API Documentation

Notice - API Usage

This API only accepts hash values (MD5, SHA-1, SHA-256). File uploads via the API are not supported. To analyze files, please submit them manually via the main service screen.

Response Elements

List Format

• AVServices - Refers to services related to antivirus software, which may be targeted or manipulated by malware to disable or evade detection.
• AVServices(UNICODE) - The Unicode representation of antivirus services, potentially used to bypass detection mechanisms that rely on standard character encoding.
• AntiVMSandboxDebugTricks - Techniques employed by malware to detect and evade analysis in virtual machines, sandboxes, or debuggers, often by checking for specific artifacts or behaviours indicative of such environments.
• AntiVMSandboxDebugTricks(UNICODE) - The Unicode representation of anti-VM, sandbox, and debugger evasion techniques, which may be used to obfuscate detection methods targeting these environments.
• BinderJoinerCrypter - A tool or technique that combines multiple malicious payloads into a single executable, often encrypting them to evade detection and facilitate delivery.
• DuplicateSections - Refers to the presence of multiple sections within a file that are identical or nearly identical, a technique used to obfuscate the file's true purpose or to evade detection by signature-based scanners.
• EntryPoint - The initial point of execution in a program, which may be manipulated by malware to control the flow of execution and evade detection.
• FileAccess - Refers to the permissions and methods by which a file can be read, written, or executed, which may be exploited by malware to gain unauthorized access to system resources.
• FileAccess(UNICODE) - The Unicode representation of file access methods, potentially used to bypass detection mechanisms that rely on standard character encoding.
• IntelligentString - A module responsible for using exclusive methods to identify notable strings when performing a malware analysis.
• IPAddresses - Module designed for extracting IP addresses from within the analyzed file.
• InterestsWords - Specific words or phrases that are of interest in the context of malware analysis, often used to identify patterns or indicators of compromise.
• InterestsWords(UNICODE) - The Unicode representation of interest words, potentially used to bypass detection mechanisms that rely on standard character encoding.
• KnownIPDomains - List of known IP addresses and Domains that have been identified through comparison in the analyzed file.
• KnownIPDomains(UNICODE) - The Unicode representation of known IP addresses and Domains that have been identified through comparison in the analyzed file.
• Payloads - The part of the malware that performs the intended malicious action, such as data exfiltration, system compromise, or denial of service.
• Signatures - Verification of known signatures such as the integrity of the Rich Signature or the status of the signed executable.
• URLs - Uniform Resource Locators that may be used by malware to download additional payloads, communicate with command and control servers, or exfiltrate data.
• URLs(UNICODE) - The Unicode representation of URLs, potentially used to bypass detection mechanisms that rely on standard character encoding.
• WindowsREG - Refers to the Windows Registry, a hierarchical database used by the Windows operating system to store configuration settings and options, which may be manipulated by malware to maintain persistence or evade detection.
• WindowsREG(UNICODE) - The Unicode representation of Windows Registry entries, potentially used to bypass detection mechanisms that rely on standard character encoding.
• ETFunctions(carving) - Functions specifically designed to extract and recover the names of exported functions listed in the Export Table. These functions utilize carving techniques to locate and reconstruct data, even in cases where the Export Table might be partially corrupted or obfuscated.

Structured Format

• Information
  • Architecture - Specifies the system architecture (e.g., x86, x64) that the file is built for, indicating whether the file is intended for 32-bit or 64-bit systems.
  • EntryPointRVA - The Relative Virtual Address (RVA) pointing to the entry point in the code, where the execution of the program starts when loaded into memory.
  • ExportTable - Contains the list of all functions and data that the executable exports for use by other programs, detailing what is accessible externally.
  • FileType - Describes the type of the file, such as executable, dynamic link library (DLL), or other binary formats.
  • Imphash - A hash value derived from the import table, used to uniquely identify files based on their external function dependencies.
  • ImageBase - The preferred base address where the executable image is loaded in memory, influencing how the operating system manages memory allocations for the file.
  • MajorOSVersion - Represents the major version number of the operating system that the file is compatible with (e.g., Windows 10, Windows 7).
  • MinorOSVersion - Represents the minor version number of the operating system that the file is compatible with (used alongside MajorOSVersion to define the full OS version).
  • IAT - Refers to the Import Address Table, which contains the memory addresses of functions imported from external DLLs used by the executable.
  • MD5Hash - The MD5 hash of the file, a checksum used to verify file integrity and detect any tampering or corruption.
  • NumberOfExecutableSections - The number of sections within the file that are marked as executable, indicating areas where code can run.
  • NumberOfSections - The total number of sections within the PE (Portable Executable) file, which could include code, data, and other resources.
  • SHA-1Hash - The SHA-1 hash of the file, providing a more secure method of file integrity verification than MD5.
  • SHA-256Hash - The SHA-256 hash of the file, used for strong verification and detecting changes in the file's content.
  • SectionNames - The names of the sections in the PE file, which help identify and categorize the contents, such as `.text`, `.data`, `.rdata`, etc.
  • Size - The total size of the file in bytes, providing an overall indication of how large the binary is.
  • SizeOfHeaders - The size of the PE headers, which include important metadata such as entry points and section information.
  • SizeOfImage - The total size of the image in memory once loaded, including all sections and headers.
  • Subsystem - The subsystem type defines the environment the executable expects to run in (e.g., Windows GUI, console application, native Windows).
  • UACExecutionLevelManifest - The User Account Control (UAC) execution level specified in the file's manifest, determining whether elevated permissions are required to run the program.
  • TimeDateStamp - A timestamp indicating when the file was created or last modified, typically stored as a Unix timestamp.
  • CheckSum - A checksum value used to verify the integrity of the PE file to ensure it hasn't been altered or corrupted.
• Description
  • CompanyName - The name of the company or organization associated with the creation or distribution of the file.
  • FileVersion - The version number of the file, which helps in tracking changes, bug fixes, and updates to the executable.
  • InternalName - An internal identifier or name for the file, often used by developers or within the software's source code.
  • LegalCopyright - Information about the copyright holder, detailing the legal protection granted to the file's content.
  • LegalTrademarks - Trademarks associated with the file, typically indicating intellectual property rights or brand identity related to the product.
  • OriginalFilename - The original filename of the file, which may differ from the current name if it has been renamed or modified.
  • ProductName - The name of the product that the file is associated with, such as a software suite or application.
• SectionsInfo
  • Name - The name of each section in the file, such as `.text`, `.data`, `.rdata`, which represents different types of data (code, read-only data, etc.).
  • Flags - Section flags indicate the characteristics of the section (e.g., executable, read-only, writable), affecting how the operating system handles them.
  • ROffset - The raw offset within the file to the beginning of the section, giving its position in the raw data stream.
  • RSize - The raw size of the section, describing how much space is allocated to it in the raw file.
  • VOffset - The virtual offset of the section, indicating its position in the memory map when the file is loaded into memory.
  • VSize - The virtual size of the section, representing the amount of memory allocated to the section when loaded into memory.
• PECarving
  • StartIn - The start position in the file from which the PE section begins, useful in forensic analysis for extracting executable code from fragmented files.
  • EndsIn - The end position of the PE carving, marking the conclusion of the extracted PE data.
  • SizeBytes - The size in bytes of the carved PE section, indicating how much data was successfully extracted.
• PackerCompiler
  • Compiler - The name of the compiler used to create the executable, which can provide clues about the development environment and tools.
  • Entropy - A measure of randomness or disorder within the file, often used to detect packed or obfuscated files that attempt to evade analysis.
  • PE - Indicates whether the file has been packed using a packing tool, which compresses or encrypts the executable to obfuscate its content.
  • PE+(64) - Identifies whether the file is a 64-bit variant of a packed PE file, useful for distinguishing between 32-bit and 64-bit executables.
• ExtraAnalysis
  • AsciiCode - An analysis of ASCII code sequences found within the file, highlighting potential areas of interest such as strings, commands, or hidden data.
  • TotalAscii - The total number of ASCII characters found in the file, useful for understanding the presence of human-readable data or malware signatures.
  • NullByteCode - An analysis of null byte occurrences, which can indicate padding or manipulation of file structures.
  • TotalNullBytes - The total number of null bytes in the file, which could be a sign of certain types of obfuscation or packed data.
  • NOP(0x90)BlockCount - The number of NOP (No Operation) instructions, which can be used as padding in packed files or in buffer overflow exploits.
  • NOP(0x90)TotalCave - The total amount of NOP slide (cave) space, often used in exploits or when the file contains packed data.
• Resources

  In the Resources section of a portable executable (PE) file, it is possible to identify built-in executables or shellcode expressed in list format.

  • Path - The path where the resource is located, typically indicating whether it is embedded or external to the main executable.
  • DataRVA - The Relative Virtual Address of the resource's data, which points to the location of the resource once the file is loaded into memory.
  • Size - The size of the resource, indicating how much memory or disk space is required to store the resource.
  • FileOffset - The offset within the file where the resource's raw data begins, useful for extracting or analyzing the resource directly from the binary.
  • Code - The raw hexadecimal of the resource's data, often used for further inspection or disassembly to identify patterns or signatures.
  • Text - The textual content associated with the resource, often extracted for analysis or inspection to detect embedded strings or other relevant information.
• FileRules

  Rules defined for identifying patterns within the file.

  • RuleText(Ascii) - Rules for detecting ASCII text patterns within the file.
  • RuleText(Unicode) - Rules for detecting Unicode text patterns within the file.
  • RuleHex - Rules for detecting hexadecimal string patterns within the file.
  • EPRules - Rules for analyzing the entry point of the executable.
• FlowAnomalies

  The Flow Anomalies section reports unusual or suspicious control flow patterns detected during static analysis. This includes both indirect call/jump instructions and obfuscated jump sequences that may indicate anti-disassembly or evasion techniques.

  • Offset - The file offset of the anomalous instruction or sequence, provided in hexadecimal format.
  • RVA - Relative Virtual Address of the instruction or sequence, if determinable, within its corresponding section.
  • Section - The name of the PE section (e.g., .text, .rdata) where the anomaly is located.
  • Details - A descriptive message identifying the anomaly type, such as:
    Indirect jump via pointer at address in EDX or Potential obfuscated jump sequence detected (12 chained jumps).

If the analysis was performed with a Valid Code, the following structure will be generated:

• Files
  • Strings - Contains all the strings found within the file, encoded entirely in Base64 format.
  • ImportTable - Details of the import table, which lists all external functions and symbols that the file references.
  • ExportTable - Details of the export table, which lists all functions and symbols that the file makes available to other modules.
  • History - Information about the file's creation and modification history, including timestamps and version information.
  • YaraRule - A YARA rule associated with the file, encoded entirely in Base64 format.