YARAify API
YARAify offers the following API endpoint.
Auth-Key (Required)
Scan a file
Query a task ID
Using identifiers
Query a file hash
Query YARA rule
Query ClamAV signature
Query imphash
Query tlsh
Query telfhash
Query gimphash
Query icon dhash
Download a file
Download an unpacked file
List recently deployed YARA rules
Download a specific YARA rule
Download all available YARA rules
Example scripts
Obtain an Auth-Key (Required)
In order to interact with the MalwareBazaar API, you need to obtain an Auth-Key first. If you don't have one you can get one for free here:
Whenever you interact with the YARAify API, you must include the HTTP header Auth-Key with your Auth-Key. Example curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_results", "task_id": "fb2763e9-7b84-11ec-9f01-42010aa4000b" '} https://yaraify-api.abuse.ch/api/v1/
Scan a file
You can scan a file against public and non-public YARA and ClamAV signatures as documented below. In addition, this API enpoint also supports optional malware sample unpacking (PE executables only).
A few important notes before you scan a file using the API:
- You can use an
identifierto keep track of your submissions. Please have a look at the documentation of the corresponding API endpoint - Malware sample unpacking (
unpack) is disabled by default. If you would like to use this feature, set the parameterunpackto1 - Files submitted for scanning are shared by default. If you do not wish to share your submitted files, set parameter
share_fileto0
| Parameter | Required? | Default | Comment | Possible values |
|---|---|---|---|---|
file | Yes | None | The file you want to scan | n/a |
identifier | No | None | Optional identifier to associate this submission with | n/a |
clamav_scan | No | 1 | Defines whether to scan the file with ClamAV | 0 or 1 |
unpack | No | 0 | Defines whether to unpack the file | 0 or 1 |
share_file | No | 1 | Defines whether the file is public and may be shared with 3rd parties | 0 or 1 |
skip_known | No | 0 | If 1, YARAify will not process the file if the file is already known | 0 or 1 |
skip_noisy | No | 0 | If 1, YARAify skips the file if it already has been scanned at least 10 times within the past 24 hours. It will return the latest task_id instead | 0 or 1 |
Here's a very basic sample python3 script for submitting a file to the scan engine:
#!/usr/bin/env python3
import requests
import json
files = {
'file': (open('sample.exe','rb'))
}
response = requests.post('https://yaraify-api.abuse.ch/api/v1/', files=files, verify=True)
print(response.content.decode("utf-8", "ignore"))
Here's a bit a more advanced sample python3 script for submitting a file to the scan engine with custom parameters set:
#!/usr/bin/env python3
import requests
import json
data = {
'clamav_scan': 1,
'unpack': 1
}
files = {
'json_data': (None, json.dumps(data), 'application/json'),
'file': (open('sample.exe','rb'))
}
response = requests.post('https://yaraify-api.abuse.ch/api/v1/', files=files, verify=True)
print(response.content.decode("utf-8", "ignore"))
More example scripts for interaction with the API are available on Gitlab:
Query a task ID
This API endpoint is used to fetch the current status (task_status) of a task_id along with, if the task has already been procsssed by the scanning engine, the scan results.
| Parameter | Required? | Default | Comment | Possible values |
|---|---|---|---|---|
query | Yes | None | Must be get_results to query to this enpoint | n/a |
task_id | Yes | None | The task_id you want to query the API for | n/a |
malpedia-token | No | None | Optional: your Malpedia Token | n/a |
Malpedia maintains a set of public and non-public YARA rules. If you provide your malpedia-token, you will not only receive results from their public YARA rules (TLP:WHITE) but also matches on their non-public rulesets (TLP:GREEN, TLP:AMBER and TLP:RED). Please note that your token will temporarily be stored for verification against the Malpedia API.
Here's a sample curl command that shows how to query the API for a task_id:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_results", "task_id": "fb2763e9-7b84-11ec-9f01-42010aa4000b" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"data": {
"yaraify_parameters": {
"clamav_scan": 1,
"unpack": 1,
"share_file": 1
},
"metadata": {
"file_name": "b0bb095dd0ad8b8de1c83b13c38e68dd.exe",
"file_size": 792372,
"file_type_mime": "application\/x-dosexec",
"first_seen": "2022-01-22 19:24:01 UTC",
"last_seen": "2022-01-23 14:52:44 UTC",
"sightings": 11,
"unpacked_files_cnt": 2
},
"static_results": [
{
"rule_name": "xxx",
"author": "xxx",
"description": "xxx",
"reference": "xxx",
"yarahub_uuid": "xxx",
"tlp": "AMBER"
},
{
"rule_name": "MALW_emotet",
"author": "Marc Rivero | McAfee ATR Team",
"description": "Rule to detect unpacked Emotet",
"reference": null,
"yarahub_uuid": null,
"tlp": "WHITE"
}
],
"clamav_results": [
"SecuriteInfo.com.Trojan.GenericKD.47707798.UNOFFICIAL",
"TwinWave.EvilDoc.DOCXRSTRGOOD.MSHTA.210816.UNOFFICIAL",
"TwinWave.EvilDoc.Excel4DragoTrainingMontage.20210204.UNOFFICIAL",
"TwinWave.EvilDoc.DOCXSTRGOODXL4.HTTP",
"TwinWave.EvilDoc.Emotet46and2.20220119.UNOFFICIAL"
],
"unpack_results": [
{
"unpacked_file_name": "10000000.dll",
"unpacked_md5": "d87f7e2caa4e48c3f98d352a9e087ab8",
"unpacked_sha256": "8c7236d27b8dbaffcd64d9b5155e8c416f33102604ab27076d32c321681ae5c3",
"unpacked_yara_matches": [
{
"rule_name": "xxx",
"author": "xxx",
"description": "xxx",
"reference": "xxx",
"yarahub_uuid": "xxx",
"tlp": "GREEN"
},
{
"rule_name": "win_younglotus_auto",
"author": "Detects win.younglotus.",
"description": null,
"reference": "Felix Bilstein - yara-signator at cocacoding dot com",
"yarahub_uuid": null,
"tlp": "WHITE"
},
{
"rule_name": "MALWARE_Win_Zegost",
"author": "Detects Zegost",
"description": null,
"reference": "ditekSHen",
"yarahub_uuid": null,
"tlp": "WHITE"
}
]
},
{
"unpacked_file_name": "400000.b0bb095dd0ad8b8de1c83b13c38e68dd",
"unpacked_md5": "b5c96bab82e2ca1f8b6246f58ce3ffed",
"unpacked_sha256": "bd1e271a049045633f995ba1d3a80176b2d2a117543e0972b0a2c5e0519cb9b2",
"unpacked_yara_matches": [
{
"rule_name": "with_urls",
"author": "Rule to detect the presence of an or several urls",
"description": "http:\/\/laboratorio.blogs.hispasec.com\/",
"reference": "Antonio Sanchez ",
"yarahub_uuid": null,
"tlp": "WHITE"
},
{
"rule_name": "without_attachments",
"author": "Rule to detect the no presence of any attachment",
"description": "http:\/\/laboratorio.blogs.hispasec.com\/",
"reference": "Antonio Sanchez ",
"yarahub_uuid": null,
"tlp": "WHITE"
},
{
"rule_name": "win_mbrlock_auto",
"author": "Detects win.mbrlock.",
"description": null,
"reference": "Felix Bilstein - yara-signator at cocacoding dot com",
"yarahub_uuid": null,
"tlp": "WHITE"
}
]
}
]
}
}
As you can see, matches on non-public YARA rules (e.g. such from Malpedia) are being replaced with "xxx".
The value for yarahub_uuid is empty (null) if the matching YARA rule does not originate from YARAhub.
A example script for querying the YARAify API for a task id is available on our github:
Using identifiers
You can keep track of a file that you have submitted using the task_id you got back from the API after your submission. However, you can use identifiers to keep track of your submissions. The documentation below shows you how to create identifiers and how you can use them to keep track of your submissions.
Create an identifier
In order to create an identifier, you must send a HTTP POST request to the API as documented below. The API will create and return an identifier to you.
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://yaraify-api.abuse.ch/api/v1/ -d '{ "query": "generate_identifier" }'
Of course, you can identify as many identifiers as you want (e.g. for different systems that submit files to the API for scanning). However, a submission can only be associated with one identifier.
Note
Make sure that you keep any identifier you generate private. Do not share it with anyone. 3rd parties who gain access to your identifier will be able to view your submissions!
Keeping track of your submissions
The following endpoint lets you query the API for an identifier, which will then return a list of corresponding submissions from the past 24 hours. In you can use an additional filter to filter for processed or queued submissions from the past 24 hours. Please note that the output is limited to max 250 entries.
Here's a sample curl command that shows how to query the API for an identifier while filtering for processed submissions (while xxxxxxxx is a placeholder for your identifier):
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST https://yaraify-api.abuse.ch/api/v1/ -d '{ "query": "list_tasks", "identifier": "xxxxxxxx", "task_status": "processed"}'
A response from this API endpoint looks like this:
{
"query_status": "ok",
"data": [
{
"task_id": "9b91e5d3-7b7e-11ec-9f01-42010aa1000b",
"task_status": "processed",
"md5_hash": "83fdeaf19ae60e26dd0b53ab74a66f55",
"sha256_hash": "65104ef88eb6e5e0416a33fe16709450ff79b3698266b9ce96af3d848cf44c48",
"file_name": "dropped.dll"
},
{
"task_id": "3b895428-7b7e-11ec-9f01-62010aa4000b",
"task_status": "processed",
"md5_hash": "3677819a63a436c7d90d01e8fab38eb6",
"sha256_hash": "2c4591542b85eb8601213322454ba4aabc683ae03b70a8244436895575732be8",
"file_name": "evil.dll"
},
{
"task_id": "7b817a16-7b7e-12ec-9f01-02010aa4000b",
"task_status": "processed",
"md5_hash": "fd5c9eaf79bb0abe8372364553933215",
"sha256_hash": "09a7c4f3878793169f3a1c2467a1c160534255b5d0ca13db6b4c5c4178ef3379",
"file_name": "emotet_sample.exe"
}
}
A example script for querying the YARAify API for an identifier is available on our github:
Query a file hash
You can query YARAify for a file hash (SHA256 hash, MD5 hash, SHA1 hash or SHA3-384 hash) by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | lookup_hash | |
search_term | a638404ab71199981be143591853b[...] | File hash of the file you want to download |
malpedia-token | Dummy | Optional: your Malpedia Token |
Malpedia maintains a set of public and non-public YARA rules. If you provide your malpedia-token, you will not only receive results from their public YARA rules (TLP:WHITE) but also matches on their non-public rulesets (TLP:GREEN, TLP:AMBER and TLP:RED). Please note that your token will temporarily be stored for verification against the Malpedia API.
Here's a sample curl command that shows how to query the API for a SHA256 hash:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "lookup_hash", "search_term": "b0bb095dd0ad8b8de1c83b13c38e68dd" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"data": {
"metadata": {
"file_size": 792372,
"file_type_mime": "application\/x-dosexec",
"first_seen": "2022-01-22 19:24:01 UTC",
"last_seen": "2022-01-23 14:52:44 UTC",
"sightings": 11,
"sha256_hash": "de7fa65d5cd5314ba0ce6ab19a7dcd9853639a1152447457de7efb39a9ba1f46",
"md5_hash": "b0bb095dd0ad8b8de1c83b13c38e68dd",
"sha1_hash": "cc597480e2f833f48e67ec75cd2c41547ceeb04c",
"sha3_384": "21527985085b570a8c429df8f3e8cfc0da5664b605c641d05a1f09692539a1d51deac5d60622290ee86fdd9b250dcf4e",
"imphash": null,
"ssdeep": null,
"tlsh": null,
"telfhash": null,
"gimphash": null,
"dhash_icon": null
},
"tasks": [
{
"task_id": "1f3da23c-7c5c-11ec-9f01-42010aa4000b",
"time_stamp": "2022-01-23 14:52:44 UTC",
"file_name": "b0bb095dd0ad8b8de1c83b13c38e68dd.exe",
"task_parameters": {
"clamav_scan": 1,
"unpack": 1,
"share_file": 1
},
"unpacked_files_cnt": "2",
"clamav_results": [
"PUA.Win.Packer.Upx-4",
"Win.Dropper.Gh0stRAT-9789289-0",
"Win.Dropper.Gh0stRAT-9789290-0",
"Win.Malware.FlyAgent-9850229-1",
"Win.Malware.Zusy-5710245-0"
],
"static_results": [
{
"rule_name": "pe_imphash",
"author": null,
"description": null,
"reference": null,
"yarahub_uuid": null,
"tlp": "WHITE"
},
{
"rule_name": "Skystars_Malware_Imphash",
"author": "Skystars LightDefender",
"description": "imphash",
"reference": null,
"yarahub_uuid": null,
"tlp": "WHITE"
}
],
"unpack_results": [
{
"unpacked_file_name": "10000000.dll",
"unpacked_md5": "d87f7e2caa4e48c3f98d352a9e087ab8",
"unpacked_sha256": "8c7236d27b8dbaffcd64d9b5155e8c416f33102604ab27076d32c321681ae5c3",
"unpacked_yara_matches": [
{
"rule_name": "xxx",
"author": "xxx",
"description": "xxx",
"reference": "xxx",
"yarahub_uuid": "xxx",
"tlp": "GREEN"
},
{
"rule_name": "win_younglotus_auto",
"author": "Detects win.younglotus.",
"description": null,
"reference": "Felix Bilstein - yara-signator at cocacoding dot com",
"yarahub_uuid": null,
"tlp": "WHITE"
},
{
"rule_name": "MALWARE_Win_Zegost",
"author": "Detects Zegost",
"description": null,
"reference": "ditekSHen",
"yarahub_uuid": null,
"tlp": "WHITE"
}
]
},
{
"unpacked_file_name": "400000.b0bb095dd0ad8b8de1c83b13c38e68dd",
"unpacked_md5": "b5c96bab82e2ca1f8b6246f58ce3ffed",
"unpacked_sha256": "bd1e271a049045633f995ba1d3a80176b2d2a117543e0972b0a2c5e0519cb9b2",
"unpacked_yara_matches": [
{
"rule_name": "with_urls",
"author": "Rule to detect the presence of an or several urls",
"description": "http:\/\/laboratorio.blogs.hispasec.com\/",
"reference": "Antonio Sanchez ",
"yarahub_uuid": null,
"tlp": "WHITE"
},
{
"rule_name": "without_attachments",
"author": "Rule to detect the no presence of any attachment",
"description": "http:\/\/laboratorio.blogs.hispasec.com\/",
"reference": "Antonio Sanchez ",
"yarahub_uuid": null,
"tlp": "WHITE"
},
{
"rule_name": "win_mbrlock_auto",
"author": "Detects win.mbrlock.",
"description": null,
"reference": "Felix Bilstein - yara-signator at cocacoding dot com",
"yarahub_uuid": null,
"tlp": "WHITE"
}
]
}
]
},
{
"task_id": "e7cdd149-7c5b-11ec-9f01-42010aa4000b",
"time_stamp": "2022-01-23 14:51:11 UTC",
"file_name": "b0bb095dd0ad8b8de1c83b13c38e68dd.exe",
"task_parameters": {
"clamav_scan": 1,
"unpack": 0,
"share_file": 1
},
"unpacked_files_cnt": "0",
"clamav_results": [
"PUA.Win.Packer.Upx-4",
"Win.Dropper.Gh0stRAT-9789289-0",
"Win.Dropper.Gh0stRAT-9789290-0",
"Win.Malware.FlyAgent-9850229-1",
"Win.Malware.Zusy-5710245-0"
],
"static_results": [
{
"rule_name": "pe_imphash",
"author": null,
"description": null,
"reference": null,
"tlp": "WHITE"
},
{
"rule_name": "Skystars_Malware_Imphash",
"author": "Skystars LightDefender",
"description": "imphash",
"reference": null,
"tlp": "WHITE"
}
],
"unpack_results": []
},
[...]
]
}
}
As you can see, matches on non-public YARA rules (e.g. such from Malpedia) are being replaced with "xxx".
The value for yarahub_uuid is empty (null) if the matching YARA rule does not originate from YARAhub.
Query YARA rule
You can get a list of recent files matching a specific YARA rule by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | get_yara | |
search_term | MALWARE_Win_Neshta | YARA Rule you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_yara", "search_term": "MALWARE_Win_Neshta" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"query_info": {
"search_scope": "all time",
"result_count": 13,
"result_max": 500
},
"data": [
{
"sha256_hash": "5e3834ebbd42dbdbe6251efbf12869b3a70880f3535765ad8109b458543c8b2e",
"file_size": 792412,
"mime_type": "application\/x-dosexec",
"md5_hash": "37fe12185eceac065501e65ba3851463",
"sha1_hash": "d29f33a7d26b7d7253e07bc7517779076a5b021f",
"sha3_384_hash": "24f01256c2587cced649065378fd982298152ab5685d9f4c741c2cecd77a35ed3f878d69f65ef801640fb85aee071474",
"first_seen": "2022-04-15 08:24:20 UTC",
"last_seen": null,
"sightings": 1,
"imphash": "43fd39eb6df6bf3a9a3edd1f646cd16e",
"ssdeep": "12288:PGXqG\/H1k6hUvoNUrIE33T5zTTlL9O3ZO6epkflNaGD0u74tt+3hJLGgFqLM:PZwk6hUv\/sEnnL6zLaGD46LLGng",
"tlsh": "T138F423C1EB53E7E1C8EF4D38920FFB6546642102AE00095779E68E58BDFC3B2335568A",
"telfhash": null,
"gimphash": null,
"dhash_icon": null
},
{
"sha256_hash": "b9807ee941907647ce285fab2687e4796f7f3c76afc5c8c9c141ca3568fcf87a",
"file_size": 1576960,
"mime_type": "application\/x-dosexec",
"md5_hash": "9161ee3cf96fda13ca70d450705b9002",
"sha1_hash": "3f97d7d2fe39c0f0cddfa89a3f4066bf0d3bdb4b",
"sha3_384_hash": "3734b149a09675adcb26c8775083dcd5ca037797c6e6262d6c89d19de6eeff8f731e6e71e80b20e515b4af35f5f7c39e",
"first_seen": "2022-04-14 20:54:31 UTC",
"last_seen": "2022-04-14 20:54:31 UTC",
"sightings": 2,
"imphash": null,
"ssdeep": "24576:JB4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8zOkik9eZ:TjnJMnU4u8lG42KzOkikw",
"tlsh": "T18B75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D",
"telfhash": null,
"gimphash": null,
"dhash_icon": "7171717169e8e8e8"
},
{
"sha256_hash": "1d580d9f99a387f0735bde436955d7595dfb4f7c41fc9968cc1aa78734fa4d2a",
"file_size": 1578496,
"mime_type": "application\/x-dosexec",
"md5_hash": "ea3f7b921ceca64d2100850cbef4aa55",
"sha1_hash": "9b09dc4da34863ab96cad9ed4cf53e0d7b87ffef",
"sha3_384_hash": "bcd24af5bd6a1b2602ca5916e0453f2f4a2f8543281051fd3bc3cd227d4cd8fb10b5c7cc1daa8cbd36162f7b13671bf2",
"first_seen": "2022-04-12 16:15:34 UTC",
"last_seen": null,
"sightings": 1,
"imphash": null,
"ssdeep": "24576:T4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8QOkik9eZ:TjnJMnU4u8lG42KQOkikw",
"tlsh": "T1AE75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D",
"telfhash": null,
"gimphash": null,
"dhash_icon": "7171717169e8e8e8"
},
[...]
}
Query ClamAV Signature
You can get a list of recent files associated with a specific ClamAV signature by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | get_clamav | |
search_term | Win.Dropper.Gh0stRAT-9789290-0 | ClamAV signature you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_clamav", "search_term": "Win.Dropper.Gh0stRAT-9789290-0" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"query_info": {
"search_scope": "all time",
"result_count": 13,
"result_max": 500
},
"data": [
{
"sha256_hash": "5e3834ebbd42dbdbe6251efbf12869b3a70880f3535765ad8109b458543c8b2e",
"file_size": 792412,
"mime_type": "application\/x-dosexec",
"md5_hash": "37fe12185eceac065501e65ba3851463",
"sha1_hash": "d29f33a7d26b7d7253e07bc7517779076a5b021f",
"sha3_384_hash": "24f01256c2587cced649065378fd982298152ab5685d9f4c741c2cecd77a35ed3f878d69f65ef801640fb85aee071474",
"first_seen": "2022-04-15 08:24:20 UTC",
"last_seen": null,
"sightings": 1,
"imphash": "43fd39eb6df6bf3a9a3edd1f646cd16e",
"ssdeep": "12288:PGXqG\/H1k6hUvoNUrIE33T5zTTlL9O3ZO6epkflNaGD0u74tt+3hJLGgFqLM:PZwk6hUv\/sEnnL6zLaGD46LLGng",
"tlsh": "T138F423C1EB53E7E1C8EF4D38920FFB6546642102AE00095779E68E58BDFC3B2335568A",
"telfhash": null,
"gimphash": null,
"dhash_icon": null
},
{
"sha256_hash": "b9807ee941907647ce285fab2687e4796f7f3c76afc5c8c9c141ca3568fcf87a",
"file_size": 1576960,
"mime_type": "application\/x-dosexec",
"md5_hash": "9161ee3cf96fda13ca70d450705b9002",
"sha1_hash": "3f97d7d2fe39c0f0cddfa89a3f4066bf0d3bdb4b",
"sha3_384_hash": "3734b149a09675adcb26c8775083dcd5ca037797c6e6262d6c89d19de6eeff8f731e6e71e80b20e515b4af35f5f7c39e",
"first_seen": "2022-04-14 20:54:31 UTC",
"last_seen": "2022-04-14 20:54:31 UTC",
"sightings": 2,
"imphash": null,
"ssdeep": "24576:JB4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8zOkik9eZ:TjnJMnU4u8lG42KzOkikw",
"tlsh": "T18B75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D",
"telfhash": null,
"gimphash": null,
"dhash_icon": "7171717169e8e8e8"
},
{
"sha256_hash": "1d580d9f99a387f0735bde436955d7595dfb4f7c41fc9968cc1aa78734fa4d2a",
"file_size": 1578496,
"mime_type": "application\/x-dosexec",
"md5_hash": "ea3f7b921ceca64d2100850cbef4aa55",
"sha1_hash": "9b09dc4da34863ab96cad9ed4cf53e0d7b87ffef",
"sha3_384_hash": "bcd24af5bd6a1b2602ca5916e0453f2f4a2f8543281051fd3bc3cd227d4cd8fb10b5c7cc1daa8cbd36162f7b13671bf2",
"first_seen": "2022-04-12 16:15:34 UTC",
"last_seen": null,
"sightings": 1,
"imphash": null,
"ssdeep": "24576:T4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8QOkik9eZ:TjnJMnU4u8lG42KQOkikw",
"tlsh": "T1AE75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D",
"telfhash": null,
"gimphash": null,
"dhash_icon": "7171717169e8e8e8"
},
[...]
}
Query imphash
You can get a list of recent files associated with a specific imphash by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | get_imphash | |
search_term | 680b9682922177224183342c299d809f | imphash you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_imphash", "search_term": "680b9682922177224183342c299d809f" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"query_info": {
"search_scope": "all time",
"result_count": 64,
"result_max": 250
},
"data": [
{
"sha256_hash": "0278236466b0915e5b5fb228033a46c7ed1d9f29ce07f5784b3746e8ea64fadb",
"file_size": 1750234,
"mime_type": "application\/x-dosexec",
"md5_hash": "77bfdf73e32b496bb9f111c304b8fb95",
"sha1_hash": "8a88235b7bc5a8e4cc233532e4011b2fae4ac257",
"sha3_384_hash": "f9826bdc674c19a3867a3b1d78c0ba1897303d70eb7ed5eaa6755bed3f368caaaea9543bd84ea66b086b653b1e23b2dd",
"first_seen": "2022-04-14 10:23:53 UTC",
"last_seen": null,
"sightings": 1,
"imphash": "680b9682922177224183342c299d809f",
"ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
"tlsh": "T193859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
"telfhash": null,
"gimphash": null,
"dhash_icon": "399998ecd4d46c0e"
},
{
"sha256_hash": "72011546699b21166467da8d7bd37ff0d96717288519f3fad8c19750e39aca42",
"file_size": 1771258,
"mime_type": "application\/x-dosexec",
"md5_hash": "59f2c99f52c368a923c74621d8b4e6fd",
"sha1_hash": "fe5e0f5cf0ebd90e17034483eb9a902dd5cdd7bc",
"sha3_384_hash": "8038039ec77602fbfe8ac922a7e1509c42dcbf6f07713af294df84c780b438e9b85181eab199ed8bcc70bba259bb18be",
"first_seen": "2022-04-14 10:17:43 UTC",
"last_seen": null,
"sightings": 1,
"imphash": "680b9682922177224183342c299d809f",
"ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
"tlsh": "T1AE859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
"telfhash": null,
"gimphash": null,
"dhash_icon": "399998ecd4d46c0e"
},
{
"sha256_hash": "cb36a871888de7f8de75a2e0204526e07429390e9a15a7031406c9d3c2ee2207",
"file_size": 1747228,
"mime_type": "application\/x-dosexec",
"md5_hash": "825b058531390b5c602b02353a5fa550",
"sha1_hash": "09b9844ff84985cba76060b8f982060287b77fde",
"sha3_384_hash": "7e376e7c47642c0729d87337696e3b1940c91b0cd410668d642f37a8a492e7502d0daeda56529a710fa0f81a09aecf38",
"first_seen": "2022-04-13 19:52:33 UTC",
"last_seen": null,
"sightings": 1,
"imphash": "680b9682922177224183342c299d809f",
"ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
"tlsh": "T1F3859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
"telfhash": null,
"gimphash": null,
"dhash_icon": "399998ecd4d46c0e"
}
[...]
}
Query tlsh
You can get a list of recent files associated with a specific tlsh by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | get_tlsh | |
search_term | T140551236C8E05951CAEFD73315186AF[...] | tlsh you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_tlsh", "search_term": "T140551236C8E05951CAEFD73315186AF983182477CCC9E5BB0E6B36D62CB6431A36B06D" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"query_info": {
"search_scope": "all time",
"result_count": 64,
"result_max": 250
},
"data": [
{
"sha256_hash": "0278236466b0915e5b5fb228033a46c7ed1d9f29ce07f5784b3746e8ea64fadb",
"file_size": 1750234,
"mime_type": "application\/x-dosexec",
"md5_hash": "77bfdf73e32b496bb9f111c304b8fb95",
"sha1_hash": "8a88235b7bc5a8e4cc233532e4011b2fae4ac257",
"sha3_384_hash": "f9826bdc674c19a3867a3b1d78c0ba1897303d70eb7ed5eaa6755bed3f368caaaea9543bd84ea66b086b653b1e23b2dd",
"first_seen": "2022-04-14 10:23:53 UTC",
"last_seen": null,
"sightings": 1,
"imphash": "680b9682922177224183342c299d809f",
"ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
"tlsh": "T193859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
"telfhash": null,
"gimphash": null,
"dhash_icon": "399998ecd4d46c0e"
},
{
"sha256_hash": "72011546699b21166467da8d7bd37ff0d96717288519f3fad8c19750e39aca42",
"file_size": 1771258,
"mime_type": "application\/x-dosexec",
"md5_hash": "59f2c99f52c368a923c74621d8b4e6fd",
"sha1_hash": "fe5e0f5cf0ebd90e17034483eb9a902dd5cdd7bc",
"sha3_384_hash": "8038039ec77602fbfe8ac922a7e1509c42dcbf6f07713af294df84c780b438e9b85181eab199ed8bcc70bba259bb18be",
"first_seen": "2022-04-14 10:17:43 UTC",
"last_seen": null,
"sightings": 1,
"imphash": "680b9682922177224183342c299d809f",
"ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
"tlsh": "T1AE859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
"telfhash": null,
"gimphash": null,
"dhash_icon": "399998ecd4d46c0e"
},
{
"sha256_hash": "cb36a871888de7f8de75a2e0204526e07429390e9a15a7031406c9d3c2ee2207",
"file_size": 1747228,
"mime_type": "application\/x-dosexec",
"md5_hash": "825b058531390b5c602b02353a5fa550",
"sha1_hash": "09b9844ff84985cba76060b8f982060287b77fde",
"sha3_384_hash": "7e376e7c47642c0729d87337696e3b1940c91b0cd410668d642f37a8a492e7502d0daeda56529a710fa0f81a09aecf38",
"first_seen": "2022-04-13 19:52:33 UTC",
"last_seen": null,
"sightings": 1,
"imphash": "680b9682922177224183342c299d809f",
"ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
"tlsh": "T1F3859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
"telfhash": null,
"gimphash": null,
"dhash_icon": "399998ecd4d46c0e"
}
[...]
}
Query telfhash
You can get a list of recent files associated with a specific telfhash by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | get_telfhash | |
search_term | t1dd211d716b2195266ea0cd9088eca7[...] | telfhash you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_telfhash", "search_term": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"query_info": {
"search_scope": "all time",
"result_count": 9,
"result_max": 250
},
"data": [
{
"sha256_hash": "56c438f5a581a639f3f3853f2a01d850f51faf0fdd50f4f07bbc0826a0aabe55",
"file_size": 134572,
"mime_type": "application\/x-executable",
"md5_hash": "e259d954ad3f1b037c3ba0fbcf109a3c",
"sha1_hash": "71d11d2e8dd7256136108752303f06746dd91a56",
"sha3_384_hash": "9a1d4e5ab8c336d8d6c332716c317255c1eeec9de16c3896e258e71470d65408f86e9a5ddb84c780550e1020fdf5c39e",
"first_seen": "2022-04-14 11:51:01 UTC",
"last_seen": null,
"sightings": 1,
"imphash": null,
"ssdeep": "3072:TDvifpXS+5mdlV7fqEJ\/itr6xQds\/HQq5QEbOmyM\/9Ybfrr:TDvifpXS+5mdfbAp6xQds\/wqXbO3M\/9I",
"tlsh": "T1A9D35C06FB418F13C4D617BAF9AF424933229B94E3EB730659285FB43F8665E0E53905",
"telfhash": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f",
"gimphash": null,
"dhash_icon": null
},
{
"sha256_hash": "27e74f5f1ffd22b209362964acc0de74b9ca4b2476766cd49764b6b245eb370c",
"file_size": 134556,
"mime_type": "application\/x-executable",
"md5_hash": "a9fab86dbdffd6b239f8ce9dfd2dcf33",
"sha1_hash": "19f5cde32036e688244ebfdf6b63efacc45cc989",
"sha3_384_hash": "4e01ea80eeecc957c990f186e2e05351990bc8f31a27dd6d70da7997848bc3c704b2f4eefc36f49aaf17ee864c109bb7",
"first_seen": "2022-04-13 20:51:03 UTC",
"last_seen": null,
"sightings": 1,
"imphash": null,
"ssdeep": "3072:PEDfiXp7SnrDqtVcxBjRqBg9M\/m+RG6Ob2mKM\/9Yfkurr:PEDfiXp7SnrDectqBg9M\/xRSb2vM\/9YD",
"tlsh": "T115D34C06FB418F13C4D617BAFAAF424933229B94E3EB730659185FB43F8665E0E53A05",
"telfhash": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f",
"gimphash": null,
"dhash_icon": null
},
{
"sha256_hash": "0023f54ea7e345d6791921be8c8636a22c7ef8edcfe9d64971d3cbec0c3b1a91",
"file_size": 134572,
"mime_type": "application\/x-executable",
"md5_hash": "e399cfbb622bdf06872a146fd05655cd",
"sha1_hash": "a1c988a49cf44053f7ad6db046eb89032cb4e16f",
"sha3_384_hash": "41b5bf490dd895ed8711eeadcd5744255623230e4f6f897e4084269150e38ea5dd7db5890d3da393fbd7169d80f31fba",
"first_seen": "2022-04-12 23:51:02 UTC",
"last_seen": null,
"sightings": 1,
"imphash": null,
"ssdeep": "3072:f0DvinprSHrDqtVGDB3RJxQds\/neqfasb2mKM\/9M\/zrr:f0DvinprSHrDeGDJxQds\/eqfb2vM\/9Mz",
"tlsh": "T1DBD34B46FB418F13C4D617BAF9AF424933229B94E3EB730649285FB43F8666E0E53905",
"telfhash": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f",
"gimphash": null,
"dhash_icon": null
},
[...]
}
Query gimphash
You can get a list of recent files associated with a specific gimphash by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | get_gimphash | |
search_term | a081e2fab5999d99ed6be718af55[...] | gimphash you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_gimphash", "search_term": "a081e2fab5999d99ed6be718af55e93df171d14bc83c7ca5fdc0907edba0d338c" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"query_info": {
"search_scope": "all time",
"result_count": 1,
"result_max": 25
},
"data": [
{
"sha256_hash": "631fc8da17bc3eb84718969a48b679237165887baede146faba6df842c80ab5c",
"file_size": 7053280,
"mime_type": "application\/x-dosexec",
"md5_hash": "132a961afc5b7846f72c5944798535f6",
"sha1_hash": "5ff9a26cba1baa65d34dd53cd9b7913b8e524570",
"sha3_384_hash": "9404fba96909631807b2821f17a21d6315ec5f068b0c146a5cb7c58b073d7462374f44080f4ba5e255d130e0de981a72",
"first_seen": "2022-07-02 09:24:03 UTC",
"last_seen": "2022-07-02 12:26:15 UTC",
"sightings": 2,
"imphash": "c7269d59926fa4252270f407e4dab043",
"ssdeep": "98304:lcjs3aEh2qJechqerH0KCYXidWPpTuEVtTZtWAI4AmnXTj+q+c6q1:28dqcp0KC8iMBLvTZkAI\/m\/+cF1",
"tlsh": "T12C668D43F89560E9C6EAD130CA75C2527B307888073027D36F65AABA6B73BD05FB9750",
"telfhash": null,
"gimphash": "a081e2fab5999d99ed6be718af55e93df171d14bc83c7ca5fdc0907edba0d338",
"dhash_icon": null
}
]
}
Query icon dhash
You can get a list of recent files associated with a specific icon dhash by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | get_dhash_icon | |
search_term | 92264e9e361ccdee | telfhash you want to get results for |
result_max | 100 | Optional: Max number of results you want to display (default: 25, max: 1'000) |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_dhash_icon", "search_term": "92264e9e361ccdee" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"query_info": {
"search_scope": "all time",
"result_count": 6,
"result_max": 250
},
"data": [
{
"sha256_hash": "3d30ec7012f3477319137f7637f9879772e5ba3dcfc06dc341e8a4c14ea9598a",
"file_size": 5427200,
"mime_type": "application\/x-dosexec",
"md5_hash": "6ca7e57dad6a21d1f7aaf1aa030281a1",
"sha1_hash": "66f37a918854e4ded2a335a085a9ea87374deef2",
"sha3_384_hash": "2fce52c1c52383d4bebc5182f68431c81b241936193a318762bfa3bb8cbce9b9e7ebe8b00b66396c9d0cb61fbb5d7140",
"first_seen": "2022-04-02 15:12:27 UTC",
"last_seen": null,
"sightings": 1,
"imphash": null,
"ssdeep": "49152:eMdViVljGTvvC4cgeCcjoTkr3VNTqAFikjhpBn36DwkuxG+GgeGVQGouGU0:eKVijz3gXSoTol9vpBWwdRCaG",
"tlsh": "T137469D12A6624877C37A0730DC6BA274B7F83D1C17FB5763B384B9DAAAB72407464346",
"telfhash": null,
"gimphash": null,
"dhash_icon": "92264e9e361ccdee"
},
{
"sha256_hash": "4990abcda7532f88a7ae4b8731c14423260620276cc054b495a2d76c390747f8",
"file_size": 1808896,
"mime_type": "application\/x-dosexec",
"md5_hash": "0d0287c298c1e9cf54a0d92b0d75f21a",
"sha1_hash": "fd309ba565157011973275d9cd11841119debb3a",
"sha3_384_hash": "b0bdf049cccd822baec05f2f74c8ac128eec8a1b8ccef991fbe4537428b667f0ca1055f84f36cb5a0f38fcc4f7b62cb1",
"first_seen": "2022-04-02 15:05:27 UTC",
"last_seen": null,
"sightings": 1,
"imphash": "4a99d91e1b68c500bb1244eb377c47a1",
"ssdeep": "49152:2EPusxhC77OgLE2JqBc+MwlcF4SVJK91t23fPvVD7fZ:SYy73K2UL3tO1fZ",
"tlsh": "T14E85226344B237EADBB3B1B692389D16F59A6C34C64A8319C381F9762FFDC5641B40E0",
"telfhash": null,
"gimphash": null,
"dhash_icon": "92264e9e361ccdee"
},
{
"sha256_hash": "84368982d6f2253dcc10371cf1f7079199e0e1df21bb9608b0f73103b53283a8",
"file_size": 5427200,
"mime_type": "application\/x-dosexec",
"md5_hash": "44f2ea6379dd28895c62792dbf19713d",
"sha1_hash": "0b667870d8daf13825f4ae8fbf9467f6f39a4e1b",
"sha3_384_hash": "4056f3bd6fd0d9150f7c1edd5f9aa591e3df9146a0761eaa6677aabca15d6b485a4bdf44ea80267824df1b6b6b86ff44",
"first_seen": "2022-03-30 12:16:05 UTC",
"last_seen": null,
"sightings": 1,
"imphash": null,
"ssdeep": "49152:tnYVqVljGTvvCpcCewc2Lyw9XTsTqFF2T36Yq6CHiiFCzoxv4YN:tYVqjzOCdrLyCjH2T7LCHigC8xv4",
"tlsh": "T17D46AD12A6514C77C2790330DC6BA678B7F83D0C27FB5763B384B9DAAAB72907464346",
"telfhash": null,
"gimphash": null,
"dhash_icon": "92264e9e361ccdee"
},
[...]
}
Download a file
You can download a file from YARAify by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | get_file | |
sha256_hash | a638404ab71199981be143591853b[...] | sha256 hash of the file you want to download |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_file", "sha256_hash": "a638404ab71199981be143591853b713b8826a82904a1cf72675de6bb026c8f9" '} https://yaraify-api.abuse.ch/api/v1/
Please note that files for which the reporter has chosen the no sharing option are not available for download.
Problems with unzipping?
Files are zipped using AES128 encryption and password "infected". Should you receive an error like NotImplementedError: compression type 99 when trying to unzip, it means that your library is not supporting AES encryption (yet). Please switch to a different library (e.g. when you are using python: pyzipper)
Download an unpacked file
You can download an unpacked file from YARAify by query the API as follow:
| Parameter | Example | Comment |
|---|---|---|
query | get_unpacked | |
sha256_hash | a638404ab71199981be143591853b[...] | sha256 hash of the file you want to download |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_unpacked", "sha256_hash": "de7fa65d5cd5314ba0ce6ab19a7dcd9853639a1152447457de7efb39a9ba1f46" '} https://yaraify-api.abuse.ch/api/v1/
Please note that files for which the reporter has chosen the no sharing option are not available for download.
Problems with unzipping?
Files are zipped using AES128 encryption and password "infected". Should you receive an error like NotImplementedError: compression type 99 when trying to unzip, it means that your library is not supporting AES encryption (yet). Please switch to a different library (e.g. when you are using python: pyzipper)
List recently deployed YARA rules
You can get a list of the most recent deployed YARA rules on YARAify as follow. Please take note that the author of the YARA rule must have set the YARA rule's meta field yarahub_rule_matching_tlp to TLP:WHITE.
| Parameter | Example | Comment |
|---|---|---|
query | recent_yararules |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "recent_yararules" '} https://yaraify-api.abuse.ch/api/v1/
A response from this API endpoint looks like this:
{
"query_status": "ok",
"data": [
{
"time_stamp": "2022-05-01 08:10:52 UTC",
"yarahub_uuid": "1b95ce79-6034-4740-8e45-5f0840602d1a",
"rule_name": "win_danabot",
"author": "Johannes Bader",
"description": "detects DanaBot",
"date": "2022-04-19",
"yarahub_license": "CC BY-SA 4.0",
"yarahub_author_twitter": "@viql",
"yarahub_reference_link": "https:\/\/test.ch\/bla",
"yarahub_reference_md5": "8195d9c7b7193e9c63137d156df7b6f3",
"yarahub_rule_matching_tlp": "TLP:WHITE",
"yarahub_rule_sharing_tlp": "TLP:WHITE",
"malpedia_family": "win.danabot"
},
[...]
]
}
Download a specific YARA rule
You can download a specific YARA rule present on YARAhub. Please take note that the author of the YARA rule must have set the YARA rule's meta field yarahub_rule_sharing_tlp to TLP:WHITE to allow sharing of the YARA rule in public.
| Parameter | Example | Comment |
|---|---|---|
query | get_yara_rule | |
uuid | 1b95ce79-6034-4740-8e45-5f0840602d1a | UUID of the YARA rule you want to download |
Here's a sample curl command:
curl -H "Auth-Key: YOUR-AUTH-KEY" -X POST -d '{ "query": "get_yara_rule", "uuid": "1b95ce79-6034-4740-8e45-5f0840602d1a" '} https://yaraify-api.abuse.ch/api/v1/
Download all available YARA rule
You can download all available YARA rules that are currently present in YARAhub. Please take note that the author of the YARA rule must have set the YARA rule's meta field yarahub_rule_sharing_tlp to TLP:WHITE to allow sharing of the YARA rule in public.
Here's a sample curl command:
curl https://yaraify-api.abuse.ch/download/yaraify-rules.zip --output yaraify-rules.zip
Or simply click on the following download link:
Download all YARA rulesNote that the file gets generated every 5 minutes. Please do not fetch it more often than that.
Example scripts
You can find a handful example scripts for how to interacting with the YARAify API on our github repository: