YARAify API

YARAify offers the following API endpoint.

Scan a file Query a task ID Using identifiers Query a file hash Query YARA rule Query ClamAV signature Query imphash Query tlsh Query telfhash Query gimphash Query icon dhash Download a file Download an unpacked file List recently deployed YARA rules Download a specific YARA rule Download all available YARA rules Example scripts

Scan a file


You can scan a file against public and non-public YARA and ClamAV signatures as documented below. In addition, this API enpoint also supports optional malware sample unpacking (PE executables only).

A few important notes before you scan a file using the API:

ParameterRequired?DefaultCommentPossible values
fileYesNoneThe file you want to scann/a
identifierNoNoneOptional identifier to associate this submission withn/a
clamav_scanNo1Defines whether to scan the file with ClamAV0 or 1
unpackNo0Defines whether to unpack the file0 or 1
share_fileNo1Defines whether the file is public and may be shared with 3rd parties0 or 1
skip_knownNo0If 1, YARAify will not process the file if the file is already known0 or 1
skip_noisyNo0If 1, YARAify skips the file if it already has been scanned at least 10 times within the past 24 hours. It will return the latest task_id instead0 or 1

Here's a very basic sample python3 script for submitting a file to the scan engine:

#!/usr/bin/env python3
import requests
import json

files = {
    'file': (open('sample.exe','rb'))
}
response = requests.post('https://yaraify-api.abuse.ch/api/v1/', files=files, verify=True)
print(response.content.decode("utf-8", "ignore"))
        

Here's a bit a more advanced sample python3 script for submitting a file to the scan engine with custom parameters set:

#!/usr/bin/env python3
import requests
import json

data = {
    'clamav_scan':  1,
    'unpack':       1
}
files = {
    'json_data': (None, json.dumps(data), 'application/json'),
    'file': (open('sample.exe','rb'))
}
response = requests.post('https://yaraify-api.abuse.ch/api/v1/', files=files, verify=True)
print(response.content.decode("utf-8", "ignore"))
        

More example scripts for interaction with the API are available on Gitlab:

Query a task ID


This API endpoint is used to fetch the current status (task_status) of a task_id along with, if the task has already been procsssed by the scanning engine, the scan results.

ParameterRequired?DefaultCommentPossible values
queryYesNoneMust be get_results to query to this enpointn/a
task_idYesNoneThe task_id you want to query the API forn/a
malpedia-tokenNoNoneOptional: your Malpedia Tokenn/a

Malpedia maintains a set of public and non-public YARA rules. If you provide your malpedia-token, you will not only receive results from their public YARA rules (TLP:WHITE) but also matches on their non-public rulesets (TLP:GREEN, TLP:AMBER and TLP:RED). Please note that your token will temporarily be stored for verification against the Malpedia API.

Here's a sample curl command that shows how to query the API for a task_id:

curl -X POST -d '{ "query": "get_results", "task_id": "fb2763e9-7b84-11ec-9f01-42010aa4000b" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "data": {
        "yaraify_paremeters": {
            "clamav_scan": 1,
            "unpack": 1,
            "share_file": 1
        },
        "metadata": {
            "file_name": "b0bb095dd0ad8b8de1c83b13c38e68dd.exe",
            "file_size": 792372,
            "file_type_mime": "application\/x-dosexec",
            "first_seen": "2022-01-22 19:24:01 UTC",
            "last_seen": "2022-01-23 14:52:44 UTC",
            "sightings": 11,
            "unpacked_files_cnt": 2
        },
        "static_results": [
          {
              "rule_name": "xxx",
              "author": "xxx",
              "description": "xxx",
              "reference": "xxx",
              "tlp": "AMBER"
          },
          {
              "rule_name": "MALW_emotet",
              "author": "Marc Rivero | McAfee ATR Team",
              "description": "Rule to detect unpacked Emotet",
              "reference": "",
              "tlp": "WHITE"
          }
        ],
        "clamav_results": [
            "SecuriteInfo.com.Trojan.GenericKD.47707798.UNOFFICIAL",
            "TwinWave.EvilDoc.DOCXRSTRGOOD.MSHTA.210816.UNOFFICIAL",
            "TwinWave.EvilDoc.Excel4DragoTrainingMontage.20210204.UNOFFICIAL",
            "TwinWave.EvilDoc.DOCXSTRGOODXL4.HTTP",
            "TwinWave.EvilDoc.Emotet46and2.20220119.UNOFFICIAL"
        ],
        "unpack_results": [
            {
                "unpacked_file_name": "10000000.dll",
                "unpacked_md5": "d87f7e2caa4e48c3f98d352a9e087ab8",
                "unpacked_sha256": "8c7236d27b8dbaffcd64d9b5155e8c416f33102604ab27076d32c321681ae5c3",
                "unpacked_yara_matches": [
                    {
                        "rule_name": "xxx",
                        "author": "xxx",
                        "description": "xxx",
                        "reference": "xxx",
                        "tlp": "GREEN"
                    },
                    {
                        "rule_name": "win_younglotus_auto",
                        "author": "Detects win.younglotus.",
                        "description": "",
                        "reference": "Felix Bilstein - yara-signator at cocacoding dot com",
                        "tlp": "WHITE"
                    },
                    {
                        "rule_name": "MALWARE_Win_Zegost",
                        "author": "Detects Zegost",
                        "description": "",
                        "reference": "ditekSHen",
                        "tlp": "WHITE"
                    }
                ]
            },
            {
                "unpacked_file_name": "400000.b0bb095dd0ad8b8de1c83b13c38e68dd",
                "unpacked_md5": "b5c96bab82e2ca1f8b6246f58ce3ffed",
                "unpacked_sha256": "bd1e271a049045633f995ba1d3a80176b2d2a117543e0972b0a2c5e0519cb9b2",
                "unpacked_yara_matches": [
                    {
                        "rule_name": "with_urls",
                        "author": "Rule to detect the presence of an or several urls",
                        "description": "http:\/\/laboratorio.blogs.hispasec.com\/",
                        "reference": "Antonio Sanchez ",
                        "tlp": "WHITE"
                    },
                    {
                        "rule_name": "without_attachments",
                        "author": "Rule to detect the no presence of any attachment",
                        "description": "http:\/\/laboratorio.blogs.hispasec.com\/",
                        "reference": "Antonio Sanchez ",
                        "tlp": "WHITE"
                    },
                    {
                        "rule_name": "win_mbrlock_auto",
                        "author": "Detects win.mbrlock.",
                        "description": "",
                        "reference": "Felix Bilstein - yara-signator at cocacoding dot com",
                        "tlp": "WHITE"
                    }
                ]
            }
        ]

    }
}

As you can see, matches on non-public YARA rules (e.g. such from Malpedia) are being replaced with "xxx".

A example script for querying the YARAify API for a task id is available on our github:

Using identifiers


You can keep track of a file that you have submitted using the task_id you got back from the API after your submission. However, you can use identifiers to keep track of your submissions. The documentation below shows you how to create identifiers and how you can use them to keep track of your submissions.

Create an identifier

In order to create an identifier, you must send a HTTP POST request to the API as documented below. The API will create and return an identifier to you.

curl -X POST https://yaraify-api.abuse.ch/api/v1/ -d '{ "query": "generate_identifier" }'
        

Of course, you can identify as many identifiers as you want (e.g. for different systems that submit files to the API for scanning). However, a submission can only be associated with one identifier.

Keeping track of your submissions

The following endpoint lets you query the API for an identifier, which will then return a list of corresponding submissions from the past 24 hours. In you can use an additional filter to filter for processed or queued submissions from the past 24 hours. Please note that the output is limited to max 250 entries.

Here's a sample curl command that shows how to query the API for an identifier while filtering for processed submissions (while xxxxxxxx is a placeholder for your identifier):

curl -X POST https://yaraify-api.abuse.ch/api/v1/ -d '{ "query": "list_tasks", "identifier": "xxxxxxxx", "task_status": "proccessed"}'
        

A response from this API endpoint looks like this:

{
"query_status": "ok",
"data": [
  {
      "task_id": "9b91e5d3-7b7e-11ec-9f01-42010aa1000b",
      "task_status": "processed",
      "md5_hash": "83fdeaf19ae60e26dd0b53ab74a66f55",
      "sha256_hash": "65104ef88eb6e5e0416a33fe16709450ff79b3698266b9ce96af3d848cf44c48",
      "file_name": "dropped.dll"
  },
  {
      "task_id": "3b895428-7b7e-11ec-9f01-62010aa4000b",
      "task_status": "processed",
      "md5_hash": "3677819a63a436c7d90d01e8fab38eb6",
      "sha256_hash": "2c4591542b85eb8601213322454ba4aabc683ae03b70a8244436895575732be8",
      "file_name": "evil.dll"
  },
  {
      "task_id": "7b817a16-7b7e-12ec-9f01-02010aa4000b",
      "task_status": "processed",
      "md5_hash": "fd5c9eaf79bb0abe8372364553933215",
      "sha256_hash": "09a7c4f3878793169f3a1c2467a1c160534255b5d0ca13db6b4c5c4178ef3379",
      "file_name": "emotet_sample.exe"
  }
}

A example script for querying the YARAify API for an identifier is available on our github:

Query a file hash


You can query YARAify for a file hash (SHA256 hash, MD5 hash, SHA1 hash or SHA3-384 hash) by query the API as follow:

ParameterExampleComment
querylookup_hash 
search_terma638404ab71199981be143591853b[...]File hash of the file you want to download
malpedia-tokenDummyOptional: your Malpedia Token

Malpedia maintains a set of public and non-public YARA rules. If you provide your malpedia-token, you will not only receive results from their public YARA rules (TLP:WHITE) but also matches on their non-public rulesets (TLP:GREEN, TLP:AMBER and TLP:RED). Please note that your token will temporarily be stored for verification against the Malpedia API.

Here's a sample curl command that shows how to query the API for a SHA256 hash:

curl -X POST -d '{ "query": "lookup_hash", "search_term": "b0bb095dd0ad8b8de1c83b13c38e68dd" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "data": {
        "metadata": {
            "file_size": 792372,
            "file_type_mime": "application\/x-dosexec",
            "first_seen": "2022-01-22 19:24:01 UTC",
            "last_seen": "2022-01-23 14:52:44 UTC",
            "sightings": 11,
            "sha256_hash": "de7fa65d5cd5314ba0ce6ab19a7dcd9853639a1152447457de7efb39a9ba1f46",
            "md5_hash": "b0bb095dd0ad8b8de1c83b13c38e68dd",
            "sha1_hash": "cc597480e2f833f48e67ec75cd2c41547ceeb04c",
            "sha3_384": "21527985085b570a8c429df8f3e8cfc0da5664b605c641d05a1f09692539a1d51deac5d60622290ee86fdd9b250dcf4e",
            "imphash": null,
            "ssdeep": null,
            "tlsh": null,
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": null
        },
        "tasks": [
            {
                "task_id": "1f3da23c-7c5c-11ec-9f01-42010aa4000b",
                "time_stamp": "2022-01-23 14:52:44 UTC",
                "file_name": "b0bb095dd0ad8b8de1c83b13c38e68dd.exe",
                "task_parameters": {
                    "clamav_scan": 1,
                    "unpack": 1,
                    "share_file": 1
                },
                "unpacked_files_cnt": "2",
                "clamav_results": [
                    "PUA.Win.Packer.Upx-4",
                    "Win.Dropper.Gh0stRAT-9789289-0",
                    "Win.Dropper.Gh0stRAT-9789290-0",
                    "Win.Malware.FlyAgent-9850229-1",
                    "Win.Malware.Zusy-5710245-0"
                ],
                "static_results": [
                    {
                        "rule_name": "pe_imphash",
                        "author": "",
                        "description": "",
                        "reference": "",
                        "tlp": "WHITE"
                    },
                    {
                        "rule_name": "Skystars_Malware_Imphash",
                        "author": "Skystars LightDefender",
                        "description": "imphash",
                        "reference": "",
                        "tlp": "WHITE"
                    }
                ],
                "unpacker_results": [
                    {
                        "unpacked_file_name": "10000000.dll",
                        "unpacked_md5": "d87f7e2caa4e48c3f98d352a9e087ab8",
                        "unpacked_sha256": "8c7236d27b8dbaffcd64d9b5155e8c416f33102604ab27076d32c321681ae5c3",
                        "unpacked_yara_matches": [
                            {
                                "rule_name": "xxx",
                                "author": "xxx",
                                "description": "xxx",
                                "reference": "xxx",
                                "tlp": "GREEN"
                            },
                            {
                                "rule_name": "win_younglotus_auto",
                                "author": "Detects win.younglotus.",
                                "description": "",
                                "reference": "Felix Bilstein - yara-signator at cocacoding dot com",
                                "tlp": "WHITE"
                            },
                            {
                                "rule_name": "MALWARE_Win_Zegost",
                                "author": "Detects Zegost",
                                "description": "",
                                "reference": "ditekSHen",
                                "tlp": "WHITE"
                            }
                        ]
                    },
                    {
                        "unpacked_file_name": "400000.b0bb095dd0ad8b8de1c83b13c38e68dd",
                        "unpacked_md5": "b5c96bab82e2ca1f8b6246f58ce3ffed",
                        "unpacked_sha256": "bd1e271a049045633f995ba1d3a80176b2d2a117543e0972b0a2c5e0519cb9b2",
                        "unpacked_yara_matches": [
                            {
                                "rule_name": "with_urls",
                                "author": "Rule to detect the presence of an or several urls",
                                "description": "http:\/\/laboratorio.blogs.hispasec.com\/",
                                "reference": "Antonio Sanchez ",
                                "tlp": "WHITE"
                            },
                            {
                                "rule_name": "without_attachments",
                                "author": "Rule to detect the no presence of any attachment",
                                "description": "http:\/\/laboratorio.blogs.hispasec.com\/",
                                "reference": "Antonio Sanchez ",
                                "tlp": "WHITE"
                            },
                            {
                                "rule_name": "win_mbrlock_auto",
                                "author": "Detects win.mbrlock.",
                                "description": "",
                                "reference": "Felix Bilstein - yara-signator at cocacoding dot com",
                                "tlp": "WHITE"
                            }
                        ]
                    }
                ]
            },
            {
                "task_id": "e7cdd149-7c5b-11ec-9f01-42010aa4000b",
                "time_stamp": "2022-01-23 14:51:11 UTC",
                "file_name": "b0bb095dd0ad8b8de1c83b13c38e68dd.exe",
                "task_parameters": {
                    "clamav_scan": 1,
                    "unpack": 0,
                    "share_file": 1
                },
                "unpacked_files_cnt": "0",
                "clamav_results": [
                    "PUA.Win.Packer.Upx-4",
                    "Win.Dropper.Gh0stRAT-9789289-0",
                    "Win.Dropper.Gh0stRAT-9789290-0",
                    "Win.Malware.FlyAgent-9850229-1",
                    "Win.Malware.Zusy-5710245-0"
                ],
                "static_results": [
                    {
                        "rule_name": "pe_imphash",
                        "author": "",
                        "description": "",
                        "reference": "",
                        "tlp": "WHITE"
                    },
                    {
                        "rule_name": "Skystars_Malware_Imphash",
                        "author": "Skystars LightDefender",
                        "description": "imphash",
                        "reference": "",
                        "tlp": "WHITE"
                    }
                ],
                "unpacker_results": []
            },
            [...]
        ]
    }
}

As you can see, matches on non-public YARA rules (e.g. such from Malpedia) are being replaced with "xxx".

Query YARA rule


You can get a list of recent files matching a specific YARA rule by query the API as follow:

ParameterExampleComment
queryget_yara 
search_termMALWARE_Win_NeshtaYARA Rule you want to get results for
result_max100Optional: Max number of results you want to display (default: 25, max: 1'000)

Here's a sample curl command:

curl -X POST -d '{ "query": "get_yara", "search_term": "MALWARE_Win_Neshta" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "query_info": {
        "search_scope": "all time",
        "result_count": 13,
        "result_max": 500
    },
    "data": [
        {
            "sha256_hash": "5e3834ebbd42dbdbe6251efbf12869b3a70880f3535765ad8109b458543c8b2e",
            "file_size": 792412,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "37fe12185eceac065501e65ba3851463",
            "sha1_hash": "d29f33a7d26b7d7253e07bc7517779076a5b021f",
            "sha3_384_hash": "24f01256c2587cced649065378fd982298152ab5685d9f4c741c2cecd77a35ed3f878d69f65ef801640fb85aee071474",
            "first_seen": "2022-04-15 08:24:20 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": "43fd39eb6df6bf3a9a3edd1f646cd16e",
            "ssdeep": "12288:PGXqG\/H1k6hUvoNUrIE33T5zTTlL9O3ZO6epkflNaGD0u74tt+3hJLGgFqLM:PZwk6hUv\/sEnnL6zLaGD46LLGng",
            "tlsh": "T138F423C1EB53E7E1C8EF4D38920FFB6546642102AE00095779E68E58BDFC3B2335568A",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": null
        },
        {
            "sha256_hash": "b9807ee941907647ce285fab2687e4796f7f3c76afc5c8c9c141ca3568fcf87a",
            "file_size": 1576960,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "9161ee3cf96fda13ca70d450705b9002",
            "sha1_hash": "3f97d7d2fe39c0f0cddfa89a3f4066bf0d3bdb4b",
            "sha3_384_hash": "3734b149a09675adcb26c8775083dcd5ca037797c6e6262d6c89d19de6eeff8f731e6e71e80b20e515b4af35f5f7c39e",
            "first_seen": "2022-04-14 20:54:31 UTC",
            "last_seen": "2022-04-14 20:54:31 UTC",
            "sightings": 2,
            "imphash": null,
            "ssdeep": "24576:JB4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8zOkik9eZ:TjnJMnU4u8lG42KzOkikw",
            "tlsh": "T18B75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "7171717169e8e8e8"
        },
        {
            "sha256_hash": "1d580d9f99a387f0735bde436955d7595dfb4f7c41fc9968cc1aa78734fa4d2a",
            "file_size": 1578496,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "ea3f7b921ceca64d2100850cbef4aa55",
            "sha1_hash": "9b09dc4da34863ab96cad9ed4cf53e0d7b87ffef",
            "sha3_384_hash": "bcd24af5bd6a1b2602ca5916e0453f2f4a2f8543281051fd3bc3cd227d4cd8fb10b5c7cc1daa8cbd36162f7b13671bf2",
            "first_seen": "2022-04-12 16:15:34 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": null,
            "ssdeep": "24576:T4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8QOkik9eZ:TjnJMnU4u8lG42KQOkikw",
            "tlsh": "T1AE75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "7171717169e8e8e8"
        },
        [...]
}

Query ClamAV Signature


You can get a list of recent files associated with a specific ClamAV signature by query the API as follow:

ParameterExampleComment
queryget_clamav 
search_termWin.Dropper.Gh0stRAT-9789290-0ClamAV signature you want to get results for
result_max100Optional: Max number of results you want to display (default: 25, max: 1'000)

Here's a sample curl command:

curl -X POST -d '{ "query": "get_clamav", "search_term": "Win.Dropper.Gh0stRAT-9789290-0" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "query_info": {
        "search_scope": "all time",
        "result_count": 13,
        "result_max": 500
    },
    "data": [
        {
            "sha256_hash": "5e3834ebbd42dbdbe6251efbf12869b3a70880f3535765ad8109b458543c8b2e",
            "file_size": 792412,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "37fe12185eceac065501e65ba3851463",
            "sha1_hash": "d29f33a7d26b7d7253e07bc7517779076a5b021f",
            "sha3_384_hash": "24f01256c2587cced649065378fd982298152ab5685d9f4c741c2cecd77a35ed3f878d69f65ef801640fb85aee071474",
            "first_seen": "2022-04-15 08:24:20 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": "43fd39eb6df6bf3a9a3edd1f646cd16e",
            "ssdeep": "12288:PGXqG\/H1k6hUvoNUrIE33T5zTTlL9O3ZO6epkflNaGD0u74tt+3hJLGgFqLM:PZwk6hUv\/sEnnL6zLaGD46LLGng",
            "tlsh": "T138F423C1EB53E7E1C8EF4D38920FFB6546642102AE00095779E68E58BDFC3B2335568A",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": null
        },
        {
            "sha256_hash": "b9807ee941907647ce285fab2687e4796f7f3c76afc5c8c9c141ca3568fcf87a",
            "file_size": 1576960,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "9161ee3cf96fda13ca70d450705b9002",
            "sha1_hash": "3f97d7d2fe39c0f0cddfa89a3f4066bf0d3bdb4b",
            "sha3_384_hash": "3734b149a09675adcb26c8775083dcd5ca037797c6e6262d6c89d19de6eeff8f731e6e71e80b20e515b4af35f5f7c39e",
            "first_seen": "2022-04-14 20:54:31 UTC",
            "last_seen": "2022-04-14 20:54:31 UTC",
            "sightings": 2,
            "imphash": null,
            "ssdeep": "24576:JB4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8zOkik9eZ:TjnJMnU4u8lG42KzOkikw",
            "tlsh": "T18B75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "7171717169e8e8e8"
        },
        {
            "sha256_hash": "1d580d9f99a387f0735bde436955d7595dfb4f7c41fc9968cc1aa78734fa4d2a",
            "file_size": 1578496,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "ea3f7b921ceca64d2100850cbef4aa55",
            "sha1_hash": "9b09dc4da34863ab96cad9ed4cf53e0d7b87ffef",
            "sha3_384_hash": "bcd24af5bd6a1b2602ca5916e0453f2f4a2f8543281051fd3bc3cd227d4cd8fb10b5c7cc1daa8cbd36162f7b13671bf2",
            "first_seen": "2022-04-12 16:15:34 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": null,
            "ssdeep": "24576:T4gDb100oLvVt8LfdCIGCYNoMJcsfU4uat4fo\/lG4HfOvN8QOkik9eZ:TjnJMnU4u8lG42KQOkikw",
            "tlsh": "T1AE75AE23E54280FDD65820316CBB7F3ABDB497595A24CA83A7E8DE791F32251932730D",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "7171717169e8e8e8"
        },
        [...]
}

Query imphash


You can get a list of recent files associated with a specific imphash by query the API as follow:

ParameterExampleComment
queryget_imphash 
search_term680b9682922177224183342c299d809fimphash you want to get results for
result_max100Optional: Max number of results you want to display (default: 25, max: 1'000)

Here's a sample curl command:

curl -X POST -d '{ "query": "get_imphash", "search_term": "680b9682922177224183342c299d809f" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "query_info": {
        "search_scope": "all time",
        "result_count": 64,
        "result_max": 250
    },
    "data": [
        {
            "sha256_hash": "0278236466b0915e5b5fb228033a46c7ed1d9f29ce07f5784b3746e8ea64fadb",
            "file_size": 1750234,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "77bfdf73e32b496bb9f111c304b8fb95",
            "sha1_hash": "8a88235b7bc5a8e4cc233532e4011b2fae4ac257",
            "sha3_384_hash": "f9826bdc674c19a3867a3b1d78c0ba1897303d70eb7ed5eaa6755bed3f368caaaea9543bd84ea66b086b653b1e23b2dd",
            "first_seen": "2022-04-14 10:23:53 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": "680b9682922177224183342c299d809f",
            "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
            "tlsh": "T193859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "399998ecd4d46c0e"
        },
        {
            "sha256_hash": "72011546699b21166467da8d7bd37ff0d96717288519f3fad8c19750e39aca42",
            "file_size": 1771258,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "59f2c99f52c368a923c74621d8b4e6fd",
            "sha1_hash": "fe5e0f5cf0ebd90e17034483eb9a902dd5cdd7bc",
            "sha3_384_hash": "8038039ec77602fbfe8ac922a7e1509c42dcbf6f07713af294df84c780b438e9b85181eab199ed8bcc70bba259bb18be",
            "first_seen": "2022-04-14 10:17:43 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": "680b9682922177224183342c299d809f",
            "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
            "tlsh": "T1AE859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "399998ecd4d46c0e"
        },
        {
            "sha256_hash": "cb36a871888de7f8de75a2e0204526e07429390e9a15a7031406c9d3c2ee2207",
            "file_size": 1747228,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "825b058531390b5c602b02353a5fa550",
            "sha1_hash": "09b9844ff84985cba76060b8f982060287b77fde",
            "sha3_384_hash": "7e376e7c47642c0729d87337696e3b1940c91b0cd410668d642f37a8a492e7502d0daeda56529a710fa0f81a09aecf38",
            "first_seen": "2022-04-13 19:52:33 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": "680b9682922177224183342c299d809f",
            "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
            "tlsh": "T1F3859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "399998ecd4d46c0e"
        }
        [...]
}

Query tlsh


You can get a list of recent files associated with a specific tlsh by query the API as follow:

ParameterExampleComment
queryget_tlsh 
search_termT140551236C8E05951CAEFD73315186AF[...]tlsh you want to get results for
result_max100Optional: Max number of results you want to display (default: 25, max: 1'000)

Here's a sample curl command:

curl -X POST -d '{ "query": "get_tlsh", "search_term": "T140551236C8E05951CAEFD73315186AF983182477CCC9E5BB0E6B36D62CB6431A36B06D" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "query_info": {
        "search_scope": "all time",
        "result_count": 64,
        "result_max": 250
    },
    "data": [
        {
            "sha256_hash": "0278236466b0915e5b5fb228033a46c7ed1d9f29ce07f5784b3746e8ea64fadb",
            "file_size": 1750234,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "77bfdf73e32b496bb9f111c304b8fb95",
            "sha1_hash": "8a88235b7bc5a8e4cc233532e4011b2fae4ac257",
            "sha3_384_hash": "f9826bdc674c19a3867a3b1d78c0ba1897303d70eb7ed5eaa6755bed3f368caaaea9543bd84ea66b086b653b1e23b2dd",
            "first_seen": "2022-04-14 10:23:53 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": "680b9682922177224183342c299d809f",
            "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
            "tlsh": "T193859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "399998ecd4d46c0e"
        },
        {
            "sha256_hash": "72011546699b21166467da8d7bd37ff0d96717288519f3fad8c19750e39aca42",
            "file_size": 1771258,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "59f2c99f52c368a923c74621d8b4e6fd",
            "sha1_hash": "fe5e0f5cf0ebd90e17034483eb9a902dd5cdd7bc",
            "sha3_384_hash": "8038039ec77602fbfe8ac922a7e1509c42dcbf6f07713af294df84c780b438e9b85181eab199ed8bcc70bba259bb18be",
            "first_seen": "2022-04-14 10:17:43 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": "680b9682922177224183342c299d809f",
            "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
            "tlsh": "T1AE859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "399998ecd4d46c0e"
        },
        {
            "sha256_hash": "cb36a871888de7f8de75a2e0204526e07429390e9a15a7031406c9d3c2ee2207",
            "file_size": 1747228,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "825b058531390b5c602b02353a5fa550",
            "sha1_hash": "09b9844ff84985cba76060b8f982060287b77fde",
            "sha3_384_hash": "7e376e7c47642c0729d87337696e3b1940c91b0cd410668d642f37a8a492e7502d0daeda56529a710fa0f81a09aecf38",
            "first_seen": "2022-04-13 19:52:33 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": "680b9682922177224183342c299d809f",
            "ssdeep": "24576:nKtpZm23yqec9S5hZqT5\/ZMoK3EHBCTFvfrr+E+OLzO9AO4k17vvoA+rXBxQHKbC:nC3LoqNG0HBi1X+5OmmPA7Hj+hb",
            "tlsh": "T1F3859E62AE9D4876C076363C8C1F6259A8297E103D289C5E67E80D0DCF3A7917F2539F",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "399998ecd4d46c0e"
        }
        [...]
}

Query telfhash


You can get a list of recent files associated with a specific telfhash by query the API as follow:

ParameterExampleComment
queryget_telfhash 
search_termt1dd211d716b2195266ea0cd9088eca7[...]telfhash you want to get results for
result_max100Optional: Max number of results you want to display (default: 25, max: 1'000)

Here's a sample curl command:

curl -X POST -d '{ "query": "get_telfhash", "search_term": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "query_info": {
        "search_scope": "all time",
        "result_count": 9,
        "result_max": 250
    },
    "data": [
        {
            "sha256_hash": "56c438f5a581a639f3f3853f2a01d850f51faf0fdd50f4f07bbc0826a0aabe55",
            "file_size": 134572,
            "mime_type": "application\/x-executable",
            "md5_hash": "e259d954ad3f1b037c3ba0fbcf109a3c",
            "sha1_hash": "71d11d2e8dd7256136108752303f06746dd91a56",
            "sha3_384_hash": "9a1d4e5ab8c336d8d6c332716c317255c1eeec9de16c3896e258e71470d65408f86e9a5ddb84c780550e1020fdf5c39e",
            "first_seen": "2022-04-14 11:51:01 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": null,
            "ssdeep": "3072:TDvifpXS+5mdlV7fqEJ\/itr6xQds\/HQq5QEbOmyM\/9Ybfrr:TDvifpXS+5mdfbAp6xQds\/wqXbO3M\/9I",
            "tlsh": "T1A9D35C06FB418F13C4D617BAF9AF424933229B94E3EB730659285FB43F8665E0E53905",
            "telfhash": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f",
            "gimphash": null,
            "dhash_icon": null
        },
        {
            "sha256_hash": "27e74f5f1ffd22b209362964acc0de74b9ca4b2476766cd49764b6b245eb370c",
            "file_size": 134556,
            "mime_type": "application\/x-executable",
            "md5_hash": "a9fab86dbdffd6b239f8ce9dfd2dcf33",
            "sha1_hash": "19f5cde32036e688244ebfdf6b63efacc45cc989",
            "sha3_384_hash": "4e01ea80eeecc957c990f186e2e05351990bc8f31a27dd6d70da7997848bc3c704b2f4eefc36f49aaf17ee864c109bb7",
            "first_seen": "2022-04-13 20:51:03 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": null,
            "ssdeep": "3072:PEDfiXp7SnrDqtVcxBjRqBg9M\/m+RG6Ob2mKM\/9Yfkurr:PEDfiXp7SnrDectqBg9M\/xRSb2vM\/9YD",
            "tlsh": "T115D34C06FB418F13C4D617BAFAAF424933229B94E3EB730659185FB43F8665E0E53A05",
            "telfhash": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f",
            "gimphash": null,
            "dhash_icon": null
        },
        {
            "sha256_hash": "0023f54ea7e345d6791921be8c8636a22c7ef8edcfe9d64971d3cbec0c3b1a91",
            "file_size": 134572,
            "mime_type": "application\/x-executable",
            "md5_hash": "e399cfbb622bdf06872a146fd05655cd",
            "sha1_hash": "a1c988a49cf44053f7ad6db046eb89032cb4e16f",
            "sha3_384_hash": "41b5bf490dd895ed8711eeadcd5744255623230e4f6f897e4084269150e38ea5dd7db5890d3da393fbd7169d80f31fba",
            "first_seen": "2022-04-12 23:51:02 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": null,
            "ssdeep": "3072:f0DvinprSHrDqtVGDB3RJxQds\/neqfasb2mKM\/9M\/zrr:f0DvinprSHrDeGDJxQds\/eqfb2vM\/9Mz",
            "tlsh": "T1DBD34B46FB418F13C4D617BAF9AF424933229B94E3EB730649285FB43F8666E0E53905",
            "telfhash": "t1dd211d716b2195266ea0cd9088eca7b2512c97072349df33cf31849c24140aeea3ac4f",
            "gimphash": null,
            "dhash_icon": null
        },
        [...]
}

Query gimphash


You can get a list of recent files associated with a specific gimphash by query the API as follow:

ParameterExampleComment
queryget_gimphash 
search_terma081e2fab5999d99ed6be718af55[...]gimphash you want to get results for
result_max100Optional: Max number of results you want to display (default: 25, max: 1'000)

Here's a sample curl command:

curl -X POST -d '{ "query": "get_gimphash", "search_term": "a081e2fab5999d99ed6be718af55e93df171d14bc83c7ca5fdc0907edba0d338c" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "query_info": {
        "search_scope": "all time",
        "result_count": 1,
        "result_max": 25
    },
    "data": [
        {
            "sha256_hash": "631fc8da17bc3eb84718969a48b679237165887baede146faba6df842c80ab5c",
            "file_size": 7053280,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "132a961afc5b7846f72c5944798535f6",
            "sha1_hash": "5ff9a26cba1baa65d34dd53cd9b7913b8e524570",
            "sha3_384_hash": "9404fba96909631807b2821f17a21d6315ec5f068b0c146a5cb7c58b073d7462374f44080f4ba5e255d130e0de981a72",
            "first_seen": "2022-07-02 09:24:03 UTC",
            "last_seen": "2022-07-02 12:26:15 UTC",
            "sightings": 2,
            "imphash": "c7269d59926fa4252270f407e4dab043",
            "ssdeep": "98304:lcjs3aEh2qJechqerH0KCYXidWPpTuEVtTZtWAI4AmnXTj+q+c6q1:28dqcp0KC8iMBLvTZkAI\/m\/+cF1",
            "tlsh": "T12C668D43F89560E9C6EAD130CA75C2527B307888073027D36F65AABA6B73BD05FB9750",
            "telfhash": null,
            "gimphash": "a081e2fab5999d99ed6be718af55e93df171d14bc83c7ca5fdc0907edba0d338",
            "dhash_icon": null
        }
    ]
}

Query icon dhash


You can get a list of recent files associated with a specific icon dhash by query the API as follow:

ParameterExampleComment
queryget_dhash_icon 
search_term92264e9e361ccdeetelfhash you want to get results for
result_max100Optional: Max number of results you want to display (default: 25, max: 1'000)

Here's a sample curl command:

curl -X POST -d '{ "query": "get_dhash_icon", "search_term": "92264e9e361ccdee" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "query_info": {
        "search_scope": "all time",
        "result_count": 6,
        "result_max": 250
    },
    "data": [
        {
            "sha256_hash": "3d30ec7012f3477319137f7637f9879772e5ba3dcfc06dc341e8a4c14ea9598a",
            "file_size": 5427200,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "6ca7e57dad6a21d1f7aaf1aa030281a1",
            "sha1_hash": "66f37a918854e4ded2a335a085a9ea87374deef2",
            "sha3_384_hash": "2fce52c1c52383d4bebc5182f68431c81b241936193a318762bfa3bb8cbce9b9e7ebe8b00b66396c9d0cb61fbb5d7140",
            "first_seen": "2022-04-02 15:12:27 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": null,
            "ssdeep": "49152:eMdViVljGTvvC4cgeCcjoTkr3VNTqAFikjhpBn36DwkuxG+GgeGVQGouGU0:eKVijz3gXSoTol9vpBWwdRCaG",
            "tlsh": "T137469D12A6624877C37A0730DC6BA274B7F83D1C17FB5763B384B9DAAAB72407464346",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "92264e9e361ccdee"
        },
        {
            "sha256_hash": "4990abcda7532f88a7ae4b8731c14423260620276cc054b495a2d76c390747f8",
            "file_size": 1808896,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "0d0287c298c1e9cf54a0d92b0d75f21a",
            "sha1_hash": "fd309ba565157011973275d9cd11841119debb3a",
            "sha3_384_hash": "b0bdf049cccd822baec05f2f74c8ac128eec8a1b8ccef991fbe4537428b667f0ca1055f84f36cb5a0f38fcc4f7b62cb1",
            "first_seen": "2022-04-02 15:05:27 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": "4a99d91e1b68c500bb1244eb377c47a1",
            "ssdeep": "49152:2EPusxhC77OgLE2JqBc+MwlcF4SVJK91t23fPvVD7fZ:SYy73K2UL3tO1fZ",
            "tlsh": "T14E85226344B237EADBB3B1B692389D16F59A6C34C64A8319C381F9762FFDC5641B40E0",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "92264e9e361ccdee"
        },
        {
            "sha256_hash": "84368982d6f2253dcc10371cf1f7079199e0e1df21bb9608b0f73103b53283a8",
            "file_size": 5427200,
            "mime_type": "application\/x-dosexec",
            "md5_hash": "44f2ea6379dd28895c62792dbf19713d",
            "sha1_hash": "0b667870d8daf13825f4ae8fbf9467f6f39a4e1b",
            "sha3_384_hash": "4056f3bd6fd0d9150f7c1edd5f9aa591e3df9146a0761eaa6677aabca15d6b485a4bdf44ea80267824df1b6b6b86ff44",
            "first_seen": "2022-03-30 12:16:05 UTC",
            "last_seen": null,
            "sightings": 1,
            "imphash": null,
            "ssdeep": "49152:tnYVqVljGTvvCpcCewc2Lyw9XTsTqFF2T36Yq6CHiiFCzoxv4YN:tYVqjzOCdrLyCjH2T7LCHigC8xv4",
            "tlsh": "T17D46AD12A6514C77C2790330DC6BA678B7F83D0C27FB5763B384B9DAAAB72907464346",
            "telfhash": null,
            "gimphash": null,
            "dhash_icon": "92264e9e361ccdee"
        },
        [...]
}

Download a file


You can download a file from YARAify by query the API as follow:

ParameterExampleComment
queryget_file 
sha256_hasha638404ab71199981be143591853b[...]sha256 hash of the file you want to download

Here's a sample curl command:

curl -X POST -d '{ "query": "get_file", "sha256_hash": "a638404ab71199981be143591853b713b8826a82904a1cf72675de6bb026c8f9" '} https://yaraify-api.abuse.ch/api/v1/
        

Please note that files for which the reporter has choosen the no sharing option are not available for download.

Download an unpacked file


You can download an unpacked file from YARAify by query the API as follow:

ParameterExampleComment
queryget_unpacked 
sha256_hasha638404ab71199981be143591853b[...]sha256 hash of the file you want to download

Here's a sample curl command:

curl -X POST -d '{ "query": "get_unpacked", "sha256_hash": "de7fa65d5cd5314ba0ce6ab19a7dcd9853639a1152447457de7efb39a9ba1f46" '} https://yaraify-api.abuse.ch/api/v1/
        

Please note that files for which the reporter has choosen the no sharing option are not available for download.

List recently deployed YARA rules


You can get a list of the most recent deployed YARA rules on YARAify as follow. Please take note that the author of the YARA rule must have set the YARA rule's meta field yarahub_rule_matching_tlp to TLP:WHITE.

ParameterExampleComment
queryrecent_yararules 

Here's a sample curl command:

curl -X POST -d '{ "query": "recent_yararules" '} https://yaraify-api.abuse.ch/api/v1/
        

A response from this API endpoint looks like this:

{
    "query_status": "ok",
    "data": [
        {
            "time_stamp": "2022-05-01 08:10:52 UTC",
            "yarahub_uuid": "1b95ce79-6034-4740-8e45-5f0840602d1a",
            "rule_name": "win_danabot",
            "author": "Johannes Bader",
            "description": "detects DanaBot",
            "date": "2022-04-19",
            "yarahub_license": "CC BY-SA 4.0",
            "yarahub_author_twitter": "@viql",
            "yarahub_reference_link": "https:\/\/test.ch\/bla",
            "yarahub_reference_md5": "8195d9c7b7193e9c63137d156df7b6f3",
            "yarahub_rule_matching_tlp": "TLP:WHITE",
            "yarahub_rule_sharing_tlp": "TLP:WHITE",
            "malpedia_family": "win.danabot"
        },
        [...]
    ]
}

Download a specific YARA rule


You can download a specific YARA rule present on YARAhub. Please take note that the author of the YARA rule must have set the YARA rule's meta field yarahub_rule_sharing_tlp to TLP:WHITE to allow sharing of the YARA rule in public.

ParameterExampleComment
queryget_yara_rule 
uuid1b95ce79-6034-4740-8e45-5f0840602d1aUUID of the YARA rule you want to download

Here's a sample curl command:

curl -X POST -d '{ "query": "get_yara_rule", "uuid": "1b95ce79-6034-4740-8e45-5f0840602d1a" '} https://yaraify-api.abuse.ch/api/v1/
        

Download all available YARA rule


You can download all available YARA rules that are currently present in YARAhub. Please take note that the author of the YARA rule must have set the YARA rule's meta field yarahub_rule_sharing_tlp to TLP:WHITE to allow sharing of the YARA rule in public.

Here's a sample curl command:

curl https://yaraify-api.abuse.ch/download/yaraify-rules.zip --output yaraify-rules.zip
        

Or simply click on the following download link:

Download all YARA rules

Note that the file gets generated every 5 minutes. Please do not fetch it more often than that.

Example scripts


You can find a handful example scripts for how to interacting with the YARAify API on our github repository: