On this page, we detail our API interface for Malpedia as well as recommended ways to interact with it.
You have two ways to authenticate towards Malpedia when using the API:
In order to use the token, just add it to the Authorization field in your HTTP header, like so (e.g. when using curl): curl -H 'Authorization: apitoken <TOKEN>' https://malpedia.caad.fkie.fraunhofer.de/api/<API_CALL>
Pim Trouerbach wrote a very nice client for the Malpedia API in Go!
You can pull it from his Git repository: malpedia_cli.
Our own python package / client for Malpedia's REST API can be found here: malpediaclient.
GET /api/check/apikeyCheck if the submitted API-Key is valid.
GET /api/find/actor/<needle><needle> | Your search-string. |
|---|
Provide a list of all actor names and associated synonyms where a part of the name is matched.
Output is potentially subject to change and may include the responsible "name-creator" (e.g. "fireeye": "APT 28", "crowdstrike": "Fancy Bear", ...) in the future.
GET /api/find/family/<needle><needle> | Your search-string. |
|---|
Provide a list of all family names and associated synonyms where a part of the name is matched.
GET /api/get/actor/<actor_id><actor_id> | The ID of the actor you want to download the meta-data of. |
|---|
Provide the meta information for a given <actor_id>.
GET /api/get/actorsProvide meta data for all actors on Malpedia.
GET /api/get/bibProvide the .bib file containing all references of Malpedia.
GET /api/get/bib/actor/<actor_id>Provide the .bib file containing all references for a certain actor
GET /api/get/bib/family/<family_id>Provide the .bib file containing all references for a certain family
GET /api/get/familiesProvide meta data for all families on Malpedia.
GET /api/get/family/<family_id><family_id> | The ID of the family you want to get the meta-data of. |
|---|
Provide meta data for a single family.
GET /api/get/mispA current view of Malpedia in the MISP galaxy cluster format.
GET /api/get/referencesObtain all references including their corresponding families and actors on Malpedia.
GET /api/get/sample/<md5>/info<md5> | Hash of the sample you want to check. |
|---|
Provide info about presence and status of the sample without its contents
GET /api/get/sample/<md5>/raw<md5> | Hash of the sample you want to obtain. |
|---|
Provide the sample alongside potentially existing unpacked or dumped files.
GET /api/get/sample/<md5>/zip<md5> | Hash of the sample you want to obtain. |
|---|
Provide the sample alongside potentially existing unpacked or dumped files.
GET /api/get/sample/<sha256>/info<sha256> | Hash of the sample you want to check. |
|---|
Provide info about presence and status of the sample without its contents
GET /api/get/sample/<sha256>/raw<sha256> | Hash of the sample you want to obtain. |
|---|
Provide the sample alongside potentially existing unpacked or dumped files.
GET /api/get/sample/<sha256>/zip<sha256> | Hash of the sample you want to obtain. |
|---|
Provide the sample alongside potentially existing unpacked or dumped files.
GET /api/get/versionObtain the current version of Malpedia (commit number and date).
GET /api/get/yara/<family_id><family_id> | The ID of the family you want to get the yara-rules of. |
|---|
Provide the YARA rules for a given <family_id>.
Output may vary depending on access level (public = white, registration = green, amber).
GET /api/get/yara/<family_id>/zip<family_id> | The ID of the family you want to get the yara-rules of. |
|---|
Provide the YARA rules for a given <family_id> in a zip archive.
Output may vary depending on access level (public = white, registration = green, amber).
GET /api/get/yara/<tlp>/raw<tlp> | {tlp_white, tlp_green, tlp_amber} |
|---|
Provide all YARA rules with given TLP.
Output may vary depending on access level (public = white, registration = green, amber).
GET /api/get/yara/<tlp>/zip<tlp> | {tlp_white, tlp_green, tlp_amber} |
|---|
Provide all YARA rules with given TLP in a zip archive.
Output may vary depending on access level (public = white, registration = green, amber).
GET /api/get/yara/after/<date><date> | Date in the following format <yyyy-mm-dd>. |
|---|
Provide all YARA rules with a version newer than a specific date. Intended for users intending regular automated updates.
Output may vary depending on access level (public = white, registration = green, amber).
GET /api/get/yara/auto/rawProvide all automatically generated, code-based rules created using YARA-Signator.
GET /api/get/yara/auto/zipProvide all automatically generated, code-based rules created using YARA-Signator in a zip archive.
GET /api/list/actorsList all actor IDs. This is a helper command to enable follow commands involving actor data.
GET /api/list/apiscoutProvide a list of all non-zero ApiVector fingerprints that are currently on Malpedia.
GET /api/list/apiscout/csvProvide a list of all non-zero ApiVector fingerprints that are currently on Malpedia (in CSV format compatible with ApiScout).
GET /api/list/familiesList all family IDs. This is a helper command to enable follow up commands family data.
GET /api/list/samplesProvide a list of all samples on Malpedia for all families, including their packed status and version, if available.
GET /api/list/samples/<family_id><family_id> | The ID of the family you would like to list the samples of. |
|---|
Provide a list of all samples known for a family, including their packed status and version, if available.
GET /api/list/yaraProvide a list of all YARA rules in malpedia for all families.
Output may vary depending on access level (public = white, registration = green, amber).
POST /api/scan/apiscout<POST_Data> | compressed ApiVector as generated by ApiScout |
|---|
Scan a given ApiVector against Malpedia's Database of ApiVector Fingerprints.
POST /api/scan/yara/<family_id><POST_Data> | YARA rule in text format. |
|---|---|
<family_id> | The ID of the family you want the samples to be limited to. |
Have a YARA rule used to scan against all samples (packed, unpacked, dumped) of a given family currently contained in Malpedia.
The format of <yara_scan_report> is TBD.