API Documentation

Basics

The API is exposed on the following base URL: https://exalyze.io/api/

Authentication

For authenticating with the API you must include the x-api-key header with your personal API key in all your requests.

Your API key can be found on your account page.

Warning

Keep your API key secure and don’t share it with other people.

Always use HTTPS instead of HTTP for making your requests.

HTTP Error codes

The API can emit the following HTTP error codes:

  • 429: Too many requests. This error code is emitted when you send too many requests to the API in a short time, or when you have exceeded your quota for the desired feature

  • 404: The desired endpoint was not found, or the sample does not exist

  • 400: One of the submitted parameters did not have a correct format

  • 401: The API key was invalid or not provided

  • 500: Something went wrong on our side; do not hesitate to report this bug to us.

API Endpoints

/push

This endpoint is used for uploading samples to analyze.

The samples to upload must be sent with a POST request using multipart/form-data encoding.

Note

The total upload size is currently limited to 25MB

Accepted parameters:

Return values:

The API returns a JSON list of dictionaries containing for each sample submitted the following elements:

  • filename: The filename used for the upload

  • report_url: The report URL, which can be used to access information about the sample once the analysis is completed

  • run_id: The analysis ID, which can be used in the Get Analysis status endpoint to get the status of the analysis

  • sha256: The SHA256 hash of the submitted sample

Example:

Example file uploading using curl
 curl -XPOST -H'X-Api-key: API_KEY' -F'file=@/PATH_TO_THE_FILE_TO_UPLOAD' 'https://exalyze.io/api/push?confidentiality=SENSITIVE'

 {
   "analyses": [
     {
       "filename": "Old2008-2010__0F77AF7FA673F5B3D36B926576002A1C_winhlp32.exe",
       "report_url": "http://localhost:5003/sample/e4b7fb80fe8a5b6462b00f82d7d9389fa7724e8449a0bdeef8607a4af3e03481/report",
       "run_id": "6dde6ae5-2444-4a36-abb4-a6d2595f3a6e",
       "sha256": "e4b7fb80fe8a5b6462b00f82d7d9389fa7724e8449a0bdeef8607a4af3e03481"
     }
   ]
 }
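
A client-side check around /push, as an added example that is not part of the original documentation: it enforces the upload limit before sending and confirms that the sha256 values in the response match the files hashed locally. Reading "25MB" as 25,000,000 bytes is an assumption, and the function names are hypothetical.

```python
import hashlib

MAX_UPLOAD_BYTES = 25 * 1000 * 1000  # assumption: "25MB" read as decimal megabytes

def preflight(paths, max_bytes=MAX_UPLOAD_BYTES):
    """Hash every file and enforce the total size limit before anything is sent.

    Returns {sha256_hex: path}; raises ValueError when the batch is too large.
    """
    total, digests = 0, {}
    for path in paths:
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
                total += len(chunk)
                if total > max_bytes:
                    raise ValueError(f"batch exceeds {max_bytes} bytes")
        digests[h.hexdigest()] = path
    return digests

def verify_push_response(digests, response):
    """Match the sha256 values returned by /push against the local ones.

    Accepts a bare list or the {"analyses": [...]} wrapper seen in the sample
    output. Returns ({path: run_id}, [problem, ...]).
    """
    entries = response.get("analyses", []) if isinstance(response, dict) else response
    run_ids, problems, seen = {}, [], set()
    for entry in entries:
        remote = str(entry.get("sha256", "")).lower()
        if remote in digests:
            run_ids[digests[remote]] = entry.get("run_id")
            seen.add(remote)
        else:
            problems.append(f"unexpected sha256 for {entry.get('filename')!r}: {remote}")
    problems += [f"no result for {digests[d]}" for d in digests if d not in seen]
    return run_ids, problems
```

A non-empty problem list means the service analyzed different bytes than the ones on disk, or skipped a file, so the run_id should not be trusted for that sample.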

/sample/<SHA256>/reanalyze

This endpoint is used for reanalyzing a sample from the API.

Accepted parameters:

  • SHA256 The SHA256 hash of the sample to reanalyze

Return values:

Same as the /push endpoint

/sample/<SHA256>

This endpoint is used for getting basic information about a sample.

Accepted parameters:

  • SHA256 The SHA256 hash of the sample

Return values:

A dictionary containing the following items about the sample:

  • md5: The sample MD5 hash

  • sha1: The sample SHA1 hash

  • sha256: The sample SHA256 hash

  • size: The sample size in bytes

  • bitness: The sample bitness (32 or 64)

  • imphash: The sample import hash when available

  • last_analysis_time: The last time the sample was analyzed

/analysis/<RUNID>

This endpoint is used to check on the analysis status of a sample.

Accepted parameters:

  • RUNID The unique identifier of the analysis, returned by the /push endpoint

Return values:

This endpoint returns a single dictionary containing a state key indicating the analysis status.

The possible statuses are the following:

  • 0: The analysis has not started yet

  • -1: The analysis has failed for some reason

  • 0x70000000: The analysis has completed successfully

  • Other values: The analysis is in progress

Example:

Example of an analysis status check
curl -XPOST -H'X-Api-key: API_KEY' https://exalyze.io/api/analysis/6dde6ae5-2444-4a36-abb4-a6d2595f3a6e

 {
   "state": "1879048192"
 }
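
A polling client for this endpoint, as an added example that is not part of the original documentation: it parses the state whether it arrives as a decimal string (as in the sample output above) or as a number, and backs off when the API answers 429. The function names and the EXALYZE_API_KEY variable are hypothetical.

```python
import json
import os
import sys
import time
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://exalyze.io/api"
STATE_DONE = 0x70000000  # 1879048192; the sample output carries it as a decimal string

def classify_state(raw):
    """Map a `state` value to 'pending', 'failed', 'done' or 'running'."""
    try:
        value = int(str(raw).strip(), 0)  # "1879048192", 1879048192, "0x70000000", "-1"
    except ValueError:
        raise ValueError(f"unparseable analysis state: {raw!r}") from None
    return {0: "pending", -1: "failed", STATE_DONE: "done"}.get(value, "running")

def fetch_state(run_id, api_key):
    """Query /analysis/<RUNID>, using POST as the page's curl example does."""
    url = f"{BASE_URL}/analysis/{urllib.parse.quote(run_id, safe='')}"
    req = urllib.request.Request(url, method="POST", headers={"x-api-key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["state"]

def wait_for_analysis(run_id, fetch, interval=10.0, timeout=1800.0, sleep=time.sleep):
    """Poll until the state is terminal; returns 'done', 'failed' or 'timeout'."""
    waited = 0.0
    while True:
        try:
            status = classify_state(fetch(run_id))
        except urllib.error.HTTPError as err:
            if err.code != 429:          # only rate limiting is retried
                raise
            status, interval = "running", interval * 2   # back off on 429
        if status in ("done", "failed"):
            return status
        if waited >= timeout:
            return "timeout"
        sleep(interval)
        waited += interval

if __name__ == "__main__":
    # EXALYZE_API_KEY is a hypothetical variable name; it keeps the key out of shell history.
    key = os.environ["EXALYZE_API_KEY"]
    print(wait_for_analysis(sys.argv[1], lambda rid: fetch_state(rid, key)))
```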

/sample/<SHA256>/download

This endpoint is used for downloading samples directly from the API.

Accepted parameters:

  • SHA256 The SHA256 hash of the sample to download

/sample/<SHA256>/similarity_matches

This endpoint will calculate the similarity of the sample identified by its SHA256 hash against all the samples currently in the database.

Accepted parameters:

  • SHA256 The SHA256 hash identifying the sample to match against the database

Return values:

This API endpoint returns a JSON dictionary containing a list of samples matching the selected binary.

Each of these results carries, for each algorithm, a value between 0 and 100, 0 being a non-match using the corresponding algorithm, and 100 being a complete match.

Note

There are currently two similarity matching algorithms available:

  • The entropy_diff is a proprietary algorithm based on structural entropy of the files

  • The machoc_match is a proprietary variant of the Machoc hash (See Similarity Analysis)

Example:

Example similarity matching using curl
curl -H'x-Api-key: API_KEY' https://exalyze.io/api/sample/c4016c7e0bac4e97ac4cdad81b26860c1167bba705f5de2010d0370ceb5ab4a2/similarity_matches

 {
 "results": [
     {
     "entropy_diff": 9,
     "machoc_match": 100,
     "sha256": "313eb939c93f408abe7663bfa69ab885c8ba7d36f2f9a4233fa8669c0e637869"
     },
     {
     "entropy_diff": 55,
     "machoc_match": 100,
     "sha256": "483c8261c40d8dfdb0f1b17c8b775f4f26d9b60bb6c3de503cc2894ef53cb4e0"
     },
     {
     "entropy_diff": 9,
     "machoc_match": 100,
     "sha256": "765af0d8f9e0e1d9b1729f55e34a2df56dc69704cada964ceb1beeda7f82c0f4"
     },
     {
     "entropy_diff": 9,
     "machoc_match": 100,
     "sha256": "fdc3975e8ee69d1aefbb2c27f84a2b4ae02ec98d430e6930b820259eba61ca43"
     }
 ]
 }

/sample/<SHA256>/gen_yara

Accepted parameters:

  • SHA256 The SHA256 hash identifying the sample

Return values:

This endpoint returns the raw YARA rule autogenerated for the given sample.

Example:

Example yara generation with the API
curl -H'x-Api-key: API_KEY' https://exalyze.io/api/sample/0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215/gen_yara

 rule auto_0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215 {
     meta:
         author = "Exalyze"
         date =   "2025-04-30"
         update =   "2025-04-30"
         description = "Rule autogenerated by Exalyze"
         score =   50
         tlp =  "GREEN"
         source =  "Exalyze"
         sample_hash = "0d219aa54b1d417da61bd4aed5eeb53d6cba91b3287d53186b21fed450248215"
     strings:

         $str_001 = "exe.gsmfpn" ascii fullword
         $str_002 = "MSG|Folder_Not_Exist." ascii fullword
         $str_003 = "MSG|Lost_Socket!" ascii fullword
         $str_004 = "\\netlink.lnk" ascii fullword
         $str_005 = "MSG|Create_Fail." ascii fullword
         $str_006 = "MSG|Delete_Fail." ascii fullword
         $str_007 = "MSG|Directory is not Exist!" ascii fullword
         $str_008 = "MSG|Uninstall_OK." ascii fullword
         $str_009 = "exe.yartxobefas" ascii fullword
         $str_010 = "MSG|Kill_Proc_Fail! PID " ascii fullword
         $str_011 = "Pwww.dicemention.com" ascii fullword
         $str_012 = "MSG|Insert_Failed!" ascii fullword
         $str_013 = "MSG|Exist_Name_Please_Change." ascii fullword
         $str_014 = "MSG|Can not Found!" ascii fullword
         $str_015 = "MSG|Delete_Fail" ascii fullword
         $str_016 = "\\netlink.exe" ascii fullword
         $str_017 = "Comodo Firewall" ascii fullword
         $str_018 = "MS Sans Serif" ascii fullword

         $bin_001 = { 3b15????????75??292d????????012d????????833d1c???????? }
         $bin_002 = { ff8b????????52088b????????510c?? }
         $bin_003 = { 803dc4????????0f84????????33??5568???????? }
         $bin_004 = { 90833d1c????????7e??833d1c????????7d?? }
         $bin_005 = { c2????c38b??51803d4c???????? }
         $bin_006 = { c745e8????????8d85????????ba????????e8????????8d???? }
         $bin_007 = { 558b??83????f7??ff84c0???????? }
         $bin_008 = { 36e8????????400f84????????6a??89?? }
         $bin_009 = { 52088b????????510c??c703???????? }
         $bin_010 = { 89????ff05????????83????011d????????eb?? }
     condition:
         15 of ($str_*) or 10 of ($bin_*)
 }