ { "task_id": "9b91e5d3-7b7e-11ec-9f01-42010aa1000b", "task_status": "processed", "md5_hash": "83fdeaf19ae60e26dd0b53ab74a66f55", "sha256_hash": "65104ef88eb6e5e0416a33fe16709450ff79b3698266b9ce96af3d848cf44c48", "file_name": "dropped.dll" }, { "task_id": "3b895428-7b7e-11ec-9f01-62010aa4000b", "task_status": "processed", "md5_hash": "3677819a63a436c7d90d01e8fab38eb6", "sha256_hash": "2c4591542b85eb8601213322454ba4aabc683ae03b70a8244436895575732be8", "file_name": "evil.dll" }, { "task_id": "7b817a16-7b7e-12ec-9f01-02010aa4000b", "task_status": "processed", "md5_hash": "fd5c9eaf79bb0abe8372364553933215", "sha256_hash": "09a7c4f3878793169f3a1c2467a1c160534255b5d0ca13db6b4c5c4178ef3379", "file_name": "emotet_sample.exe" } }
A example script for querying the YARAify API for an identifier is available on our github:
Query a file hash
You can query YARAify for a file hash (SHA256 hash
, MD5 hash
, SHA1 hash
or SHA3-384 hash
) by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | lookup_hash | |
search_term | a638404ab71199981be143591853b[...] | File hash of the file you want to download |
malpedia-token | Dummy | Optional: your Malpedia Token |
Malpedia maintains a set of public and non-public YARA rules. If you provide your malpedia-token
, you will not only receive results from their public YARA rules (TLP:WHITE) but also matches on their non-public rulesets (TLP:GREEN, TLP:AMBER and TLP:RED). Please note that your token will temporarily be stored for verification against the Malpedia API.
Here's a sample curl command that shows how to query the API for a SHA256 hash
:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "lookup_hash", "search_term": "b0bb095dd0ad8b8de1c83b13c38e68dd" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "data": { "metadata": { "file_size": 792372, "file_type_mime": "application\/x-dosexec", "first_seen": "2022-01-22 19:24:01 UTC", "last_seen": "2022-01-23 14:52:44 UTC", "sightings": 11, "sha256_hash": "de7fa65d5cd5314ba0ce6ab19a7dcd9853639a1152447457de7efb39a9ba1f46", "md5_hash": "b0bb095dd0ad8b8de1c83b13c38e68dd", "sha1_hash": "cc597480e2f833f48e67ec75cd2c41547ceeb04c", "sha3_384": "21527985085b570a8c429df8f3e8cfc0da5664b605c641d05a1f09692539a1d51deac5d60622290ee86fdd9b250dcf4e", "imphash": null, "ssdeep": null, "tlsh": null, "telfhash": null, "gimphash": null, "dhash_icon": null }, "tasks": [ { "task_id": "1f3da23c-7c5c-11ec-9f01-42010aa4000b", "time_stamp": "2022-01-23 14:52:44 UTC", "file_name": "b0bb095dd0ad8b8de1c83b13c38e68dd.exe", "task_parameters": { "clamav_scan": 1, "unpack": 1, "share_file": 1 }, "unpacked_files_cnt": "2", "clamav_results": [ "PUA.Win.Packer.Upx-4", "Win.Dropper.Gh0stRAT-9789289-0", "Win.Dropper.Gh0stRAT-9789290-0", "Win.Malware.FlyAgent-9850229-1", "Win.Malware.Zusy-5710245-0" ], "static_results": [ { "rule_name": "pe_imphash", "author": null, "description": null, "reference": null, "yarahub_uuid": null, "tlp": "WHITE" }, { "rule_name": "Skystars_Malware_Imphash", "author": "Skystars LightDefender", "description": "imphash", "reference": null, "yarahub_uuid": null, "tlp": "WHITE" } ], "unpack_results": [ { "unpacked_file_name": "10000000.dll", "unpacked_md5": "d87f7e2caa4e48c3f98d352a9e087ab8", "unpacked_sha256": "8c7236d27b8dbaffcd64d9b5155e8c416f33102604ab27076d32c321681ae5c3", "unpacked_yara_matches": [ { "rule_name": "xxx", "author": "xxx", "description": "xxx", "reference": "xxx", "yarahub_uuid": "xxx", "tlp": "GREEN" }, { "rule_name": "win_younglotus_auto", "author": "Detects win.younglotus.", "description": null, "reference": "Felix Bilstein - yara-signator at cocacoding dot com", "yarahub_uuid": null, "tlp": "WHITE" }, { "rule_name": "MALWARE_Win_Zegost", "author": "Detects Zegost", "description": null, "reference": "ditekSHen", "yarahub_uuid": null, "tlp": "WHITE" } ] }, { "unpacked_file_name": "400000.b0bb095dd0ad8b8de1c83b13c38e68dd", "unpacked_md5": "b5c96bab82e2ca1f8b6246f58ce3ffed", "unpacked_sha256": "bd1e271a049045633f995ba1d3a80176b2d2a117543e0972b0a2c5e0519cb9b2", "unpacked_yara_matches": [ { "rule_name": "with_urls", "author": "Rule to detect the presence of an or several urls", "description": "http:\/\/laboratorio.blogs.hispasec.com\/", "reference": "Antonio Sanchez", "yarahub_uuid": null, "tlp": "WHITE" }, { "rule_name": "without_attachments", "author": "Rule to detect the no presence of any attachment", "description": "http:\/\/laboratorio.blogs.hispasec.com\/", "reference": "Antonio Sanchez ", "yarahub_uuid": null, "tlp": "WHITE" }, { "rule_name": "win_mbrlock_auto", "author": "Detects win.mbrlock.", "description": null, "reference": "Felix Bilstein - yara-signator at cocacoding dot com", "yarahub_uuid": null, "tlp": "WHITE" } ] } ] }, { "task_id": "e7cdd149-7c5b-11ec-9f01-42010aa4000b", "time_stamp": "2022-01-23 14:51:11 UTC", "file_name": "b0bb095dd0ad8b8de1c83b13c38e68dd.exe", "task_parameters": { "clamav_scan": 1, "unpack": 0, "share_file": 1 }, "unpacked_files_cnt": "0", "clamav_results": [ "PUA.Win.Packer.Upx-4", "Win.Dropper.Gh0stRAT-9789289-0", "Win.Dropper.Gh0stRAT-9789290-0", "Win.Malware.FlyAgent-9850229-1", "Win.Malware.Zusy-5710245-0" ], "static_results": [ { "rule_name": "pe_imphash", "author": null, "description": null, "reference": null, "tlp": "WHITE" }, { "rule_name": "Skystars_Malware_Imphash", "author": "Skystars LightDefender", "description": "imphash", "reference": null, "tlp": "WHITE" } ], "unpack_results": [] }, [...] ] } }
As you can see, matches on non-public YARA rules (e.g. such from Malpedia) are being replaced with "xxx".
The value for yarahub_uuid
is empty (null
) if the matching YARA rule does not originate from YARAhub.
Query YARA rule
You can get a list of recent files matching a specific YARA rule
by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | get_yara | |
search_term | MALWARE_Win_Neshta | YARA Rule you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_yara", "search_term": "MALWARE_Win_Neshta" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "query_info": { "search_scope": "all time", "result_count": 13, "result_max": 500 }, "data": [ { "sha256_hash": "5e3834ebbd42dbdbe6251efbf12869b3a70880f3535765ad8109b458543c8b2e", "file_size": 792412, "mime_type": "application\/x-dosexec", "md5_hash": "37fe12185eceac065501e65ba3851463", "sha1_hash": "d29f33a7d26b7d7253e07bc7517779076a5b021f", "sha3_384_hash": "24f01256c2587cced649065378fd982298152ab5685d9f4c741c2cecd77a35ed3f878d69f65ef801640fb85aee071474", "first_seen": "2022-04-15 08:24:20 UTC", "last_seen": null, "sightings": 1, "imphash": "43fd39eb6df6bf3a9a3edd1f646cd16e", "ssdeep": "12288:PGXqG\/H1k6hUvoNUrIE33T5zTTlL9O3ZO6epkflNaGD0u74tt+3hJLGgFqLM:PZwk6hUv\/sEnnL6zLaGD46LLGng", "tlsh": "T138F423C1EB53E7E1C8EF4D38920FFB6546642102AE00095779E68E58BDFC3B2335568A", "telfhash": null, "gimphash": null, "dhash_icon": null }, { "sha256_hash": "b9807ee941907647ce285fab2687e4796f7f3c76afc5c8c9c141ca3568fcf87a", "file_size": 1576960, "mime_type": "application\/x-dosexec", "md5_hash": "9161ee3cf96fda13ca70d450705b9002", "sha1_hash": "3f97d7d2fe39c0f0cddfa89a3f4066bf0d3bdb4b", "sha3_384_hash": "3734b149a09675adcb26c8775083dcd5ca037797c6e6262d6c89d19de6eeff8f731e6e71e80b20e515b4af35f5f7c39e", "first_seen": "2022-04-14 20:54:31 UTC", "last_seen": "2022-04-14 20:54:31 UTC", "sightings": 2, "imphash": null, "ssdeep": "24576:JB4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8zOkik9eZ:TjnJMnU4u8lG42KzOkikw", "tlsh": "T18B75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D", "telfhash": null, "gimphash": null, "dhash_icon": "7171717169e8e8e8" }, { "sha256_hash": "1d580d9f99a387f0735bde436955d7595dfb4f7c41fc9968cc1aa78734fa4d2a", "file_size": 1578496, "mime_type": "application\/x-dosexec", "md5_hash": "ea3f7b921ceca64d2100850cbef4aa55", "sha1_hash": "9b09dc4da34863ab96cad9ed4cf53e0d7b87ffef", "sha3_384_hash": "bcd24af5bd6a1b2602ca5916e0453f2f4a2f8543281051fd3bc3cd227d4cd8fb10b5c7cc1daa8cbd36162f7b13671bf2", "first_seen": "2022-04-12 16:15:34 UTC", "last_seen": null, "sightings": 1, "imphash": null, "ssdeep": "24576:T4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8QOkik9eZ:TjnJMnU4u8lG42KQOkikw", "tlsh": "T1AE75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D", "telfhash": null, "gimphash": null, "dhash_icon": "7171717169e8e8e8" }, [...] }
Query ClamAV Signature
You can get a list of recent files associated with a specific ClamAV signature
by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | get_clamav | |
search_term | Win.Dropper.Gh0stRAT-9789290-0 | ClamAV signature you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_clamav", "search_term": "Win.Dropper.Gh0stRAT-9789290-0" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "query_info": { "search_scope": "all time", "result_count": 13, "result_max": 500 }, "data": [ { "sha256_hash": "5e3834ebbd42dbdbe6251efbf12869b3a70880f3535765ad8109b458543c8b2e", "file_size": 792412, "mime_type": "application\/x-dosexec", "md5_hash": "37fe12185eceac065501e65ba3851463", "sha1_hash": "d29f33a7d26b7d7253e07bc7517779076a5b021f", "sha3_384_hash": "24f01256c2587cced649065378fd982298152ab5685d9f4c741c2cecd77a35ed3f878d69f65ef801640fb85aee071474", "first_seen": "2022-04-15 08:24:20 UTC", "last_seen": null, "sightings": 1, "imphash": "43fd39eb6df6bf3a9a3edd1f646cd16e", "ssdeep": "12288:PGXqG\/H1k6hUvoNUrIE33T5zTTlL9O3ZO6epkflNaGD0u74tt+3hJLGgFqLM:PZwk6hUv\/sEnnL6zLaGD46LLGng", "tlsh": "T138F423C1EB53E7E1C8EF4D38920FFB6546642102AE00095779E68E58BDFC3B2335568A", "telfhash": null, "gimphash": null, "dhash_icon": null }, { "sha256_hash": "b9807ee941907647ce285fab2687e4796f7f3c76afc5c8c9c141ca3568fcf87a", "file_size": 1576960, "mime_type": "application\/x-dosexec", "md5_hash": "9161ee3cf96fda13ca70d450705b9002", "sha1_hash": "3f97d7d2fe39c0f0cddfa89a3f4066bf0d3bdb4b", "sha3_384_hash": "3734b149a09675adcb26c8775083dcd5ca037797c6e6262d6c89d19de6eeff8f731e6e71e80b20e515b4af35f5f7c39e", "first_seen": "2022-04-14 20:54:31 UTC", "last_seen": "2022-04-14 20:54:31 UTC", "sightings": 2, "imphash": null, "ssdeep": "24576:JB4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8zOkik9eZ:TjnJMnU4u8lG42KzOkikw", "tlsh": "T18B75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D", "telfhash": null, "gimphash": null, "dhash_icon": "7171717169e8e8e8" }, { "sha256_hash": "1d580d9f99a387f0735bde436955d7595dfb4f7c41fc9968cc1aa78734fa4d2a", "file_size": 1578496, "mime_type": "application\/x-dosexec", "md5_hash": "ea3f7b921ceca64d2100850cbef4aa55", "sha1_hash": "9b09dc4da34863ab96cad9ed4cf53e0d7b87ffef", "sha3_384_hash": "bcd24af5bd6a1b2602ca5916e0453f2f4a2f8543281051fd3bc3cd227d4cd8fb10b5c7cc1daa8cbd36162f7b13671bf2", "first_seen": "2022-04-12 16:15:34 UTC", "last_seen": null, "sightings": 1, "imphash": null, "ssdeep": "24576:T4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8QOkik9eZ:TjnJMnU4u8lG42KQOkikw", "tlsh": "T1AE75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D", "telfhash": null, "gimphash": null, "dhash_icon": "7171717169e8e8e8" }, [...] }
Query imphash
You can get a list of recent files associated with a specific imphash
by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | get_imphash | |
search_term | 680b9682922177224183342c299d809f | imphash you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_imphash", "search_term": "680b9682922177224183342c299d809f" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "query_info": { "search_scope": "all time", "result_count": 64, "result_max": 250 }, "data": [ { "sha256_hash": "0278236466b0915e5b5fb228033a46c7ed1d9f29ce07f5784b3746e8ea64fadb", "file_size": 1750234, "mime_type": "application\/x-dosexec", "md5_hash": "77bfdf73e32b496bb9f111c304b8fb95", "sha1_hash": "8a88235b7bc5a8e4cc233532e4011b2fae4ac257", "sha3_384_hash": "f9826bdc674c19a3867a3b1d78c0ba1897303d70eb7ed5eaa6755bed3f368caaaea9543bd84ea66b086b653b1e23b2dd", "first_seen": "2022-04-14 10:23:53 UTC", "last_seen": null, "sightings": 1, "imphash": "680b9682922177224183342c299d809f", "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb", "tlsh": "T193859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F", "telfhash": null, "gimphash": null, "dhash_icon": "399998ecd4d46c0e" }, { "sha256_hash": "72011546699b21166467da8d7bd37ff0d96717288519f3fad8c19750e39aca42", "file_size": 1771258, "mime_type": "application\/x-dosexec", "md5_hash": "59f2c99f52c368a923c74621d8b4e6fd", "sha1_hash": "fe5e0f5cf0ebd90e17034483eb9a902dd5cdd7bc", "sha3_384_hash": "8038039ec77602fbfe8ac922a7e1509c42dcbf6f07713af294df84c780b438e9b85181eab199ed8bcc70bba259bb18be", "first_seen": "2022-04-14 10:17:43 UTC", "last_seen": null, "sightings": 1, "imphash": "680b9682922177224183342c299d809f", "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb", "tlsh": "T1AE859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F", "telfhash": null, "gimphash": null, "dhash_icon": "399998ecd4d46c0e" }, { "sha256_hash": "cb36a871888de7f8de75a2e0204526e07429390e9a15a7031406c9d3c2ee2207", "file_size": 1747228, "mime_type": "application\/x-dosexec", "md5_hash": "825b058531390b5c602b02353a5fa550", "sha1_hash": "09b9844ff84985cba76060b8f982060287b77fde", "sha3_384_hash": "7e376e7c47642c0729d87337696e3b1940c91b0cd410668d642f37a8a492e7502d0daeda56529a710fa0f81a09aecf38", "first_seen": "2022-04-13 19:52:33 UTC", "last_seen": null, "sightings": 1, "imphash": "680b9682922177224183342c299d809f", "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb", "tlsh": "T1F3859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F", "telfhash": null, "gimphash": null, "dhash_icon": "399998ecd4d46c0e" } [...] }
Query tlsh
You can get a list of recent files associated with a specific tlsh
by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | get_tlsh | |
search_term | T140551236C8E05951CAEFD73315186AF[...] | tlsh you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_tlsh", "search_term": "T140551236C8E05951CAEFD73315186AF983182477CCC9E5BB0E6B36D62CB6431A36B06D" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "query_info": { "search_scope": "all time", "result_count": 64, "result_max": 250 }, "data": [ { "sha256_hash": "0278236466b0915e5b5fb228033a46c7ed1d9f29ce07f5784b3746e8ea64fadb", "file_size": 1750234, "mime_type": "application\/x-dosexec", "md5_hash": "77bfdf73e32b496bb9f111c304b8fb95", "sha1_hash": "8a88235b7bc5a8e4cc233532e4011b2fae4ac257", "sha3_384_hash": "f9826bdc674c19a3867a3b1d78c0ba1897303d70eb7ed5eaa6755bed3f368caaaea9543bd84ea66b086b653b1e23b2dd", "first_seen": "2022-04-14 10:23:53 UTC", "last_seen": null, "sightings": 1, "imphash": "680b9682922177224183342c299d809f", "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb", "tlsh": "T193859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F", "telfhash": null, "gimphash": null, "dhash_icon": "399998ecd4d46c0e" }, { "sha256_hash": "72011546699b21166467da8d7bd37ff0d96717288519f3fad8c19750e39aca42", "file_size": 1771258, "mime_type": "application\/x-dosexec", "md5_hash": "59f2c99f52c368a923c74621d8b4e6fd", "sha1_hash": "fe5e0f5cf0ebd90e17034483eb9a902dd5cdd7bc", "sha3_384_hash": "8038039ec77602fbfe8ac922a7e1509c42dcbf6f07713af294df84c780b438e9b85181eab199ed8bcc70bba259bb18be", "first_seen": "2022-04-14 10:17:43 UTC", "last_seen": null, "sightings": 1, "imphash": "680b9682922177224183342c299d809f", "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb", "tlsh": "T1AE859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F", "telfhash": null, "gimphash": null, "dhash_icon": "399998ecd4d46c0e" }, { "sha256_hash": "cb36a871888de7f8de75a2e0204526e07429390e9a15a7031406c9d3c2ee2207", "file_size": 1747228, "mime_type": "application\/x-dosexec", "md5_hash": "825b058531390b5c602b02353a5fa550", "sha1_hash": "09b9844ff84985cba76060b8f982060287b77fde", "sha3_384_hash": "7e376e7c47642c0729d87337696e3b1940c91b0cd410668d642f37a8a492e7502d0daeda56529a710fa0f81a09aecf38", "first_seen": "2022-04-13 19:52:33 UTC", "last_seen": null, "sightings": 1, "imphash": "680b9682922177224183342c299d809f", "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb", "tlsh": "T1F3859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F", "telfhash": null, "gimphash": null, "dhash_icon": "399998ecd4d46c0e" } [...] }
Query telfhash
You can get a list of recent files associated with a specific telfhash
by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | get_telfhash | |
search_term | t1dd211d716b2195266ea0cd9088eca7[...] | telfhash you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_telfhash", "search_term": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "query_info": { "search_scope": "all time", "result_count": 9, "result_max": 250 }, "data": [ { "sha256_hash": "56c438f5a581a639f3f3853f2a01d850f51faf0fdd50f4f07bbc0826a0aabe55", "file_size": 134572, "mime_type": "application\/x-executable", "md5_hash": "e259d954ad3f1b037c3ba0fbcf109a3c", "sha1_hash": "71d11d2e8dd7256136108752303f06746dd91a56", "sha3_384_hash": "9a1d4e5ab8c336d8d6c332716c317255c1eeec9de16c3896e258e71470d65408f86e9a5ddb84c780550e1020fdf5c39e", "first_seen": "2022-04-14 11:51:01 UTC", "last_seen": null, "sightings": 1, "imphash": null, "ssdeep": "3072:TDvifpXS+5mdlV7fqEJ\/itr6xQds\/HQq5QEbOmyM\/9Ybfrr:TDvifpXS+5mdfbAp6xQds\/wqXbO3M\/9I", "tlsh": "T1A9D35C06FB418F13C4D617BAF9AF424933229B94E3EB730659285FB43F8665E0E53905", "telfhash": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f", "gimphash": null, "dhash_icon": null }, { "sha256_hash": "27e74f5f1ffd22b209362964acc0de74b9ca4b2476766cd49764b6b245eb370c", "file_size": 134556, "mime_type": "application\/x-executable", "md5_hash": "a9fab86dbdffd6b239f8ce9dfd2dcf33", "sha1_hash": "19f5cde32036e688244ebfdf6b63efacc45cc989", "sha3_384_hash": "4e01ea80eeecc957c990f186e2e05351990bc8f31a27dd6d70da7997848bc3c704b2f4eefc36f49aaf17ee864c109bb7", "first_seen": "2022-04-13 20:51:03 UTC", "last_seen": null, "sightings": 1, "imphash": null, "ssdeep": "3072:PEDfiXp7SnrDqtVcxBjRqBg9M\/m+RG6Ob2mKM\/9Yfkurr:PEDfiXp7SnrDectqBg9M\/xRSb2vM\/9YD", "tlsh": "T115D34C06FB418F13C4D617BAFAAF424933229B94E3EB730659185FB43F8665E0E53A05", "telfhash": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f", "gimphash": null, "dhash_icon": null }, { "sha256_hash": "0023f54ea7e345d6791921be8c8636a22c7ef8edcfe9d64971d3cbec0c3b1a91", "file_size": 134572, "mime_type": "application\/x-executable", "md5_hash": "e399cfbb622bdf06872a146fd05655cd", "sha1_hash": "a1c988a49cf44053f7ad6db046eb89032cb4e16f", "sha3_384_hash": "41b5bf490dd895ed8711eeadcd5744255623230e4f6f897e4084269150e38ea5dd7db5890d3da393fbd7169d80f31fba", "first_seen": "2022-04-12 23:51:02 UTC", "last_seen": null, "sightings": 1, "imphash": null, "ssdeep": "3072:f0DvinprSHrDqtVGDB3RJxQds\/neqfasb2mKM\/9M\/zrr:f0DvinprSHrDeGDJxQds\/eqfb2vM\/9Mz", "tlsh": "T1DBD34B46FB418F13C4D617BAF9AF424933229B94E3EB730649285FB43F8666E0E53905", "telfhash": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f", "gimphash": null, "dhash_icon": null }, [...] }
Query gimphash
You can get a list of recent files associated with a specific gimphash
by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | get_gimphash | |
search_term | a081e2fab5999d99ed6be718af55[...] | gimphash you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_gimphash", "search_term": "a081e2fab5999d99ed6be718af55e93df171d14bc83c7ca5fdc0907edba0d338c" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "query_info": { "search_scope": "all time", "result_count": 1, "result_max": 25 }, "data": [ { "sha256_hash": "631fc8da17bc3eb84718969a48b679237165887baede146faba6df842c80ab5c", "file_size": 7053280, "mime_type": "application\/x-dosexec", "md5_hash": "132a961afc5b7846f72c5944798535f6", "sha1_hash": "5ff9a26cba1baa65d34dd53cd9b7913b8e524570", "sha3_384_hash": "9404fba96909631807b2821f17a21d6315ec5f068b0c146a5cb7c58b073d7462374f44080f4ba5e255d130e0de981a72", "first_seen": "2022-07-02 09:24:03 UTC", "last_seen": "2022-07-02 12:26:15 UTC", "sightings": 2, "imphash": "c7269d59926fa4252270f407e4dab043", "ssdeep": "98304:lcjs3aEh2qJechqerH0KCYXidWPpTuEVtTZtWAI4AmnXTj+q+c6q1:28dqcp0KC8iMBLvTZkAI\/m\/+cF1", "tlsh": "T12C668D43F89560E9C6EAD130CA75C2527B307888073027D36F65AABA6B73BD05FB9750", "telfhash": null, "gimphash": "a081e2fab5999d99ed6be718af55e93df171d14bc83c7ca5fdc0907edba0d338", "dhash_icon": null } ] }
Query icon dhash
You can get a list of recent files associated with a specific icon dhash
by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | get_dhash_icon | |
search_term | 92264e9e361ccdee | telfhash you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_dhash_icon", "search_term": "92264e9e361ccdee" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "query_info": { "search_scope": "all time", "result_count": 6, "result_max": 250 }, "data": [ { "sha256_hash": "3d30ec7012f3477319137f7637f9879772e5ba3dcfc06dc341e8a4c14ea9598a", "file_size": 5427200, "mime_type": "application\/x-dosexec", "md5_hash": "6ca7e57dad6a21d1f7aaf1aa030281a1", "sha1_hash": "66f37a918854e4ded2a335a085a9ea87374deef2", "sha3_384_hash": "2fce52c1c52383d4bebc5182f68431c81b241936193a318762bfa3bb8cbce9b9e7ebe8b00b66396c9d0cb61fbb5d7140", "first_seen": "2022-04-02 15:12:27 UTC", "last_seen": null, "sightings": 1, "imphash": null, "ssdeep": "49152:eMdViVljGTvvC4cgeCcjoTkr3VNTqAFikjhpBn36DwkuxG+GgeGVQGouGU0:eKVijz3gXSoTol9vpBWwdRCaG", "tlsh": "T137469D12A6624877C37A0730DC6BA274B7F83D1C17FB5763B384B9DAAAB72407464346", "telfhash": null, "gimphash": null, "dhash_icon": "92264e9e361ccdee" }, { "sha256_hash": "4990abcda7532f88a7ae4b8731c14423260620276cc054b495a2d76c390747f8", "file_size": 1808896, "mime_type": "application\/x-dosexec", "md5_hash": "0d0287c298c1e9cf54a0d92b0d75f21a", "sha1_hash": "fd309ba565157011973275d9cd11841119debb3a", "sha3_384_hash": "b0bdf049cccd822baec05f2f74c8ac128eec8a1b8ccef991fbe4537428b667f0ca1055f84f36cb5a0f38fcc4f7b62cb1", "first_seen": "2022-04-02 15:05:27 UTC", "last_seen": null, "sightings": 1, "imphash": "4a99d91e1b68c500bb1244eb377c47a1", "ssdeep": "49152:2EPusxhC77OgLE2JqBc+MwlcF4SVJK91t23fPvVD7fZ:SYy73K2UL3tO1fZ", "tlsh": "T14E85226344B237EADBB3B1B692389D16F59A6C34C64A8319C381F9762FFDC5641B40E0", "telfhash": null, "gimphash": null, "dhash_icon": "92264e9e361ccdee" }, { "sha256_hash": "84368982d6f2253dcc10371cf1f7079199e0e1df21bb9608b0f73103b53283a8", "file_size": 5427200, "mime_type": "application\/x-dosexec", "md5_hash": "44f2ea6379dd28895c62792dbf19713d", "sha1_hash": "0b667870d8daf13825f4ae8fbf9467f6f39a4e1b", "sha3_384_hash": "4056f3bd6fd0d9150f7c1edd5f9aa591e3df9146a0761eaa6677aabca15d6b485a4bdf44ea80267824df1b6b6b86ff44", "first_seen": "2022-03-30 12:16:05 UTC", "last_seen": null, "sightings": 1, "imphash": null, "ssdeep": "49152:tnYVqVljGTvvCpcCewc2Lyw9XTsTqFF2T36Yq6CHiiFCzoxv4YN:tYVqjzOCdrLyCjH2T7LCHigC8xv4", "tlsh": "T17D46AD12A6514C77C2790330DC6BA678B7F83D0C27FB5763B384B9DAAAB72907464346", "telfhash": null, "gimphash": null, "dhash_icon": "92264e9e361ccdee" }, [...] }
Download a file
You can download a file from YARAify by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | get_file | |
sha256_hash | a638404ab71199981be143591853b[...] | sha256 hash of the file you want to download |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_file", "sha256_hash": "a638404ab71199981be143591853b713b8826a82904a1cf72675de6bb026c8f9" '} https://yaraify-api.abuse.ch/api/v1/
Please note that files for which the reporter has chosen the no sharing option are not available for download.
Problems with unzipping?
Files are zipped using AES128 encryption and password "infected". Should you receive an error like NotImplementedError: compression type 99
when trying to unzip, it means that your library is not supporting AES encryption (yet). Please switch to a different library (e.g. when you are using python: pyzipper)
Download an unpacked file
You can download an unpacked file from YARAify by query the API as follow:
Parameter | Example | Comment |
---|---|---|
query | get_unpacked | |
sha256_hash | a638404ab71199981be143591853b[...] | sha256 hash of the file you want to download |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_unpacked", "sha256_hash": "de7fa65d5cd5314ba0ce6ab19a7dcd9853639a1152447457de7efb39a9ba1f46" '} https://yaraify-api.abuse.ch/api/v1/
Please note that files for which the reporter has chosen the no sharing option are not available for download.
Problems with unzipping?
Files are zipped using AES128 encryption and password "infected". Should you receive an error like NotImplementedError: compression type 99
when trying to unzip, it means that your library is not supporting AES encryption (yet). Please switch to a different library (e.g. when you are using python: pyzipper)
List recently deployed YARA rules
You can get a list of the most recent deployed YARA rules on YARAify as follow. Please take note that the author of the YARA rule must have set the YARA rule's meta field yarahub_rule_matching_tlp
to TLP:WHITE.
Parameter | Example | Comment |
---|---|---|
query | recent_yararules |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "recent_yararules" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "data": [ { "time_stamp": "2022-05-01 08:10:52 UTC", "yarahub_uuid": "1b95ce79-6034-4740-8e45-5f0840602d1a", "rule_name": "win_danabot", "author": "Johannes Bader", "description": "detects DanaBot", "date": "2022-04-19", "yarahub_license": "CC BY-SA 4.0", "yarahub_author_twitter": "@viql", "yarahub_reference_link": "https:\/\/test.ch\/bla", "yarahub_reference_md5": "8195d9c7b7193e9c63137d156df7b6f3", "yarahub_rule_matching_tlp": "TLP:WHITE", "yarahub_rule_sharing_tlp": "TLP:WHITE", "malpedia_family": "win.danabot" }, [...] ] }
Deploy a YARA rule
You can deploy your own YARA rule for live hunting on YARAify, either by uploading your rule to your your account or by using the API. A sample script for deploying your own YARA rule to YARAify is available on our GitHub repository.
If you want to update one of your existing rules, simply upload the corresponding YARA rule with the same yarahub_uuid
and rule name
.
In order to deploy your YARA rule to YARAify, the following fields must be present in the YARA rule meta
section:
date
: Human readable date inYYYY-MM-DD
formatyarahub_uuid
: Unique ID in UUID 4 format. If you don't know how to generate one, we have just generated one for you:
bb3a48e3-140c-4298-a3fb-0843b7c0d039
yarahub_license
: Creative Commons license under which you want to share your YARA rule. Suggestion: CC0 1.0
yarahub_rule_matching_tlp
: This TLP defines whether YARA matches of this rule and it's meta
data should be publicly visible or not. Suggestion: TLP:WHITE
yarahub_rule_sharing_tlp
: This TLP defines whether the YARA rule itself should be shared or not. Suggestion: TLP:WHITE
yarahub_reference_md5
: MD5 hash of a sample (file) that would match this YARA ruleFor further information we encourage you to have a look at the YARAhub Rule Guidelines.
YARAify is currently using YARA version 4.2.1
Show your active YARA rules
You can get a list of active YARA rules you have deployed on YARAify for live hunting.
Parameter | Example | Comment |
---|---|---|
query | show_deployed_yara_rules |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "show_deployed_yara_rules" }' https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{ "query_status": "ok", "data": [ { "time_stamp": "2024-12-20 10:51:20 UTC", "yarahub_uuid": "12b31ce2-eeae-480f-8ad3-efe93f4e8785", "rule_name": "ach_202407_html_form_post2php", "author": "abuse.ch", "description": "Detects potential HTML phishing by looking for form HTTP post to PHP URL", "date": "2024-07-12", "yarahub_license": "CC0 1.0", "yarahub_author_twitter": "@abuse_ch", "yarahub_reference_link": null, "yarahub_reference_md5": "a4b1c0a74e3d77ed2145687ebc436abc", "yarahub_rule_matching_tlp": "TLP:WHITE", "yarahub_rule_sharing_tlp": "TLP:RED", "malpedia_family": null }, { "time_stamp": "2024-12-18 13:11:17 UTC", "yarahub_uuid": "250fa07d-9e5f-48b0-b490-d63e9261dc7e", "rule_name": "ach_202412_js_mintstealer", "author": "abuse.ch", "description": "Detects potential MintStealer delivered through malicious JavaScript files", "date": "2024-12-18", "yarahub_license": "CC0 1.0", "yarahub_author_twitter": "@abuse_ch", "yarahub_reference_link": null, "yarahub_reference_md5": "b30d0e1b25fe6672ca48f8d1d2af7800", "yarahub_rule_matching_tlp": "TLP:WHITE", "yarahub_rule_sharing_tlp": "TLP:RED", "malpedia_family": null }, [...] }
Delete a YARA rule
You can delete your own YARA rule from YARAify by leveraging this API endpoint.
Parameter | Example | Comment |
---|---|---|
query | delete_yara_rule | |
yarahub_uuid | bcbf6764-19.... | The UUID of your YARA rule you want to delete |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "delete_yara_rule" , "yarahub_uuid": "bcbf6764-19ae-44f1-adb1-db0d23c100fb"}' https://yaraify-api.abuse.ch/api/v1/
Download a specific YARA rule
You can download a specific YARA rule present on YARAhub. Please take note that the author of the YARA rule must have set the YARA rule's meta field yarahub_rule_sharing_tlp
to TLP:WHITE to allow sharing of the YARA rule in public.
Parameter | Example | Comment |
---|---|---|
query | get_yara_rule | |
uuid | 1b95ce79-6034-4740-8e45-5f0840602d1a | UUID of the YARA rule you want to download |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_yara_rule", "uuid": "1b95ce79-6034-4740-8e45-5f0840602d1a" '} https://yaraify-api.abuse.ch/api/v1/
Download all available YARA rule
You can download all available YARA rules that are currently present in YARAhub. Please take note that the author of the YARA rule must have set the YARA rule's meta field yarahub_rule_sharing_tlp
to TLP:WHITE to allow sharing of the YARA rule in public.
Here's a sample curl command:
curl https://yaraify-api.abuse.ch/download/yaraify-rules.zip --output yaraify-rules.zip
Or simply click on the following download link:
Download all YARA rulesNote that the file gets generated every 5 minutes. Please do not fetch it more often than that.
Example scripts
You can find a handful example scripts for how to interacting with the YARAify API on our github repository: