API Documentation
General Information
The API is exposed on the following base URL: https://exalyze.io/api/
Authentication
For authenticating with the API you must include the X-Api-Key header with your personal API key in all your requests.
Your API key can be found on your account page.
Warning
Keep your API key secure and don’t share it with other people.
Always use HTTPS instead of HTTP for making your requests.
Errors
The API emits a standardized payload in case of error.
{
"error": {
"code": "INVALID_FILTER",
"description": "The query contains an invalid search filter",
"details": {
"reason": "FOO is not a valid sample type, supported values are PE or ELF"
},
"name": "Invalid search filter value",
"request_id": "62db241d-c27b-4c6a-9d43-ad5c8b917bf7"
}
}
It is composed by the following fields:
code(string) is a standardized error that is interpretable by a client.description(string) is a human readable description of the error.details(any) error dependant payload, providing detailed information on the errorname(string) human readable name of the errorrequest_id(string) an id that will help us to debug if you provide it
Error codes and HTTP Codes
The API can emit the following error codes, associated with HTTP status codes in case of error. Some HTTP endpoints can return domain specific error codes. Please refer to the endpoint documentation for details.
Error Code |
HTTP Code |
Description |
|---|---|---|
BAD_REQUEST |
400 |
General error indicating that the server was not able to understand the incoming request. For example, the |
UNAUTHORIZED |
401 |
General error indicating that either the request was not authenticated. |
NOT_FOUND |
404 |
General error indicating that the requested resource does not exist. |
REQUEST_ENTITY_TOO_LARGE |
413 |
General error indicating that request payloads exceeds the server limit. |
UNPROCESSABLE_CONTENT |
422 |
General error indicating that the server understood the request but was unable to perform it because of an invalid payload. |
OUT_OF_QUOTA |
429 |
Error indicating that the current user ran out of quota for the current feature. |
INTRNAL_ERROR |
500 |
General error indicates that the server encountered an unexpected error. Please contact us with the request_id if this happens too frequently. |
API Endpoints
POST /api/sample/push
This endpoint is used for uploading samples to analyze.
Request payload
The samples to upload must be sent using multipart/form-data encoding and a POST method
Note
The total upload size is currently limited to 25MB
Query parameters
confidentiality: The confidentiality of the sample. Can be one ofPUBLIC,SENSITIVE,CONFIDENTIAL, defaults toPUBLIC.
Response status
202 the server has scheduled the sample for analysis
Response payload
The API returns a JSON list of dictionaries containing for each sample submitted the following elements:
filename: The filename used for the uploadreport_url: The report URL, which can be used to access information about the sample once the analysis is completedrun_id: The analysis ID, which can be used in the Get Analysis status endpoint to get the status of the analysissha256: The SHA256 hash of the submitted sample
{
"analyses": [
{
"filename": "Old2008-2010__0F77AF7FA673F5B3D36B926576002A1C_winhlp32.exe",
"report_url": "https://exalyze.io/sample/e4b7fb80fe8a5b6462b00f82d7d9389fa7724e8449a0bdeef8607a4af3e03481/report",
"run_id": "6dde6ae5-2444-4a36-abb4-a6d2595f3a6e",
"sha256": "e4b7fb80fe8a5b6462b00f82d7d9389fa7724e8449a0bdeef8607a4af3e03481"
}
]
}
Example
curl -H'X-Api-Key: API_KEY' -F'file=@/PATH_TO_THE_FILE_TO_UPLOAD' https://exalyze.io/api/sample/push?confidentiality=SENSITIVE
Error Codes
Error Code |
HTTP Code |
Description |
|---|---|---|
MISSING_CONTACT_EMAIL |
422 |
The current user account doesn’t have a contact email set, Happens when pushing with the |
INVALID_CONFIDENTIALITY |
422 |
The provided confidentiality is invalid, allowed values are |
POST /api/sample/search
This endpoint allows searching for samples.
Request payload
This endpoint expects the following JSON payload describing the search query.
⚠️The Content-Type header set to application/json is expected by the server
{
"page": 2,
"filters": [
{
"type": "similar_to",
"value": "cbc54f8c60aa5ddaaaaba51a24e37e64fdaef8587e1da7b9de35fdbcda76de66",
},
{
"type": "ip",
"value": "8.8.8.8",
},
{
"type": "company_name",
"value": "*crosoft",
},
]
}
The root object is composed by the following attribute
pageThe page of results, default to 1. Only users with an active subscription can set a page > 1filtersAn array of at least one filter objects
A filter objects is composed by the following fields.
type: The type of the filtervalue: Value of the filter
Some filters expect exact values, others expect a pattern matching the value. Patterns are described using the * character representing one or more characters matching.
For instance, either M*crosoft, *crosoft, microsoft and micro* match the value Microsoft
All the filters are combined using a logical AND
The following types of filters are available for all authenticated users
Filter Type |
Description |
|---|---|
|
Exact value of the sha256, sha1, md5, imphash or richhash hashes of the sample |
|
Exact value of the md5 hash of the sample |
|
Exact value of the sha1 hash of the sample |
|
Exact value of the sha256 hash of the sample |
|
Exact value of the imphash of the sample |
|
Exact value of the richhash of the sample |
|
(PE only) Pattern matching on |
|
(PE only) Pattern matching on |
|
(PE only) Pattern matching on |
|
(PE only) Pattern matching on |
|
(PE only) Pattern matching on |
|
(PE only) Pattern matching on |
|
(PE only) Pattern matching on |
|
(PE only) Pattern matching on |
|
(PE only) Pattern matching on |
|
Pattern matching on the known filenames for a sample |
|
Exact value of an ipv4 address extracted from the sample |
|
Pattern matching on the extracted domains for a sample |
|
Pattern matching on the extracted URLs for a sample |
|
Similar samples of the given sample (idientified by the SHA256) using Control Flow Graph similarity |
|
Sample size below in bytes, supports the following units |
|
Sample size above in bytes, supports the following units |
|
Analyzed functions count below |
|
Analyzed functions count above |
|
Type of the sample, supported values are |
|
Bitness of the sample, supported values are |
|
Max capabilties suspiciousness score below |
|
Max capabilties suspiciousness score above |
|
Filter samples with a given flag. Allowed values are |
|
Filter out samples with a given flag. Allowed values are |
|
Samples compiled before ISO8601 timestamp |
|
Samples compiled after ISO8601 timestamp |
|
Samples compiled at ISO8601 timestamp |
The following types of filters are available for all users with an active subscription
Filter Type |
Description |
|---|---|
|
Pattern matching on the yara rule name matched by the sample |
|
Pattern matching on the capabilities name of the sample |
|
Pattern matching on a publication title |
|
Exact match on a the publication URL |
Response status
200 The server has successfully executed the query
Response payload
{
"matches": [
{
"bitness": 32,
"entropy_match_score": 98,
"first_submit_filename": "b8fb54330abf1c3fc6cf5096582851ae3d8345f91fc8260660b33ceaf4217e7f",
"has_yara_matches": true,
"last_analyzed_at": "2025-10-24T10:13:54.171891+00:00",
"match_score": 100.0,
"report_url": "http://localhost:5003/sample/b8fb54330abf1c3fc6cf5096582851ae3d8345f91fc8260660b33ceaf4217e7f/",
"sha256": "b8fb54330abf1c3fc6cf5096582851ae3d8345f91fc8260660b33ceaf4217e7f",
"type": "ELF",
"max_capabilities_suspiciousness_score": 60,
"is_packed": false
},
{
"bitness": 32,
"entropy_match_score": 99,
"first_submit_filename": "a4d6fcd0b0852e7dd4b304a35a11b920fd51eab3a15ffc9c7f480bef479b5a73",
"has_yara_matches": true,
"last_analyzed_at": "2025-10-24T10:13:54.124456+00:00",
"match_score": 100.0,
"report_url": "http://localhost:5003/sample/a4d6fcd0b0852e7dd4b304a35a11b920fd51eab3a15ffc9c7f480bef479b5a73/",
"sha256": "a4d6fcd0b0852e7dd4b304a35a11b920fd51eab3a15ffc9c7f480bef479b5a73",
"type": "ELF"
"max_capabilities_suspiciousness_score": 40,
"is_packed": false,
"has_publications": true
},
],
"meta": {
"total_matches": 2
}
}
The response payload is composed by a single JSON object carrying the following fields:
metameta information on the result.matchesan array of sample matches objects. Maximum of 50 matches per page.
The meta objects embeds the following fields
total_matchesthe total matches of the query
A sample match object is composed by the following fields:
sha256(string) Sha256 of the matched samplefirst_submit_filename(string) First known filename of that sampletype(string) Type of the sample,ELForPEbitness(int) bitness of the matched sample,32or64last_analyzed_at(string) ISO 8601 timestamp of when the sample was analyzed for the last time.has_yara_matches(boolean) Indicates if this sample matches any Yara rules in Exalyzereport_url(string) Link to the sample report in Exalyzemax_capabilities_suspiciousness_score(int) Score between 0-100 indicating the maximum suspiciousness score encountered in the sample capabilitiesis_packed(bool) true if Exalyze considers that this sample is packed.has_publications(bool) true if Exalyze knows about publications about this samplelabels(str[]) list of labels for the sampletags(str[]) list of user tags for the sample
When the similar_to filter, two additional fields are appended
match_score(float) control flow graph similarity score, between 0 and 100.0, the higher the most similarentropy_match_score(float) entropy map similarity score, between 0 and 100.0, the higher the most similar
Example
With the example query in a file on disk
curl --header "X-Api-Key: API_KEY" --json @QUERY_FILE_PATH https://exalyze.io/api/sample/search
Error Codes
Error Code |
HTTP Code |
Description |
|---|---|---|
UNKNOWN_FILTER |
422 |
The query contains one or multiple filters that the server doesn’t understand |
UPGRADE_REQUIRED |
422 |
The query contains one or mutliple filters that require an active subscription to be used |
INVALID_QUERY |
422 |
The query contains one or mutliple invalid statements, check the details for for more information |
POST /api/sample/<HASH>/reanalyze
This endpoint is used for reanalyzing a sample from the API.
Path parameters
HASHThe SHA256, MD5 or SHA1 hash of the sample to reanalyze
Response status
202 The server has scheduled the sample for analysis
Response payload
Same as the POST /api/sample/push endpoint
GET /api/sample/<HASH>
This endpoint is used for getting basic information about a sample
Path parameters
HASHThe SHA256, MD5 or SHA1 hash of the sample to get
Response payload
{
"meta": {
"report_url": "http://localhost:5003/sample/8cd25f3890b83cca1983424be8866191f6cdc63006e9d7b84d97c333cb4d149a/"
},
"sample": {
"bitness": 32,
"capabilities": [
{
"description": "Can list running processes",
"name": "process_list_01",
"suspiciousness_score": 40
},
{
"description": "Can remove a file",
"name": "remove_file_01",
"suspiciousness_score": 30
},
{
"description": "Can copy a file",
"name": "write_file_02",
"suspiciousness_score": 30
},
{
"description": "User temporary folder",
"name": "temp_file_01",
"suspiciousness_score": 30
},
{
"description": "Can write a file",
"name": "write_file_01",
"suspiciousness_score": 30
}
],
"compilation_time": "2019-08-19T19:18:09+00:00",
"domains": [],
"dotnet": false,
"first_submit_filename": "8cd25f3890b83cca1983424be8866191f6cdc63006e9d7b84d97c333cb4d149a",
"has_premium_yara_matches": false,
"imphash": "b83b4c7be0b1cdd8e117bba9096d9768",
"is_packed": false,
"ip_addresses": [
{
"address": "185.73.124.42",
"type": "IPV4"
}
],
"last_analyzed_at": "2025-10-27T13:50:20.983752+00:00",
"max_capabilities_suspiciousness_score": 40,
"md5": "cc64f95a4208489ff4d7e00d84ef92c5",
"mitre_tactics": [
{
"description": "Defense Evasion",
"id": "TA0005",
"techniques": [
{
"description": "Indicator Removal",
"id": "T1070"
}
]
},
{
"description": "Discovery",
"id": "TA0007",
"techniques": [
{
"description": "Process Discovery",
"id": "T1057"
}
]
}
],
"richhash": "b6e6ba7d2ea099153201236a27b84bdd",
"sha1": "7d8a4bf93e558db774ccf9054cfc72825df9e9cc",
"sha256": "8cd25f3890b83cca1983424be8866191f6cdc63006e9d7b84d97c333cb4d149a",
"size": 16384,
"total_funcs": 130,
"type": "PE",
"urls": [],
"has_publications": true,
"publications":[
{
"title": "Example blog",
"url": "https://example.com/blog"
}
],
"yara_matches": [
{
"author": "Felix Bilstein - yara-signator at cocacoding dot com",
"date": "2024-10-31T00:00:00+00:00",
"description": "autogenerated rule brought to you by yara-signator",
"modified": "2024-11-11T00:00:00+00:00",
"name": "MALPEDIA_Win_Systembc_Auto",
"reference": "https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc",
"source_url": "https://github.com/malpedia/signator-rules//blob/6558c417dcf07146b1309b6acde6be0aa96dea10/rules/win.systembc_auto.yar#L1-L120",
"tags": [
"FILE"
]
},
{
"author": "Thomas Barabosch, Deutsche Telekom Security",
"date": "2022-03-13T00:00:00+00:00",
"description": "Detects unpacked SystemBC module",
"modified": "2022-03-13T00:00:00+00:00",
"name": "TELEKOM_SECURITY_Win_Systembc_20220311",
"reference": "https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6",
"source_url": "https://github.com/telekom-security/malware_analysis//blob/bf832d97e8fd292ec5e095e35bde992a6462e71c/systembc/systembc.yara#L1-L27",
"tags": [
"FILE"
]
},
{
"author": "Heurs",
"date": "2020-12-30T00:00:00+00:00",
"description": "SystemBC backdoor",
"modified": "2024-03-25T00:00:00+00:00",
"name": "SystemBC_01",
"source": "exatrack"
}
]
}
}
The response payload is JSON object containing the following attributes about the sample:
meta: Metadata object about the samplesample: a JSON object representing the sample
The metadata object is composed by the following attributes
report_url: URL of the sample report view on Exalyze
The sample object is composed by the following attributes:
md5The sample MD5 hashsha1The sample SHA1 hashsha256The sample SHA256 hashsizeThe sample size in bytesbitnessThe sample bitness (32 or 64)typeThe sample type (PE or ELF)total_funcsThe amount of functions detected in the sampledotnetSet to true when Exalyze analyzed Dotnet functions, otherwise falselast_analyzed_atISO 8601 timestamp of when the sample was analyzed for the last timefirst_submit_filenameThe first public submission filename known to Exalyzehas_premium_yara_matchesSet to true when the sample matches Exalyze premium Yara rulesetis_packedtrue if Exalyze considers that this sample is packed.richhash(PE Only) The sample rich hash when availableimphash(PE Only) The sample import hash when availablepdb(PE Only) The sample PDB extracted from the PE metadatacompilation_time(PE Only) The sample compilation time extracted from the PE metadataoriginal_filename(PE Only) The sample original filename extracted from the PE metadatacompany_name(PE Only) The sample company name extracted from the PE metadatafile_description(PE Only) The sample file description extracted from the PE metadatafile_version(PE Only) The sample file version extracted from the PE metadatainternal_name(PE Only) The sample internal name extracted from the PE metadatalegal_copyright(PE Only) The sample legal copyright extracted from the PE metadataproduct_name(PE Only) The sample product name extracted from the PE metadataproduct_version(PE Only) The sample product version extracted from the PE metadatamax_capabilities_suspiciousness_scoreScore between 0-100 indicating the maximum suspiciousness score encountered in the sample capabilitiescapabilitiesAn array of objects describing the capabilities detected on this samplename: The name of the capabilitydescription: Human readable description of the capabilitysuspiciousness_score: Score between 0-100 indicating the capability suspiciousness
mitre_tacticsAn array of objects describing the ATT&CK tactics used by this sampleidThe identifier of the tacticdescriptionHuman readable description of the tactictechniquesAn array of objects containing the ATT&CK techniques detected on this sampleidThe identifier of the techniquedescriptionhuman readable description of the technique
yara_matchesAn array of objects describing the Yara rules matched by this samplenameThe name of the matched Yara ruledescriptionHuman readable description of the matched Yara ruleauthorAuthor of the matched Yara rule (when available)sourceText reference to the matched Yara rule source (when available)source_urlURL to the matched Yara rule source (when available)licenseLicense of the matched Yara rule (when available)license_urlURL to the license of the matched Yara rule (when available)tagsAn array of tags associated to the matched Yara rule (when available)dateISO 8601 timestamp of the creation date of the matched Yara rule (when available)modifiedISO 8601 timestamp of the last modification date of the matched Yara rule (when available)
ip_addressesAn array of objects representing the IP addresses extracted from this sampletypeType of the IP addressIPV4orIPV6addressValue of the IP address
urlsAn array of objects representing the URLs addresses extracted from this sampleurlValue the URL
domainsAn array of objects representing the domains addresses extracted from this sampledomainValue the domain
has_publicationsSet to true if the sample has known publicationspublicationsAn array of object representing a publication refering to the sampleurlURL of the publicationtitleTitle of the publicationpublished_at: ISO 8601 timestamp of the publication
labelsAn array of string representing the sample labelstagsAn array of string representing the sample tags set by the user
GET /api/analysis/<RUNID>
This endpoint is used to monitor on the analysis status of a sample.
Path parameters
RUNIDThe unique identifier of the analysis, returned by the POST /api/sample/push endpoint
Response status
200 The server has successfully served the request
Response payload
{
"analysis": {
"sha256": "1fabf660e05b2c86d594f1d1bd178c5a7f3b6a26690c3a435b12cba9d2925392",
"status": "done"
}
}
This endpoint returns a JSON object analysis with the following fields.
sha256: (string) The sha256 of the sample being analyzedstatus: (string) The status of the analysis
Potential values for status
Status |
Description |
|---|---|
|
The analysis hasn’t started yet |
|
The analysis is ongoing |
|
The analysis is done, you can check the sample report |
|
The analysis has failed |
Example
curl 'X-Api-Key: API_KEY' https://exalyze.io/api/analysis/6dde6ae5-2444-4a36-abb4-a6d2595f3a6e
GET /sample/<HASH>/download
This endpoint is used for downloading samples directly from the API.
Path parameters
HASHThe SHA256, MD5 or SHA1 hash of the sample to download
Response status
200 The server has successfully served the request
GET /sample/<HASH>/gen_yara
Path parameters
SHA256The SHA256, MD5 or SHA1 hash identifying the sample
Response status
200 The server has successfully served the request
Response payload
This endpoint returns the raw YARA rule autogenerated for the given sample
rule auto_0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215 {
meta:
author = "Exalyze"
date = "2025-04-30"
update = "2025-04-30"
description = "Rule autogenerated by Exalyze"
score = 50
tlp = "GREEN"
source = "Exalyze"
sample_hash = "0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215"
strings:
$str_001 = "exe.gsmfpn" ascii fullword
$str_002 = "MSG|Folder_Not_Exist." ascii fullword
$str_003 = "MSG|Lost_Socket!" ascii fullword
$str_004 = "\\netlink.lnk" ascii fullword
$str_005 = "MSG|Create_Fail." ascii fullword
$str_006 = "MSG|Delete_Fail." ascii fullword
$str_007 = "MSG|Directory is not Exist!" ascii fullword
$str_008 = "MSG|Uninstall_OK." ascii fullword
$str_009 = "exe.yartxobefas" ascii fullword
$str_010 = "MSG|Kill_Proc_Fail! PID " ascii fullword
$str_011 = "Pwww.dicemention.com" ascii fullword
$str_012 = "MSG|Insert_Failed!" ascii fullword
$str_013 = "MSG|Exist_Name_Please_Change." ascii fullword
$str_014 = "MSG|Can not Found!" ascii fullword
$str_015 = "MSG|Delete_Fail" ascii fullword
$str_016 = "\\netlink.exe" ascii fullword
$str_017 = "Comodo Firewall" ascii fullword
$str_018 = "MS Sans Serif" ascii fullword
$bin_001 = { 3b15????????75??292d????????012d????????833d1c???????? }
$bin_002 = { ff8b????????52088b????????510c?? }
$bin_003 = { 803dc4????????0f84????????33??5568???????? }
$bin_004 = { 90833d1c????????7e??833d1c????????7d?? }
$bin_005 = { c2????c38b??51803d4c???????? }
$bin_006 = { c745e8????????8d85????????ba????????e8????????8d???? }
$bin_007 = { 558b??83????f7??ff84c0???????? }
$bin_008 = { 36e8????????400f84????????6a??89?? }
$bin_009 = { 52088b????????510c??c703???????? }
$bin_010 = { 89????ff05????????83????011d????????eb?? }
condition:
15 of ($str_*) or 10 of ($bin_*)
}
Example:
curl -H 'X-Api-Key: API_KEY' https://exalyze.io/api/sample/0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215/gen_yara
POST /api/sample/<HASH>/functions
This endpoint is used to trigger a function matching for a specific sample. Function matching is the process of searching for similar functions for every function contained in the analyzed sample.
This search can take some amount of time, so this endpoint has to be used in conjunction with the GET endpoint on the same path to collect results. We recommend using polling for synchronisation.
This endpoint uses the Sample function matching quota, only if the search results in at least one significant match. It also doesn’t consume quota if you already had a result for the sample and you want to refresh the results.
Results are cached 30 days.
Path parameters
HASHThe SHA256, MD5 or SHA1 hash of the sample to analyze
Response status
202 The server has scheduled the sample matching
Response payload
{
"analysis": {
"result": null,
"sample_sha256": "7acb7ed2c8609d235d356a17058684fcf39beaa492f1369897ceeb7b71f5ff0a",
"started_at": "2026-06-01T14:07:58.264013+00:00",
"status": "running"
}
}
The response payload is composed by a single JSON object carrying the following fields:
analysisinformation on the ongoing analysis.
An analysis object is composed by the following fields
resultthe result of the analysis, see the following paragraphsample_sha256The SHA256 of the sample sample being analyzedstarted_atISO 8601 timestamp of the start time of the analysisfinished_atISO 8601 timestamp of the end time of the analysisstatusthe status of the analysis. Could be “pending”, “running”, “error” or “ready”. Theresultfield is only set whenstatusisready.
The result object is a map of the analyzed sample function addresses (as base10 integers) to a list of sample function matches
A sample match is composed of the following fields
benign: true if the matched sample present in Exalyze’s benign sample dataset: this function is non significant and safe.func: base10 integer of the address of the matched function in the matched samplescore: Similarity score between the searched function and the matched function (ranges from 0 to 100)sha256: sha256 of the matched sampleis_packed: Is the matched sample packedmax_capas_score: highest capability score of the matched sample (ranges from 0 to 100)publications: true if the matched sample has any pulications attached ot ityaras: true if the matched sample matches any of Exalyze’s Yara rules
Example:
curl -XPOST -H 'X-Api-Key: API_KEY' https://exalyze.io/api/sample/0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215/functions
GET /api/sample/<HASH>/functions
This endpoint is used for getting basic information about a sample
Path parameters
HASHThe SHA256, MD5 or SHA1 hash of the sample to reanalyze
Response status
200 The server has successfully executed the query
Response payload
Same as the Response payload of the POST endpoint
{
"analysis": {
"sample_sha256": "7acb7ed2c8609d235d356a17058684fcf39beaa492f1369897ceeb7b71f5ff0a",
"started_at": "2026-06-01T14:07:58.264013+00:00",
"finished_at": null,
"status": "ready"
"result": {
"6442457168": [
{
"benign": true
}
],
"6442458656": [
{
"benign": false,
"func": 6442573584,
"is_packed": false,
"max_capas_score": 40,
"publications": false,
"score": 83,
"sha256": "9aea0a84e91d8dc08896ad55aafd4623de2329fed2201abb48b27d709be15fe4",
"yaras": false
}
]
}
}
}
Example:
curl -H 'X-Api-Key: API_KEY' https://exalyze.io/api/sample/0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215/functions