Kaspersky Threat Intelligence Portal

Looking up a hash


Kaspersky Threat Intelligence Portal provides an API for looking up a hash.

Request

Request method: GET

Endpoint: https://opentip.kaspersky.com/api/v1/search/hash

Query parameter: request—Hash that you want to investigate.

cURL command sample:

curl --request GET 'https://opentip.kaspersky.com/api/v1/search/hash?request=<hash>' --header 'x-api-key: <API token>'

Here, <hash> is the hash that you want to investigate (the value of the request query parameter), and <API token> is your API token, passed in the x-api-key header.

Responses

200 OK

Request processed successfully.

The endpoint returns a JSON object that contains the lookup results for the specified hash.

200 OK response parameters

Zone (string): Color of the zone that the hash belongs to. Available values:
    Red—The file can be classified as Malware.
    Yellow—The file is classified as Adware and other (Adware, Pornware, and other programs).
    Grey—No data or not enough information is available for the hash.
    Green—The file has the Clean or No threats detected status. The No threats detected status is applied if the file was not classified by Kaspersky, but it was previously scanned and/or analyzed, and no threats were detected at the time of the analysis.

FileGeneralInfo (object): General information about the requested hash. Contains the following fields:
    FileStatus (string): Status of the file requested by the hash (Malware, Adware and other, Clean, No threats detected, or Not categorized).
    Sha1 (string): SHA1 hash of the file requested by the hash.
    Md5 (string): MD5 hash of the file requested by the hash.
    Sha256 (string): SHA256 hash of the file requested by the hash.
    FirstSeen (string <date-time>): Date and time when the requested hash was detected by Kaspersky expert systems for the first time.
    LastSeen (string <date-time>): Date and time when the requested hash was detected by Kaspersky expert systems for the last time.
    Signer (string): Organization that signed the requested hash.
    Packer (string): Packer name (if available).
    Size (integer): Size of the object being investigated by the hash (in bytes).
    Type (string): Type of the object being investigated by the hash.
    HitsCount (integer): Number of hits (popularity) of the requested hash detected by Kaspersky expert systems. The number of hits is rounded to the nearest power of 10.

DetectionsInfo (array of objects): Information about detected objects. Each object contains the following fields:
    LastDetectDate (string <date-time>): Date and time when the object was last detected by Kaspersky expert systems.
    DescriptionUrl (string): Link to the detected object's description on the Kaspersky threats website (if available).
    Zone (string): Color of the zone that the detected object belongs to.
    DetectionName (string): Name of the detected object.
    DetectionMethod (string): Method used to detect the object.

DynamicAnalisysResults (object): Information about dynamic analysis results. Contains the following fields:
    Detections (array of objects): The number of detected objects with Malware (red) or Adware and other (yellow) statuses. Each object contains:
        Zone—Color of the zone of the detected object (Red or Yellow).
        Count—Number of objects that belong to the zone.
    SuspiciousActivities (array of objects): The number of suspicious activities with High (red), Medium (yellow), or Low (grey) levels. Each object contains:
        Zone—Color of the zone of the activity (Red, Yellow, or Grey).
        Count—Number of activities that belong to the zone.
    ExtractedFiles (array of objects): The number of files that were downloaded or dropped by the file during the execution process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no information about the extracted files is available, in grey). Each object contains:
        Zone—Color of the zone of the file (Red, Yellow, Green, or Grey).
        Count—Number of files that belong to the zone.
    NetworkActivities (array of objects): The number of registered network interactions that the file performed during the execution process, and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey). Each object contains:
        Zone—Color of the zone of the network activity (Red, Yellow, Green, or Grey).
        Count—Number of network activities that belong to the zone.
    DynamicDetections (array of objects): Detections related to the analyzed file. Each object contains:
        Zone—Color of the zone of the detected object (Red or Yellow).
        Threat—Number of detected objects that belong to the zone.
    TriggeredNetworkRules (array of objects): SNORT and Suricata rules triggered during analysis of traffic from the file. Each object contains:
        Zone—Color of the zone of the triggered rule (Red or Yellow).
        RuleName—Name of the triggered rule.

400 Bad Request

Request not processed: incorrect query.

Make sure you enter the correct parameter, and then try to run the query again.

401 Unauthorized

Request not processed: user authentication failed.

Make sure you enter the correct credentials, and then try to run the query again.

403 Forbidden

Request not processed: quota or request limit exceeded.

Check your quota and limitations, and try to run the query again later.

404 Not Found

Request not processed: requested object lookup results not found.

Make sure the specified object is correct, and then run the query again.
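An added example (not Kaspersky's own code) that ties together the request above, the 200 OK body and the documented error codes: a small Python client that validates the hash locally before spending a request, sends the same GET request as the cURL sample, maps each documented error status to the advice given on this page, and reduces a response to a triage summary. Everything except the documented endpoint, header and parameter names (the hint texts, function names, summary keys and the sample body) is an assumption constructed for this example.

```python
import json, re
import urllib.error, urllib.request
ENDPOINT = "https://opentip.kaspersky.com/api/v1/search/hash"
HEX_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}
STATUS_HINTS = {400: "incorrect query: check the request parameter",  # the page's advice per error code
                401: "authentication failed: check the x-api-key token",
                403: "quota or request limit exceeded: retry later",
                404: "no lookup results for this object"}

def validate_hash(value):
    """Lowercase hex of MD5/SHA1/SHA256 length only: a typo fails here, not as a 400 against the quota."""
    h = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HEX_LENGTHS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return h

def build_request(hash_value, api_token):
    """The same GET request as the documented cURL sample."""
    url = f"{ENDPOINT}?request={validate_hash(hash_value)}"
    return urllib.request.Request(url, headers={"x-api-key": api_token}, method="GET")

def lookup(hash_value, api_token):
    """Call the API (needs network access); map documented error codes to the page's advice."""
    try:
        with urllib.request.urlopen(build_request(hash_value, api_token), timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        raise RuntimeError(f"HTTP {err.code}: {STATUS_HINTS.get(err.code, err.reason)}") from None

def summarize(result):
    """Reduce a 200 OK body to what triage acts on. Grey means no data: report it as unknown, never clean."""
    verdicts = {"Red": "malware", "Yellow": "adware-or-other", "Green": "clean"}
    info = result.get("FileGeneralInfo") or {}
    dyn = result.get("DynamicAnalisysResults") or {}
    return {
        "verdict": verdicts.get(result.get("Zone"), "unknown"),
        "status": info.get("FileStatus"),
        "hits_approx": info.get("HitsCount"),  # the service rounds this to a power of 10
        "detections": sorted({d["DetectionName"] for d in result.get("DetectionsInfo") or []
                              if d.get("DetectionName")}),
        "network_rules": [r["RuleName"] for r in dyn.get("TriggeredNetworkRules") or []
                          if r.get("RuleName")],
    }

SAMPLE = {"Zone": "Red",  # constructed sample 200 OK body: documented shape, made-up values
          "FileGeneralInfo": {"FileStatus": "Malware", "HitsCount": 1000},
          "DetectionsInfo": [{"Zone": "Red", "DetectionName": "Constructed.Detection.Name"}],
          "DynamicAnalisysResults": {"TriggeredNetworkRules": [{"Zone": "Red", "RuleName": "Constructed rule"}]}}
```

Calling summarize(SAMPLE) yields a "malware" verdict with one detection name and one triggered network rule; lookup() performs the live request and raises with the matching hint on 400, 401, 403 or 404.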
