10.3 Hash lookup with sandbox

Request

Value

Method

GET

URL

https://api.metadefender.com/v4/hash/:hash/sandbox

Summary

This endpoint retrieves the last dynamic analysis for the file identified by the hash parameter.

Request

URL Parameters

 

Description

Example

:hash

MD5, SHA1, or SHA256 of a file

511884530114A95F24461FBAD1014271FFE95A3DD7F39D4085E86AF7515A926D

Header Parameters

 

Description

Allowed Values

Required

apikey

Identifies and authorizes the user (API Authentication Mechanisms)

apikey

YES

Response

HTTP Status Codes

Please refer to Status Codes for more information.

Body

Example of a successful request:

Full sandbox analysis entry

{
"md5": "1E5CF9095D05553E7860020736538639",
"sha1": "1F20AE619063EC0647571BC7CBCFB2D07E3A4DA2",
"sha256": "511884530114A95F24461FBAD1014271FFE95A3DD7F39D4085E86AF7515A926D",
"data_id": "bzIxMDExMW5PNTdWY09xQXNSb085WkNLVA",
"request_time": "2021-04-07T08:12:17.123Z",
"browser": "os_default",
"timeout": "short",
"scan_results": {
"scan_all_result_a": "Infected",
"scan_all_result_i": 1,
"progress_percentage": 100,
"infection_score": 8
},
"system": "windows10",
"details": {
"procLabels": [
{
"name": "smss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 336,
"cmd": "\\SystemRoot\\System32\\smss.exe",
"image": "C:\\Windows\\System32\\smss.exe",
"kind": "Existing",
"time": 94,
"proc": 1
},
"n": "windows.proc.create"
},
{
"name": "csrss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 420,
"cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",
"image": "C:\\Windows\\system32\\csrss.exe",
"kind": "Existing",
"time": 94,
"proc": 2
},
"n": "windows.proc.create"
},
{
"name": "csrss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 492,
"cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",
"image": "C:\\Windows\\system32\\csrss.exe",
"kind": "Existing",
"time": 94,
"proc": 3
},
"n": "windows.proc.create"
}
],
"flowLabels": [
{
"d": {
"remote_port": "138",
"remote_addr": "10.0.0.255",
"local_port": "138",
"local_addr": "10.0.0.71",
"proto": "udp",
"time": 0,
"flow": 1
},
"n": "net.flow.start"
},
{
"d": {
"remote_port": "53",
"remote_addr": "8.8.8.8",
"local_port": "54089",
"local_addr": "10.0.0.71",
"proto": "udp",
"time": 3286,
"flow": 2
},
"n": "net.flow.start"
},
{
"d": {
"remote_port": "1900",
"remote_addr": "239.255.255.250",
"local_port": "54092",
"local_addr": "10.0.0.71",
"proto": "udp",
"time": 3991,
"flow": 3
},
"n": "net.flow.start"
}
],
"data": {
"search": [],
"mutex": [
{
"d": {
"status": 3221225524,
"op": "EventOpen",
"event": "HookSwitchHookEnabledEvent",
"proc": 66
},
"n": "windows.event"
},
{
"d": {
"status": 3221225524,
"op": "EventOpen",
"event": "HookSwitchHookEnabledEvent",
"proc": 70
},
"n": "windows.event"
},
{
"d": {
"status": 1073741824,
"op": "MutantCreate",
"mutant": "Local\\SessionImmersiveColorMutex",
"proc": 70
},
"n": "windows.mutant"
}
],
"processes": [
{
"name": "smss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 336,
"cmd": "\\SystemRoot\\System32\\smss.exe",
"image": "C:\\Windows\\System32\\smss.exe",
"kind": "Existing",
"time": 94,
"proc": 1
},
"n": "windows.proc.create"
},
{
"name": "csrss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 420,
"cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",
"image": "C:\\Windows\\system32\\csrss.exe",
"kind": "Existing",
"time": 94,
"proc": 2
},
"n": "windows.proc.create"
},
{
"name": "csrss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 492,
"cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16",
"image": "C:\\Windows\\system32\\csrss.exe",
"kind": "Existing",
"time": 94,
"proc": 3
},
"n": "windows.proc.create"
}
],
"misc": [
{
"d": {
"platform": "windows10_x64",
"resource": "win10x64_2",
"backend": "sandbox-production",
"task": "210407-jjjlm1rz7x-behavioral1",
"sample": "210407-jjjlm1rz7x",
"version": "0.2"
},
"n": "analog.header"
}
],
"network": [
{
"d": {
"flow": 2,
"time": 828,
"proc": 33
},
"n": "net.flow.proc"
},
{
"d": {
"flow": 3,
"time": 1531,
"proc": 71
},
"n": "net.flow.proc"
},
{
"d": {
"flow": 5,
"time": 1531,
"proc": 71
},
"n": "net.flow.proc"
}
],
"registry": [
{
"d": {
"path": "HKLM\\SOFTWARE\\Microsoft\\Wow64\\x86\\youtube_downloader_hd.exe",
"status": 3221225524,
"op": "QueryValueKey",
"proc": 66
},
"n": "windows.reg.read"
},
{
"d": {
"path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Compatibility32\\youtube_downloader_hd",
"status": 3221225524,
"op": "QueryValueKey",
"proc": 66
},
"n": "windows.reg.read"
},
{
"d": {
"path": "HKLM",
"status": 0,
"op": "QueryKey",
"proc": 66
},
"n": "windows.reg.read"
}
],
"files": [
{
"d": {
"status": 0,
"op": "Unknown",
"path": "C:\\Windows",
"proc": 66
},
"n": "windows.file.read"
},
{
"d": {
"status": 0,
"op": "OpenRead",
"path": "C:\\Windows",
"proc": 66
},
"n": "windows.file.read"
},
{
"d": {
"status": 0,
"op": "Unknown",
"path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\",
"proc": 66
},
"n": "windows.file.read"
}
]
}
},
"summary": {
"dumped": [
{
"kind": "3",
"name": "memory/196-0-0x0000000000000000-mapping.dmp",
"procid": 70,
"pid": 196,
"at": 875
},
{
"kind": "martian",
"name": "files/0x0005000000014927-1.dat",
"path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-LG89R.tmp\\youtube_downloader_hd.tmp",
"procid": 70,
"pid": 196,
"at": 906
}
],
"network": {},
"signatures": [
{
"indicators": [
{
"procid": 70,
"pid": 196
}
],
"score": 8,
"name": "Executes dropped EXE"
},
{
"indicators": [
{
"procid_target": 70,
"procid": 66,
"pid": 1776,
"description": "PID 1776 wrote to memory of 196"
}
],
"name": "Suspicious use of WriteProcessMemory"
}
],
"processes": [
{
"started": 235,
"orig": false,
"image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\youtube_downloader_hd.exe",
"cmd": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\youtube_downloader_hd.exe\"",
"ppid": 2996,
"pid": 1776,
"procid_parent": 55,
"procid": 66
},
{
"started": 750,
"orig": false,
"image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-LG89R.tmp\\youtube_downloader_hd.tmp",
"cmd": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-LG89R.tmp\\youtube_downloader_hd.tmp\" /SL5=\"$201F2,18793909,423424,C:\\Users\\Admin\\AppData\\Local\\Temp\\youtube_downloader_hd.exe\" ",
"ppid": 1776,
"pid": 196,
"procid_parent": 66,
"procid": 70
}
]
},
"sandbox_version": "2",
"sandbox_id": "606d69618104a46c24cc44e6",
"rescan_available": true
}

Example of a failed request:

{
"error": {
"code": 400064,
"messages": [
"The hash value is not valid"
]
}
}

Response description:

md5

The MD5 hash of the file

sha1

The SHA1 hash of the file

sha256

The SHA256 hash of the file

data_id

The generated id of the file

request_time

Timestamp when the dynamic analysis was initiated

browser

Browser used in the scanning process

timeout

Analysis timeout profile

system

The sandbox type used for analysis

scan_results.scan_all_result_a

A string status code of the analysis. Possible values: "No threat detected", "Infected", "Suspicious"

scan_results.scan_all_result_i

A numeric status code for the analysis (the numeric version of "scan_results.scan_all_result_a"). Possible values: 0, 1, 2

scan_results.progress_percentage

Shows the progress on the analysis (1-100).

scan_results.infection_score

A number from 1 to 10 indicating the estimated likelihood of infection:

  • 1: low probability of infection

  • 10: high probability of infection

details

Detailed analysis information

details.procLabels

Recorded processes detailed data

details.flowLabels

Recorded network flow detailed data

details.data

Detailed analysis information data

details.data.search

Detailed search activity

details.data.mutex

Detailed mutex activity

details.data.processes

Detailed processes activity

details.data.misc

Detailed miscellaneous activity

details.data.network

Detailed network activity

details.data.registry

Detailed registry key activity

details.data.files

Detailed filesystem activity

summary

A short reference of the analysis highlights

summary.dumped

A summary of the dumped data activity recorded by the sandbox

summary.network

A summary of the network activity recorded by the sandbox

summary.signatures

A summary of the signatures detected based on the behavior

summary.processes

A summary of the process activity recorded by the sandbox

summary.ttp

MITRE tactic, technique or procedure. See this reference.

sandbox_version

Version of the sandbox used

sandbox_id

The unique sandbox scan ID that can be used to retrieve this exact scan version

rescan_available

Whether a rescan request can be submitted

Errors

Please refer to Errors for more information.

Sample code (Node.js)

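// Sample: retrieve the most recent sandbox (dynamic analysis) report for a
// file hash. The API key is read from the APIKEY environment variable so it
// never has to be written into the source file.
var https = require("https");

// Node's https.request() rejects a missing/undefined header value, so fail
// early with a readable message instead of an ERR_HTTP_INVALID_HEADER_VALUE.
if (!process.env.APIKEY) {
  console.error("APIKEY environment variable is not set");
  process.exit(1);
}

var options = {
  "method": "GET",
  // hostname and path must be plain strings: https.request() throws on the
  // array-of-segments form that some API client tools export.
  "hostname": "api.metadefender.com",
  "path": "/v4/hash/AAA1C1CF2E78F64C0894EBC568B145039BB06DC3/sandbox",
  "headers": {
    "apikey": process.env.APIKEY
  }
};

var req = https.request(options, function (res) {
  var chunks = [];

  // Collect the body as raw Buffers; the response is only assembled once.
  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks);
    // A non-200 status carries the JSON error object shown under
    // "Example of a failed request"; route it to stderr so callers piping
    // stdout into a JSON consumer do not receive it as a report.
    if (res.statusCode !== 200) {
      console.error("HTTP " + res.statusCode + ": " + body.toString());
      return;
    }
    console.log(body.toString());
  });
});

// Without an 'error' listener a DNS, TLS or socket failure is an unhandled
// event and crashes the process with a stack trace instead of a message.
req.on("error", function (err) {
  console.error("Request failed: " + err.message);
});

req.end();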

Sample code (cURL)

# Retrieve the latest sandbox report for a hash; the API key is taken from the
# APIKEY environment variable rather than typed on the command line.
curl --request GET \
  --header "apikey: ${APIKEY}" \
  "https://api.metadefender.com/v4/hash/AAA1C1CF2E78F64C0894EBC568B145039BB06DC3/sandbox"