API Documentation

General Information

The API is exposed on the following base URL: https://exalyze.io/api/

Authentication

For authenticating with the API you must include the X-Api-Key header with your personal API key in all your requests.

Your API key can be found on your account page.

Warning

Keep your API key secure and don’t share it with other people.

Always use HTTPS instead of HTTP for making your requests.

Errors

The API emits a standardized payload in case of error.

{
  "error": {
    "code": "INVALID_FILTER",
    "description": "The query contains an invalid search filter",
    "details": {
      "reason": "FOO is not a valid sample type, supported values are PE or ELF"
    },
    "name": "Invalid search filter value",
    "request_id": "62db241d-c27b-4c6a-9d43-ad5c8b917bf7"
  }
}

It is composed by the following fields:

  • code (string) is a standardized error that is interpretable by a client.

  • description (string) is a human readable description of the error.

  • details (any) error dependant payload, providing detailed information on the error

  • name (string) human readable name of the error

  • request_id (string) an id that will help us to debug if you provide it

Error codes and HTTP Codes

The API can emit the following error codes, associated with HTTP status codes in case of error. Some HTTP endpoints can return domain specific error codes. Please refer to the endpoint documentation for details.

Error Code

HTTP Code

Description

BAD_REQUEST

400

General error indicating that the server was not able to understand the incoming request. For example, the Content-Encoding header is not set to application/json.

UNAUTHORIZED

401

General error indicating that either the request was not authenticated.

NOT_FOUND

404

General error indicating that the requested resource does not exist.

REQUEST_ENTITY_TOO_LARGE

413

General error indicating that request payloads exceeds the server limit.

UNPROCESSABLE_ENTITY

422

General error indicating that the server understood the request but was unable to perform it because of an invalid payload.

OUT_OF_QUOTA

429

Error indicating that the current user ran out of quota for the current feature.

INTRNAL_ERROR

500

General error indicates that the server encountered an unexpected error. Please contact us with the request_id if this happens too frequently.

API Endpoints

POST /api/sample/push

This endpoint is used for uploading samples to analyze.

Request payload

The samples to upload must be sent using multipart/form-data encoding and a POST method

Note

The total upload size is currently limited to 25MB

Query parameters

  • confidentiality: The confidentiality of the sample. Can be one of PUBLIC, SENSITIVE, CONFIDENTIAL, defaults to PUBLIC.

Response status

202 the server has scheduled the sample for analysis

Response payload

The API returns a JSON list of dictionaries containing for each sample submitted the following elements:

  • filename: The filename used for the upload

  • report_url: The report URL, which can be used to access information about the sample once the analysis is completed

  • run_id: The analysis ID, which can be used in the Get Analysis status endpoint to get the status of the analysis

  • sha256: The SHA256 hash of the submitted sample

{
  "analyses": [
    {
      "filename": "Old2008-2010__0F77AF7FA673F5B3D36B926576002A1C_winhlp32.exe",
      "report_url": "https://exalyze.io/sample/e4b7fb80fe8a5b6462b00f82d7d9389fa7724e8449a0bdeef8607a4af3e03481/report",
      "run_id": "6dde6ae5-2444-4a36-abb4-a6d2595f3a6e",
      "sha256": "e4b7fb80fe8a5b6462b00f82d7d9389fa7724e8449a0bdeef8607a4af3e03481"
    }
  ]
}

Example

Example file uploading using curl
 curl -H'X-Api-Key: API_KEY' -F'file=@/PATH_TO_THE_FILE_TO_UPLOAD' https://exalyze.io/api/sample/push?confidentiality=SENSITIVE

Error Codes

Error Code

HTTP Code

Description

MISSING_CONTACT_EMAIL

422

The current user account doesn’t have a contact email set, Happens when pushing with the SENSITIVE confidentiality

INVALID_CONFIDENTIALITY

422

The provided confidentiality is invalid, allowed values are PUBLIC, SENSITIVE and CONFIDENTIAL

POST /api/sample/search

This endpoint allows searching for samples.

Request payload

This endpoint expects the following JSON payload describing the search query.

⚠️The Content-Type header set to application/json is expected by the server

Example of a payload querying the third page of all the samples similar to the sample cbc54f8c60aa5ddaaaaba51a24e37e64fdaef8587e1da7b9de35fdbcda76de66, embedding the IP address 8.8.8.8 and having the suffix crosoft in its CompanyName.
{
  "page": 2,
  "filters": [
    {
      "type": "similar_to",
      "value": "cbc54f8c60aa5ddaaaaba51a24e37e64fdaef8587e1da7b9de35fdbcda76de66",
    },
    {
      "type": "ip",
      "value": "8.8.8.8",
    },
    {
      "type": "company_name",
      "value": "*crosoft",
    },

  ]
}

The root object is composed by the following attribute

  • page The page of results, default to 0. Only users with an active subscription can set a page > 0

  • filters An array of at least one filter objects

A filter objects is composed by the following fields.

  • type: The type of the filter

  • value: Value of the filter

Some filters expect exact values, others expect a pattern matching the value. Patterns are described using the * character representing one or more characters matching. For instance, either M*crosoft, *crosoft, microsoft and micro* match the value Microsoft

All the filters are combined using a logical AND

The following types of filters are available for all authenticated users

Filter Type

Description

*

Exact value of the sha256, sha1, md5, imphash or richhash hashes of the sample

md5

Exact value of the md5 hash of the sample

sha1

Exact value of the sha1 hash of the sample

sha256

Exact value of the sha256 hash of the sample

imphash

Exact value of the imphash of the sample

richhash

Exact value of the richhash of the sample

original_filename

(PE only) Pattern matching on OriginalFilename metadata of the sample

company_name

(PE only) Pattern matching on CompanyName metadata of the sample

file_description

(PE only) Pattern matching on FileDescription metadata of the sample

file_version

(PE only) Pattern matching on FileVersion metadata of the sample

internal_name

(PE only) Pattern matching on InternalName metadata of the sample

legal_copyright

(PE only) Pattern matching on LegalCopyright metadata of the sample

product_name

(PE only) Pattern matching on ProductName metadata of the sample

product_version

(PE only) Pattern matching on ProductVersion metadata of the sample

pdb

(PE only) Pattern matching on Pdb metadata of the sample

submit_filename

Pattern matching on the known filenames for a sample

ip

Exact value of an ipv4 address extracted from the sample

domain

Pattern matching on the extracted domains for a sample

url

Pattern matching on the extracted URLs for a sample

similar_to

Similar samples of the given sample (idientified by the SHA256) using Control Flow Graph similarity

size_below

Sample size below in bytes, supports the following units b, kb, mb

size_above

Sample size above in bytes, supports the following units b, kb, mb

functions_below

Analyzed functions count below

functions_above

Analyzed functions count above

type

Type of the sample, supported values are PE or ELF

bitness

Bitness of the sample, supported values are 32 or 64

max_capabilities_suspiciousness_below

Max capabilties suspiciousness score below

max_capabilities_suspiciousness_above

Max capabilties suspiciousness score above

with

Filter samples with a given flag. Allowed values are packed, capabilities, yaras, publications

without

Filter out samples with a given flag. Allowed values are packed, capabilities, yaras, publications

The following types of filters are available for all users with an active subscription

Filter Type

Description

yara

Pattern matching on the yara rule name matched by the sample

capa

Pattern matching on the capabilities name of the sample

publication

Pattern matching on a publication title

Response status

200 The server has successfully executed the query

Response payload

{
  "matches": [
    {
      "bitness": 32,
      "entropy_match_score": 98,
      "first_submit_filename": "b8fb54330abf1c3fc6cf5096582851ae3d8345f91fc8260660b33ceaf4217e7f",
      "has_yara_matches": true,
      "last_analyzed_at": "2025-10-24T10:13:54.171891+00:00",
      "match_score": 100.0,
      "report_url": "http://localhost:5003/sample/b8fb54330abf1c3fc6cf5096582851ae3d8345f91fc8260660b33ceaf4217e7f/",
      "sha256": "b8fb54330abf1c3fc6cf5096582851ae3d8345f91fc8260660b33ceaf4217e7f",
      "type": "ELF",
      "max_capabilities_suspiciousness_score": 60,
      "is_packed": false
    },
    {
      "bitness": 32,
      "entropy_match_score": 99,
      "first_submit_filename": "a4d6fcd0b0852e7dd4b304a35a11b920fd51eab3a15ffc9c7f480bef479b5a73",
      "has_yara_matches": true,
      "last_analyzed_at": "2025-10-24T10:13:54.124456+00:00",
      "match_score": 100.0,
      "report_url": "http://localhost:5003/sample/a4d6fcd0b0852e7dd4b304a35a11b920fd51eab3a15ffc9c7f480bef479b5a73/",
      "sha256": "a4d6fcd0b0852e7dd4b304a35a11b920fd51eab3a15ffc9c7f480bef479b5a73",
      "type": "ELF"
      "max_capabilities_suspiciousness_score": 40,
      "is_packed": false,
      "has_publications": true
    },
  ],
  "meta": {
    "total_matches": 2
  }
}

The response payload is composed by a single JSON object carrying the following fields:

  • meta meta information on the result.

  • matches an array of sample matches objects. Maximum of 50 matches per page.

The meta objects embeds the following fields

  • total_matches the total matches of the query

A sample match object is composed by the following fields:

  • sha256 (string) Sha256 of the matched sample

  • first_submit_filename (string) First known filename of that sample

  • type (string) Type of the sample, ELF or PE

  • bitness (int) bitness of the matched sample, 32 or 64

  • last_analyzed_at (string) ISO 8601 timestamp of when the sample was analyzed for the last time.

  • has_yara_matches (boolean) Indicates if this sample matches any Yara rules in Exalyze

  • report_url (string) Link to the sample report in Exalyze

  • max_capabilities_suspiciousness_score (int) Score between 0-100 indicating the maximum suspiciousness score encountered in the sample capabilities

  • is_packed (bool) true if Exalyze considers that this sample is packed.

  • has_publications (bool) true if Exalyze knows about publications about this sample

When the similar_to filter, two additional fields are appended

  • match_score (float) control flow graph similarity score, between 0 and 100.0, the higher the most similar

  • entropy_match_score (float) entropy map similarity score, between 0 and 100.0, the higher the most similar

Example

With the example query in a file on disk

Example sample search using curl
curl --header "X-Api-Key: API_KEY"  --json @QUERY_FILE_PATH https://exalyze.io/api/sample/search

Error Codes

Error Code

HTTP Code

Description

UNKNOWN_FILTER

422

The query contains one or multiple filters that the server doesn’t understand

UPGRADE_REQUIRED

422

The query contains one or mutliple filters that require an active subscription to be used

INVALID_QUERY

422

The query contains one or mutliple invalid statements, check the details for for more information

POST /api/sample/<SHA256>/reanalyze

This endpoint is used for reanalyzing a sample from the API.

Path parameters

  • SHA256 The SHA256 hash of the sample to reanalyze

Response status

202 The server has scheduled the sample for analysis

Response payload

Same as the POST /api/sample/push endpoint

GET /api/sample/<SHA256>

This endpoint is used for getting basic information about a sample

Path parameters

  • SHA256 The Sha256 hash of the sample to reanalyze

Response payload

{
  "meta": {
    "report_url": "http://localhost:5003/sample/8cd25f3890b83cca1983424be8866191f6cdc63006e9d7b84d97c333cb4d149a/"
  },
  "sample": {
    "bitness": 32,
    "capabilities": [
      {
        "description": "Can list running processes",
        "name": "process_list_01",
        "suspiciousness_score": 40
      },
      {
        "description": "Can remove a file",
        "name": "remove_file_01",
        "suspiciousness_score": 30
      },
      {
        "description": "Can copy a file",
        "name": "write_file_02",
        "suspiciousness_score": 30
      },
      {
        "description": "User temporary folder",
        "name": "temp_file_01",
        "suspiciousness_score": 30
      },
      {
        "description": "Can write a file",
        "name": "write_file_01",
        "suspiciousness_score": 30
      }
    ],
    "compilation_time": "2019-08-19T19:18:09+00:00",
    "domains": [],
    "dotnet": false,
    "first_submit_filename": "8cd25f3890b83cca1983424be8866191f6cdc63006e9d7b84d97c333cb4d149a",
    "has_premium_yara_matches": false,
    "imphash": "b83b4c7be0b1cdd8e117bba9096d9768",
    "is_packed": false,
    "ip_addresses": [
      {
        "address": "185.73.124.42",
        "type": "IPV4"
      }
    ],
    "last_analyzed_at": "2025-10-27T13:50:20.983752+00:00",
    "max_capabilities_suspiciousness_score": 40,
    "md5": "cc64f95a4208489ff4d7e00d84ef92c5",
    "mitre_tactics": [
      {
        "description": "Defense Evasion",
        "id": "TA0005",
        "techniques": [
          {
            "description": "Indicator Removal",
            "id": "T1070"
          }
        ]
      },
      {
        "description": "Discovery",
        "id": "TA0007",
        "techniques": [
          {
            "description": "Process Discovery",
            "id": "T1057"
          }
        ]
      }
    ],
    "richhash": "b6e6ba7d2ea099153201236a27b84bdd",
    "sha1": "7d8a4bf93e558db774ccf9054cfc72825df9e9cc",
    "sha256": "8cd25f3890b83cca1983424be8866191f6cdc63006e9d7b84d97c333cb4d149a",
    "size": 16384,
    "total_funcs": 130,
    "type": "PE",
    "urls": [],
    "has_publications": true,
    "publications":[
      {
        "title": "Example blog",
        "url": "https://example.com/blog"
      }
    ],
    "yara_matches": [
      {
        "author": "Felix Bilstein - yara-signator at cocacoding dot com",
        "date": "2024-10-31T00:00:00+00:00",
        "description": "autogenerated rule brought to you by yara-signator",
        "modified": "2024-11-11T00:00:00+00:00",
        "name": "MALPEDIA_Win_Systembc_Auto",
        "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",
        "source_url": "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.systembc_auto.yar#L1-L120",
        "tags": [
          "FILE"
        ]
      },
      {
        "author": "Thomas Barabosch, Deutsche Telekom Security",
        "date": "2022-03-13T00:00:00+00:00",
        "description": "Detects unpacked SystemBC module",
        "modified": "2022-03-13T00:00:00+00:00",
        "name": "TELEKOM_SECURITY_Win_Systembc_20220311",
        "reference": "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
        "source_url": "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/systembc/systembc.yara#L1-L27",
        "tags": [
          "FILE"
        ]
      },
      {
        "author": "Heurs",
        "date": "2020-12-30T00:00:00+00:00",
        "description": "SystemBC backdoor",
        "modified": "2024-03-25T00:00:00+00:00",
        "name": "SystemBC_01",
        "source": "exatrack"
      }
    ]
  }
}

The response payload is JSON object containing the following attributes about the sample:

  • meta: Metadata object about the sample

  • sample: a JSON object representing the sample

The metadata object is composed by the following attributes

  • report_url: URL of the sample report view on Exalyze

The sample object is composed by the following attributes:

  • md5 The sample MD5 hash

  • sha1 The sample SHA1 hash

  • sha256 The sample SHA256 hash

  • size The sample size in bytes

  • bitness The sample bitness (32 or 64)

  • type The sample type (PE or ELF)

  • total_funcs The amount of functions detected in the sample

  • dotnet Set to true when Exalyze analyzed Dotnet functions, otherwise false

  • last_analyzed_at ISO 8601 timestamp of when the sample was analyzed for the last time

  • first_submit_filename The first public submission filename known to Exalyze

  • has_premium_yara_matches Set to true when the sample matches Exalyze premium Yara ruleset

  • is_packed true if Exalyze considers that this sample is packed.

  • richhash (PE Only) The sample rich hash when available

  • imphash (PE Only) The sample import hash when available

  • pdb (PE Only) The sample PDB extracted from the PE metadata

  • compilation_time (PE Only) The sample compilation time extracted from the PE metadata

  • original_filename (PE Only) The sample original filename extracted from the PE metadata

  • company_name (PE Only) The sample company name extracted from the PE metadata

  • file_description (PE Only) The sample file description extracted from the PE metadata

  • file_version (PE Only) The sample file version extracted from the PE metadata

  • internal_name (PE Only) The sample internal name extracted from the PE metadata

  • legal_copyright (PE Only) The sample legal copyright extracted from the PE metadata

  • product_name (PE Only) The sample product name extracted from the PE metadata

  • product_version (PE Only) The sample product version extracted from the PE metadata

  • max_capabilities_suspiciousness_score Score between 0-100 indicating the maximum suspiciousness score encountered in the sample capabilities

  • capabilities An array of objects describing the capabilities detected on this sample

    • name: The name of the capability

    • description: Human readable description of the capability

    • suspiciousness_score: Score between 0-100 indicating the capability suspiciousness

  • mitre_tactics An array of objects describing the ATT&CK tactics used by this sample

    • id The identifier of the tactic

    • description Human readable description of the tactic

    • techniques An array of objects containing the ATT&CK techniques detected on this sample

      • id The identifier of the technique

      • description human readable description of the technique

  • yara_matches An array of objects describing the Yara rules matched by this sample

    • name The name of the matched Yara rule

    • description Human readable description of the matched Yara rule

    • author Author of the matched Yara rule (when available)

    • source Text reference to the matched Yara rule source (when available)

    • source_url URL to the matched Yara rule source (when available)

    • license License of the matched Yara rule (when available)

    • license_url URL to the license of the matched Yara rule (when available)

    • tags An array of tags associated to the matched Yara rule (when available)

    • date ISO 8601 timestamp of the creation date of the matched Yara rule (when available)

    • modified ISO 8601 timestamp of the last modification date of the matched Yara rule (when available)

  • ip_addresses An array of objects representing the IP addresses extracted from this sample

    • type Type of the IP address IPV4 or IPV6

    • address Value of the IP address

  • urls An array of objects representing the URLs addresses extracted from this sample

    • url Value the URL

  • domains An array of objects representing the domains addresses extracted from this sample

    • domain Value the domain

  • has_publications Set to true if the sample has known publications

  • publications An array of object representing a publication refering to the sample

    • url URL of the publication

    • title Title of the publication

    • published_at: ISO 8601 timestamp of the publication

GET /api/analysis/<RUNID>

This endpoint is used to monitor on the analysis status of a sample.

Path parameters

Response status

200 The server has successfully served the request

Response payload

{
  "analysis": {
    "sha256": "1fabf660e05b2c86d594f1d1bd178c5a7f3b6a26690c3a435b12cba9d2925392",
    "status": "done"
  }
}

This endpoint returns a JSON object analysis with the following fields.

  • sha256: (string) The sha256 of the sample being analyzed

  • status: (string) The status of the analysis

Potential values for status

Status

Description

pending

The analysis hasn’t started yet

running

The analysis is ongoing

done

The analysis is done, you can check the sample report

failed

The analysis has failed

Example

Example of an analysis status check
curl 'X-Api-Key: API_KEY' https://exalyze.io/api/analysis/6dde6ae5-2444-4a36-abb4-a6d2595f3a6e

GET /sample/<SHA256>/download

This endpoint is used for downloading samples directly from the API.

Path parameters

  • SHA256 The SHA256 hash of the sample to download

Response status

200 The server has successfully served the request

GET /sample/<SHA256>/gen_yara

Path parameters

  • SHA256 The SHA256 hash identifying the sample

Response status

200 The server has successfully served the request

Response payload

This endpoint returns the raw YARA rule autogenerated for the given sample

rule auto_0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215 {
  meta:
      author = "Exalyze"
      date =   "2025-04-30"
      update =   "2025-04-30"
      description = "Rule autogenerated by Exalyze"
      score =   50
      tlp =  "GREEN"
      source =  "Exalyze"
      sample_hash = "0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215"
  strings:

      $str_001 = "exe.gsmfpn" ascii fullword
      $str_002 = "MSG|Folder_Not_Exist." ascii fullword
      $str_003 = "MSG|Lost_Socket!" ascii fullword
      $str_004 = "\\netlink.lnk" ascii fullword
      $str_005 = "MSG|Create_Fail." ascii fullword
      $str_006 = "MSG|Delete_Fail." ascii fullword
      $str_007 = "MSG|Directory is not Exist!" ascii fullword
      $str_008 = "MSG|Uninstall_OK." ascii fullword
      $str_009 = "exe.yartxobefas" ascii fullword
      $str_010 = "MSG|Kill_Proc_Fail! PID " ascii fullword
      $str_011 = "Pwww.dicemention.com" ascii fullword
      $str_012 = "MSG|Insert_Failed!" ascii fullword
      $str_013 = "MSG|Exist_Name_Please_Change." ascii fullword
      $str_014 = "MSG|Can not Found!" ascii fullword
      $str_015 = "MSG|Delete_Fail" ascii fullword
      $str_016 = "\\netlink.exe" ascii fullword
      $str_017 = "Comodo Firewall" ascii fullword
      $str_018 = "MS Sans Serif" ascii fullword

      $bin_001 = { 3b15????????75??292d????????012d????????833d1c???????? }
      $bin_002 = { ff8b????????52088b????????510c?? }
      $bin_003 = { 803dc4????????0f84????????33??5568???????? }
      $bin_004 = { 90833d1c????????7e??833d1c????????7d?? }
      $bin_005 = { c2????c38b??51803d4c???????? }
      $bin_006 = { c745e8????????8d85????????ba????????e8????????8d???? }
      $bin_007 = { 558b??83????f7??ff84c0???????? }
      $bin_008 = { 36e8????????400f84????????6a??89?? }
      $bin_009 = { 52088b????????510c??c703???????? }
      $bin_010 = { 89????ff05????????83????011d????????eb?? }

      condition:
        15 of ($str_*) or 10 of ($bin_*)
  }

Example:

Example yara generation with the API
curl -H'x-Api-Key: API_KEY' https://exalyze.io/api/sample/0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215/gen_yara