API Documentation

General Information

The API is exposed on the following base URL: https://exalyze.io/api/

Authentication

For authenticating with the API you must include the X-Api-Key header with your personal API key in all your requests.

Your API key can be found on your account page.

Warning

Keep your API key secure and don’t share it with other people.

Always use HTTPS instead of HTTP for making your requests.

Errors

The API emits a standardized payload in case of error.

{
  "error": {
    "code": "INVALID_FILTER",
    "description": "The query contains an invalid search filter",
    "details": {
      "reason": "FOO is not a valid sample type, supported values are PE or ELF"
    },
    "name": "Invalid search filter value",
    "request_id": "62db241d-c27b-4c6a-9d43-ad5c8b917bf7"
  }
}

It is composed by the following fields:

  • code (string) is a standardized error that is interpretable by a client.

  • description (string) is a human readable description of the error.

  • details (any) error dependant payload, providing detailed information on the error

  • name (string) human readable name of the error

  • request_id (string) an id that will help us to debug if you provide it

Error codes and HTTP Codes

The API can emit the following error codes, associated with HTTP status codes in case of error. Some HTTP endpoints can return domain specific error codes. Please refer to the endpoint documentation for details.

Error Code

HTTP Code

Description

BAD_REQUEST

400

General error indicating that the server was not able to understand the incoming request. For example, the Content-Encoding header is not set to application/json.

UNAUTHORIZED

401

General error indicating that either the request was not authenticated.

NOT_FOUND

404

General error indicating that the requested resource does not exist.

REQUEST_ENTITY_TOO_LARGE

413

General error indicating that request payloads exceeds the server limit.

UNPROCESSABLE_CONTENT

422

General error indicating that the server understood the request but was unable to perform it because of an invalid payload.

OUT_OF_QUOTA

429

Error indicating that the current user ran out of quota for the current feature.

INTRNAL_ERROR

500

General error indicates that the server encountered an unexpected error. Please contact us with the request_id if this happens too frequently.

API Endpoints

POST /api/sample/push

This endpoint is used for uploading samples to analyze.

Request payload

The samples to upload must be sent using multipart/form-data encoding and a POST method

Note

The total upload size is currently limited to 25MB

Query parameters

  • confidentiality: The confidentiality of the sample. Can be one of PUBLIC, SENSITIVE, CONFIDENTIAL, defaults to PUBLIC.

Response status

202 the server has scheduled the sample for analysis

Response payload

The API returns a JSON list of dictionaries containing for each sample submitted the following elements:

  • filename: The filename used for the upload

  • report_url: The report URL, which can be used to access information about the sample once the analysis is completed

  • run_id: The analysis ID, which can be used in the Get Analysis status endpoint to get the status of the analysis

  • sha256: The SHA256 hash of the submitted sample

{
  "analyses": [
    {
      "filename": "Old2008-2010__0F77AF7FA673F5B3D36B926576002A1C_winhlp32.exe",
      "report_url": "https://exalyze.io/sample/e4b7fb80fe8a5b6462b00f82d7d9389fa7724e8449a0bdeef8607a4af3e03481/report",
      "run_id": "6dde6ae5-2444-4a36-abb4-a6d2595f3a6e",
      "sha256": "e4b7fb80fe8a5b6462b00f82d7d9389fa7724e8449a0bdeef8607a4af3e03481"
    }
  ]
}

Example

Example file uploading using curl
 curl -H'X-Api-Key: API_KEY' -F'file=@/PATH_TO_THE_FILE_TO_UPLOAD' https://exalyze.io/api/sample/push?confidentiality=SENSITIVE

Error Codes

Error Code

HTTP Code

Description

MISSING_CONTACT_EMAIL

422

The current user account doesn’t have a contact email set, Happens when pushing with the SENSITIVE confidentiality

INVALID_CONFIDENTIALITY

422

The provided confidentiality is invalid, allowed values are PUBLIC, SENSITIVE and CONFIDENTIAL

POST /api/sample/search

This endpoint allows searching for samples.

Request payload

This endpoint expects the following JSON payload describing the search query.

⚠️The Content-Type header set to application/json is expected by the server

Example of a payload querying the second page of all the samples similar to the sample cbc54f8c60aa5ddaaaaba51a24e37e64fdaef8587e1da7b9de35fdbcda76de66, embedding the IP address 8.8.8.8 and having the suffix crosoft in its CompanyName.
{
  "page": 2,
  "filters": [
    {
      "type": "similar_to",
      "value": "cbc54f8c60aa5ddaaaaba51a24e37e64fdaef8587e1da7b9de35fdbcda76de66",
    },
    {
      "type": "ip",
      "value": "8.8.8.8",
    },
    {
      "type": "company_name",
      "value": "*crosoft",
    },

  ]
}

The root object is composed by the following attribute

  • page The page of results, default to 1. Only users with an active subscription can set a page > 1

  • filters An array of at least one filter objects

A filter objects is composed by the following fields.

  • type: The type of the filter

  • value: Value of the filter

Some filters expect exact values, others expect a pattern matching the value. Patterns are described using the * character representing one or more characters matching. For instance, either M*crosoft, *crosoft, microsoft and micro* match the value Microsoft

All the filters are combined using a logical AND

The following types of filters are available for all authenticated users

Filter Type

Description

*

Exact value of the sha256, sha1, md5, imphash or richhash hashes of the sample

md5

Exact value of the md5 hash of the sample

sha1

Exact value of the sha1 hash of the sample

sha256

Exact value of the sha256 hash of the sample

imphash

Exact value of the imphash of the sample

richhash

Exact value of the richhash of the sample

original_filename

(PE only) Pattern matching on OriginalFilename metadata of the sample

company_name

(PE only) Pattern matching on CompanyName metadata of the sample

file_description

(PE only) Pattern matching on FileDescription metadata of the sample

file_version

(PE only) Pattern matching on FileVersion metadata of the sample

internal_name

(PE only) Pattern matching on InternalName metadata of the sample

legal_copyright

(PE only) Pattern matching on LegalCopyright metadata of the sample

product_name

(PE only) Pattern matching on ProductName metadata of the sample

product_version

(PE only) Pattern matching on ProductVersion metadata of the sample

pdb

(PE only) Pattern matching on Pdb metadata of the sample

submit_filename

Pattern matching on the known filenames for a sample

ip

Exact value of an ipv4 address extracted from the sample

domain

Pattern matching on the extracted domains for a sample

url

Pattern matching on the extracted URLs for a sample

similar_to

Similar samples of the given sample (idientified by the SHA256) using Control Flow Graph similarity

size_below

Sample size below in bytes, supports the following units b, kb, mb

size_above

Sample size above in bytes, supports the following units b, kb, mb

functions_below

Analyzed functions count below

functions_above

Analyzed functions count above

type

Type of the sample, supported values are PE or ELF

bitness

Bitness of the sample, supported values are 32 or 64

max_capabilities_suspiciousness_below

Max capabilties suspiciousness score below

max_capabilities_suspiciousness_above

Max capabilties suspiciousness score above

with

Filter samples with a given flag. Allowed values are packed, capabilities, yaras, publications

without

Filter out samples with a given flag. Allowed values are packed, capabilities, yaras, publications

compiled_before

Samples compiled before ISO8601 timestamp

compiled_after

Samples compiled after ISO8601 timestamp

compiled_at

Samples compiled at ISO8601 timestamp

The following types of filters are available for all users with an active subscription

Filter Type

Description

yara

Pattern matching on the yara rule name matched by the sample

capa

Pattern matching on the capabilities name of the sample

publication

Pattern matching on a publication title

publication_url

Exact match on a the publication URL

Response status

200 The server has successfully executed the query

Response payload

{
  "matches": [
    {
      "bitness": 32,
      "entropy_match_score": 98,
      "first_submit_filename": "b8fb54330abf1c3fc6cf5096582851ae3d8345f91fc8260660b33ceaf4217e7f",
      "has_yara_matches": true,
      "last_analyzed_at": "2025-10-24T10:13:54.171891+00:00",
      "match_score": 100.0,
      "report_url": "http://localhost:5003/sample/b8fb54330abf1c3fc6cf5096582851ae3d8345f91fc8260660b33ceaf4217e7f/",
      "sha256": "b8fb54330abf1c3fc6cf5096582851ae3d8345f91fc8260660b33ceaf4217e7f",
      "type": "ELF",
      "max_capabilities_suspiciousness_score": 60,
      "is_packed": false
    },
    {
      "bitness": 32,
      "entropy_match_score": 99,
      "first_submit_filename": "a4d6fcd0b0852e7dd4b304a35a11b920fd51eab3a15ffc9c7f480bef479b5a73",
      "has_yara_matches": true,
      "last_analyzed_at": "2025-10-24T10:13:54.124456+00:00",
      "match_score": 100.0,
      "report_url": "http://localhost:5003/sample/a4d6fcd0b0852e7dd4b304a35a11b920fd51eab3a15ffc9c7f480bef479b5a73/",
      "sha256": "a4d6fcd0b0852e7dd4b304a35a11b920fd51eab3a15ffc9c7f480bef479b5a73",
      "type": "ELF"
      "max_capabilities_suspiciousness_score": 40,
      "is_packed": false,
      "has_publications": true
    },
  ],
  "meta": {
    "total_matches": 2
  }
}

The response payload is composed by a single JSON object carrying the following fields:

  • meta meta information on the result.

  • matches an array of sample matches objects. Maximum of 50 matches per page.

The meta objects embeds the following fields

  • total_matches the total matches of the query

A sample match object is composed by the following fields:

  • sha256 (string) Sha256 of the matched sample

  • first_submit_filename (string) First known filename of that sample

  • type (string) Type of the sample, ELF or PE

  • bitness (int) bitness of the matched sample, 32 or 64

  • last_analyzed_at (string) ISO 8601 timestamp of when the sample was analyzed for the last time.

  • has_yara_matches (boolean) Indicates if this sample matches any Yara rules in Exalyze

  • report_url (string) Link to the sample report in Exalyze

  • max_capabilities_suspiciousness_score (int) Score between 0-100 indicating the maximum suspiciousness score encountered in the sample capabilities

  • is_packed (bool) true if Exalyze considers that this sample is packed.

  • has_publications (bool) true if Exalyze knows about publications about this sample

  • labels (str[]) list of labels for the sample

  • tags (str[]) list of user tags for the sample

When the similar_to filter, two additional fields are appended

  • match_score (float) control flow graph similarity score, between 0 and 100.0, the higher the most similar

  • entropy_match_score (float) entropy map similarity score, between 0 and 100.0, the higher the most similar

Example

With the example query in a file on disk

Example sample search using curl
curl --header "X-Api-Key: API_KEY"  --json @QUERY_FILE_PATH https://exalyze.io/api/sample/search

Error Codes

Error Code

HTTP Code

Description

UNKNOWN_FILTER

422

The query contains one or multiple filters that the server doesn’t understand

UPGRADE_REQUIRED

422

The query contains one or mutliple filters that require an active subscription to be used

INVALID_QUERY

422

The query contains one or mutliple invalid statements, check the details for for more information

POST /api/sample/<HASH>/reanalyze

This endpoint is used for reanalyzing a sample from the API.

Path parameters

  • HASH The SHA256, MD5 or SHA1 hash of the sample to reanalyze

Response status

202 The server has scheduled the sample for analysis

Response payload

Same as the POST /api/sample/push endpoint

GET /api/sample/<HASH>

This endpoint is used for getting basic information about a sample

Path parameters

  • HASH The SHA256, MD5 or SHA1 hash of the sample to get

Response payload

{
  "meta": {
    "report_url": "http://localhost:5003/sample/8cd25f3890b83cca1983424be8866191f6cdc63006e9d7b84d97c333cb4d149a/"
  },
  "sample": {
    "bitness": 32,
    "capabilities": [
      {
        "description": "Can list running processes",
        "name": "process_list_01",
        "suspiciousness_score": 40
      },
      {
        "description": "Can remove a file",
        "name": "remove_file_01",
        "suspiciousness_score": 30
      },
      {
        "description": "Can copy a file",
        "name": "write_file_02",
        "suspiciousness_score": 30
      },
      {
        "description": "User temporary folder",
        "name": "temp_file_01",
        "suspiciousness_score": 30
      },
      {
        "description": "Can write a file",
        "name": "write_file_01",
        "suspiciousness_score": 30
      }
    ],
    "compilation_time": "2019-08-19T19:18:09+00:00",
    "domains": [],
    "dotnet": false,
    "first_submit_filename": "8cd25f3890b83cca1983424be8866191f6cdc63006e9d7b84d97c333cb4d149a",
    "has_premium_yara_matches": false,
    "imphash": "b83b4c7be0b1cdd8e117bba9096d9768",
    "is_packed": false,
    "ip_addresses": [
      {
        "address": "185.73.124.42",
        "type": "IPV4"
      }
    ],
    "last_analyzed_at": "2025-10-27T13:50:20.983752+00:00",
    "max_capabilities_suspiciousness_score": 40,
    "md5": "cc64f95a4208489ff4d7e00d84ef92c5",
    "mitre_tactics": [
      {
        "description": "Defense Evasion",
        "id": "TA0005",
        "techniques": [
          {
            "description": "Indicator Removal",
            "id": "T1070"
          }
        ]
      },
      {
        "description": "Discovery",
        "id": "TA0007",
        "techniques": [
          {
            "description": "Process Discovery",
            "id": "T1057"
          }
        ]
      }
    ],
    "richhash": "b6e6ba7d2ea099153201236a27b84bdd",
    "sha1": "7d8a4bf93e558db774ccf9054cfc72825df9e9cc",
    "sha256": "8cd25f3890b83cca1983424be8866191f6cdc63006e9d7b84d97c333cb4d149a",
    "size": 16384,
    "total_funcs": 130,
    "type": "PE",
    "urls": [],
    "has_publications": true,
    "publications":[
      {
        "title": "Example blog",
        "url": "https://example.com/blog"
      }
    ],
    "yara_matches": [
      {
        "author": "Felix Bilstein - yara-signator at cocacoding dot com",
        "date": "2024-10-31T00:00:00+00:00",
        "description": "autogenerated rule brought to you by yara-signator",
        "modified": "2024-11-11T00:00:00+00:00",
        "name": "MALPEDIA_Win_Systembc_Auto",
        "reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",
        "source_url": "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.systembc_auto.yar#L1-L120",
        "tags": [
          "FILE"
        ]
      },
      {
        "author": "Thomas Barabosch, Deutsche Telekom Security",
        "date": "2022-03-13T00:00:00+00:00",
        "description": "Detects unpacked SystemBC module",
        "modified": "2022-03-13T00:00:00+00:00",
        "name": "TELEKOM_SECURITY_Win_Systembc_20220311",
        "reference": "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
        "source_url": "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/systembc/systembc.yara#L1-L27",
        "tags": [
          "FILE"
        ]
      },
      {
        "author": "Heurs",
        "date": "2020-12-30T00:00:00+00:00",
        "description": "SystemBC backdoor",
        "modified": "2024-03-25T00:00:00+00:00",
        "name": "SystemBC_01",
        "source": "exatrack"
      }
    ]
  }
}

The response payload is JSON object containing the following attributes about the sample:

  • meta: Metadata object about the sample

  • sample: a JSON object representing the sample

The metadata object is composed by the following attributes

  • report_url: URL of the sample report view on Exalyze

The sample object is composed by the following attributes:

  • md5 The sample MD5 hash

  • sha1 The sample SHA1 hash

  • sha256 The sample SHA256 hash

  • size The sample size in bytes

  • bitness The sample bitness (32 or 64)

  • type The sample type (PE or ELF)

  • total_funcs The amount of functions detected in the sample

  • dotnet Set to true when Exalyze analyzed Dotnet functions, otherwise false

  • last_analyzed_at ISO 8601 timestamp of when the sample was analyzed for the last time

  • first_submit_filename The first public submission filename known to Exalyze

  • has_premium_yara_matches Set to true when the sample matches Exalyze premium Yara ruleset

  • is_packed true if Exalyze considers that this sample is packed.

  • richhash (PE Only) The sample rich hash when available

  • imphash (PE Only) The sample import hash when available

  • pdb (PE Only) The sample PDB extracted from the PE metadata

  • compilation_time (PE Only) The sample compilation time extracted from the PE metadata

  • original_filename (PE Only) The sample original filename extracted from the PE metadata

  • company_name (PE Only) The sample company name extracted from the PE metadata

  • file_description (PE Only) The sample file description extracted from the PE metadata

  • file_version (PE Only) The sample file version extracted from the PE metadata

  • internal_name (PE Only) The sample internal name extracted from the PE metadata

  • legal_copyright (PE Only) The sample legal copyright extracted from the PE metadata

  • product_name (PE Only) The sample product name extracted from the PE metadata

  • product_version (PE Only) The sample product version extracted from the PE metadata

  • max_capabilities_suspiciousness_score Score between 0-100 indicating the maximum suspiciousness score encountered in the sample capabilities

  • capabilities An array of objects describing the capabilities detected on this sample

    • name: The name of the capability

    • description: Human readable description of the capability

    • suspiciousness_score: Score between 0-100 indicating the capability suspiciousness

  • mitre_tactics An array of objects describing the ATT&CK tactics used by this sample

    • id The identifier of the tactic

    • description Human readable description of the tactic

    • techniques An array of objects containing the ATT&CK techniques detected on this sample

      • id The identifier of the technique

      • description human readable description of the technique

  • yara_matches An array of objects describing the Yara rules matched by this sample

    • name The name of the matched Yara rule

    • description Human readable description of the matched Yara rule

    • author Author of the matched Yara rule (when available)

    • source Text reference to the matched Yara rule source (when available)

    • source_url URL to the matched Yara rule source (when available)

    • license License of the matched Yara rule (when available)

    • license_url URL to the license of the matched Yara rule (when available)

    • tags An array of tags associated to the matched Yara rule (when available)

    • date ISO 8601 timestamp of the creation date of the matched Yara rule (when available)

    • modified ISO 8601 timestamp of the last modification date of the matched Yara rule (when available)

  • ip_addresses An array of objects representing the IP addresses extracted from this sample

    • type Type of the IP address IPV4 or IPV6

    • address Value of the IP address

  • urls An array of objects representing the URLs addresses extracted from this sample

    • url Value the URL

  • domains An array of objects representing the domains addresses extracted from this sample

    • domain Value the domain

  • has_publications Set to true if the sample has known publications

  • publications An array of object representing a publication refering to the sample

    • url URL of the publication

    • title Title of the publication

    • published_at: ISO 8601 timestamp of the publication

  • labels An array of string representing the sample labels

  • tags An array of string representing the sample tags set by the user

GET /api/analysis/<RUNID>

This endpoint is used to monitor on the analysis status of a sample.

Path parameters

Response status

200 The server has successfully served the request

Response payload

{
  "analysis": {
    "sha256": "1fabf660e05b2c86d594f1d1bd178c5a7f3b6a26690c3a435b12cba9d2925392",
    "status": "done"
  }
}

This endpoint returns a JSON object analysis with the following fields.

  • sha256: (string) The sha256 of the sample being analyzed

  • status: (string) The status of the analysis

Potential values for status

Status

Description

pending

The analysis hasn’t started yet

running

The analysis is ongoing

done

The analysis is done, you can check the sample report

failed

The analysis has failed

Example

Example of an analysis status check
curl 'X-Api-Key: API_KEY' https://exalyze.io/api/analysis/6dde6ae5-2444-4a36-abb4-a6d2595f3a6e

GET /sample/<HASH>/download

This endpoint is used for downloading samples directly from the API.

Path parameters

  • HASH The SHA256, MD5 or SHA1 hash of the sample to download

Response status

200 The server has successfully served the request

GET /sample/<HASH>/gen_yara

Path parameters

  • SHA256 The SHA256, MD5 or SHA1 hash identifying the sample

Response status

200 The server has successfully served the request

Response payload

This endpoint returns the raw YARA rule autogenerated for the given sample

rule auto_0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215 {
  meta:
      author = "Exalyze"
      date =   "2025-04-30"
      update =   "2025-04-30"
      description = "Rule autogenerated by Exalyze"
      score =   50
      tlp =  "GREEN"
      source =  "Exalyze"
      sample_hash = "0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215"
  strings:

      $str_001 = "exe.gsmfpn" ascii fullword
      $str_002 = "MSG|Folder_Not_Exist." ascii fullword
      $str_003 = "MSG|Lost_Socket!" ascii fullword
      $str_004 = "\\netlink.lnk" ascii fullword
      $str_005 = "MSG|Create_Fail." ascii fullword
      $str_006 = "MSG|Delete_Fail." ascii fullword
      $str_007 = "MSG|Directory is not Exist!" ascii fullword
      $str_008 = "MSG|Uninstall_OK." ascii fullword
      $str_009 = "exe.yartxobefas" ascii fullword
      $str_010 = "MSG|Kill_Proc_Fail! PID " ascii fullword
      $str_011 = "Pwww.dicemention.com" ascii fullword
      $str_012 = "MSG|Insert_Failed!" ascii fullword
      $str_013 = "MSG|Exist_Name_Please_Change." ascii fullword
      $str_014 = "MSG|Can not Found!" ascii fullword
      $str_015 = "MSG|Delete_Fail" ascii fullword
      $str_016 = "\\netlink.exe" ascii fullword
      $str_017 = "Comodo Firewall" ascii fullword
      $str_018 = "MS Sans Serif" ascii fullword

      $bin_001 = { 3b15????????75??292d????????012d????????833d1c???????? }
      $bin_002 = { ff8b????????52088b????????510c?? }
      $bin_003 = { 803dc4????????0f84????????33??5568???????? }
      $bin_004 = { 90833d1c????????7e??833d1c????????7d?? }
      $bin_005 = { c2????c38b??51803d4c???????? }
      $bin_006 = { c745e8????????8d85????????ba????????e8????????8d???? }
      $bin_007 = { 558b??83????f7??ff84c0???????? }
      $bin_008 = { 36e8????????400f84????????6a??89?? }
      $bin_009 = { 52088b????????510c??c703???????? }
      $bin_010 = { 89????ff05????????83????011d????????eb?? }

      condition:
        15 of ($str_*) or 10 of ($bin_*)
  }

Example:

Example yara generation with the API
curl -H 'X-Api-Key: API_KEY' https://exalyze.io/api/sample/0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215/gen_yara

POST /api/sample/<HASH>/functions

This endpoint is used to trigger a function matching for a specific sample. Function matching is the process of searching for similar functions for every function contained in the analyzed sample.

This search can take some amount of time, so this endpoint has to be used in conjunction with the GET endpoint on the same path to collect results. We recommend using polling for synchronisation.

This endpoint uses the Sample function matching quota, only if the search results in at least one significant match. It also doesn’t consume quota if you already had a result for the sample and you want to refresh the results.

Results are cached 30 days.

Path parameters

  • HASH The SHA256, MD5 or SHA1 hash of the sample to analyze

Response status

202 The server has scheduled the sample matching

Response payload

{
  "analysis": {
    "result": null,
    "sample_sha256": "7acb7ed2c8609d235d356a17058684fcf39beaa492f1369897ceeb7b71f5ff0a",
    "started_at": "2026-06-01T14:07:58.264013+00:00",
    "status": "running"
  }
}

The response payload is composed by a single JSON object carrying the following fields:

  • analysis information on the ongoing analysis.

An analysis object is composed by the following fields

  • result the result of the analysis, see the following paragraph

  • sample_sha256 The SHA256 of the sample sample being analyzed

  • started_at ISO 8601 timestamp of the start time of the analysis

  • finished_at ISO 8601 timestamp of the end time of the analysis

  • status the status of the analysis. Could be “pending”, “running”, “error” or “ready”. The result field is only set when status is ready.

The result object is a map of the analyzed sample function addresses (as base10 integers) to a list of sample function matches

A sample match is composed of the following fields

  • benign: true if the matched sample present in Exalyze’s benign sample dataset: this function is non significant and safe.

  • func: base10 integer of the address of the matched function in the matched sample

  • score: Similarity score between the searched function and the matched function (ranges from 0 to 100)

  • sha256: sha256 of the matched sample

  • is_packed: Is the matched sample packed

  • max_capas_score: highest capability score of the matched sample (ranges from 0 to 100)

  • publications: true if the matched sample has any pulications attached ot it

  • yaras: true if the matched sample matches any of Exalyze’s Yara rules

Example:

curl -XPOST -H 'X-Api-Key: API_KEY' https://exalyze.io/api/sample/0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215/functions

GET /api/sample/<HASH>/functions

This endpoint is used for getting basic information about a sample

Path parameters

  • HASH The SHA256, MD5 or SHA1 hash of the sample to reanalyze

Response status

200 The server has successfully executed the query

Response payload

Same as the Response payload of the POST endpoint

{
  "analysis": {
    "sample_sha256": "7acb7ed2c8609d235d356a17058684fcf39beaa492f1369897ceeb7b71f5ff0a",
    "started_at": "2026-06-01T14:07:58.264013+00:00",
    "finished_at": null,
    "status": "ready"
    "result": {
      "6442457168": [
        {
          "benign": true
        }
      ],
      "6442458656": [
        {
          "benign": false,
          "func": 6442573584,
          "is_packed": false,
          "max_capas_score": 40,
          "publications": false,
          "score": 83,
          "sha256": "9aea0a84e91d8dc08896ad55aafd4623de2329fed2201abb48b27d709be15fe4",
          "yaras": false
        }
      ]
    }
  }
}

Example:

curl -H 'X-Api-Key: API_KEY' https://exalyze.io/api/sample/0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215/functions

PATCH /api/sample/<HASH>/tags

This sample allows to edit user tags placed on a specific sample. Tags are shared for a group but aren’t visible to users outside of your group. It can be used to set the tags (this overrides the existing value, be careful) or to express a diff.

Tags:

  • Are case insensitive

  • Cannot be shorter than 3 characters

  • Cannot be longer than 50 characters

  • Cannot contain whitespaces characters

Path parameters

  • HASH The SHA256, MD5 or SHA1 hash of the sample to edit

Request payload

This endpoint expects the following JSON payload describing the modification.

The request payload is composed by a single JSON object carrying the following fields:

  • tags: (optional) an array of string representing the values to set

  • diff: (optional an object representing the diff to apply to the set of tags

The diff object is composed by the following fields

  • added: (optional) an array of string representing the values to add

  • removed: (optional) an array of string representing the values to remove

All those fields can be used in combination, even if this doesn’t make a lot of sense.

⚠️The Content-Type header set to application/json is expected by the server

Example of a payload setting the tags of a sample.
{
  "tags": ["Hello", "There"]
}
Example of a payload adding tags.
{
  "diff": {
    "added": ["Hello", "There"]
  }
}
Example of a payload removing tags.
{
  "diff": {
    "removed": ["Hello"]
  }
}

Response status

200 The server has successfully executed the query

Response payload

Updated sample tags

{
  "tags": ["hello", "there"]
}

Example:

curl -H 'X-Api-Key: API_KEY' --json @QUERY_FILE_PATH https://exalyze.io/api/sample/HASH/tags