curl --request POST \
--url https://api.threatbook.io/v2/file/query
{
"response_code": 200,
"msg": "Success",
"multiengines": {
"result": {
"IKARUS": "safe",
"vbwebshell": "safe",
"Avast": "Win32:Fareit-CW",
"Avira": "Worm/Gamarue.ioemn",
"Sophos": "safe",
"K7": "EmailWorm ( 0040f1211 )",
"Rising": "safe",
"Kaspersky": "Trojan-Ransom.Win32.PornoAsset.cpbb",
"Panda": "Trj/Genetic.gen",
"Baidu-China": "Win32.Trojan.WisdomEyes.151026.9950.9999",
"NANO": "safe",
"Antiy": "Trojan[Downloader]/Win32.Wauchos",
"AVG": "Win32:Fareit-CW",
"Baidu": "safe",
"DrWeb": "safe",
"GDATA": "Gen:Variant.Sirefef.2107",
"Microsoft": "TrojanDropper:Win32/Gamarue.C",
"Qihu360": "Win32/Botnet.Andromeda.HxQBeV0A",
"ESET": "safe",
"ClamAV": "safe",
"JiangMin": "Trojan/PornoAsset.plh",
"Trustlook": "safe",
"MicroAPT": "safe",
"OneAV": "safe",
"OneStatic": "safe",
"MicroNonPE": "safe",
"OneAV-PWSH": "safe",
"ShellPub": "safe"
},
"scan_time": "2025-10-15 07:37:59",
"detect_rate": "12/28"
},
"summary": {
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"md5": "b102cd8c3a882636a4ec337a9344a3a6",
"scenes": [],
"tag": {
"s": [
"exe",
"lang_english"
],
"x": [
"Trojan",
"PornoAsset"
]
},
"file_size": 64000,
"is_whitelist": false,
"malware_type": "Trojan",
"malware_family": "PornoAsset",
"sandbox_type_list": [
"win10_1903_enx64_office2016"
],
"threat_level": "malicious",
"submit_time": "2025-08-24 15:00:58",
"last_detection_time": "2025-10-15 15:37:59",
"file_name": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"file_type": "EXEx86",
"sample_sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"threat_score": 90,
"sandbox_type": "win10_1903_enx64_office2016",
"multi_engines": "12/28"
},
"signature": [
{
"severity": 1,
"gray": false,
"references": [],
"sig_class": "Network Related",
"name": "network_http",
"description": "{\"en\": \"Performs some HTTP requests\", \"cn\": \"样本发起了HTTP请求\"}",
"markcount": 5,
"marks": [
{
"type": "generic",
"generic": {
"host": "anam0rph.su",
"request": "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
},
{
"type": "generic",
"generic": {
"host": "bdcrqgonzmwuehky.nl",
"request": "POST /in.php HTTP/1.1\r\nHost: bdcrqgonzmwuehky.nl\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
},
{
"type": "generic",
"generic": {
"host": "somicrososoft.ru",
"request": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
}
],
"families": [],
"attck_id": "",
"attck_info": {}
},
{
"severity": 1,
"gray": false,
"references": [],
"sig_class": "Environment Awareness",
"name": "read_active_computer_name",
"description": "{\"en\": \"Reads the active computer name\", \"cn\": \"读取计算机名称\"}",
"markcount": 1,
"marks": [
{
"type": "ioc",
"ioc": {
"pid": [
6968
],
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName"
}
}
],
"families": [],
"attck_id": "T1087",
"attck_info": {
"Contributors": "Travis Smith, Tripwire",
"title": "Account Discovery",
"Permissions Required": "User",
"Platform": "Linux, macOS, Windows",
"Data Sources": "API monitoring, Process command-line parameters, Process monitoring",
"Tactic": "Discovery",
"CAPEC ID": "CAPEC-575",
"ID": "T1087"
}
},
{
"severity": 3,
"gray": false,
"references": [],
"sig_class": "Malware behavior",
"name": "suspicious_pe_in_memory",
"description": "{\"en\": \"Detected PE file in memory\", \"cn\": \"在内存中检测到PE文件\"}",
"markcount": 3,
"marks": [
{
"type": "generic",
"generic": {
"virtual_address": "0x3970000",
"size": 64512,
"memory_type": "PE",
"pid": 5612,
"process_path": "C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
}
},
{
"type": "generic",
"generic": {
"virtual_address": "0x3ae0000",
"size": 1688,
"memory_type": "shellcode",
"pid": 5612,
"process_path": "C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
}
},
{
"type": "generic",
"generic": {
"virtual_address": "0x6c70000",
"size": 14710,
"memory_type": "shellcode",
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe"
}
}
],
"families": [],
"attck_id": "",
"attck_info": {}
}
],
"static": {
"details": {
"pe_version_info": [],
"pe_sections": [
{
"name": ".text",
"virtual_address": "0x00001000",
"virtual_size": "0x0000518e",
"size_of_data": "0x00005200",
"pointer_to_rawdata": "0x00000400",
"hash": "e6f69cb384e70bf825dcbeb133e0dbbc",
"SectionPermission": "R-E",
"entropy": 6.892130502363175
},
{
"name": ".reloc",
"virtual_address": "0x00014000",
"virtual_size": "0x00001da5",
"size_of_data": "0x00001e00",
"pointer_to_rawdata": "0x0000dc00",
"hash": "3c89baa0cc859837bb9ac8917b6058d7",
"SectionPermission": "RW-",
"entropy": 6.966489345591115
}
],
"pe_signatures": {
"product": "n/a",
"verified": "Unsigned",
"description": "n/a"
},
"pe_imports": [
{
"dll": "SHLWAPI.dll",
"imports": [
{
"address": "0x40e000",
"name": "PathIsURLW"
},
{
"address": "0x40e004",
"name": "PathGetDriveNumberA"
},
{
"address": "0x40e008",
"name": "PathIsRelativeA"
}
]
},
{
"dll": "KERNEL32.dll",
"imports": [
{
"address": "0x40e020",
"name": "lstrcpyW"
}
]
}
],
"pe_resources": [
{
"name": "RT_ICON",
"offset": "0x00013160",
"size": "0x00000128",
"filetype": "GLS_BINARY_LSB_FIRST",
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US"
},
{
"name": "RT_GROUP_ICON",
"offset": "0x00013728",
"size": "0x00000092",
"filetype": "data",
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US"
}
],
"tag": [],
"pe_basic": {
"tls_info": {},
"import_hash": "540cba6657a101cb43bb9f60920f4768",
"peid": [
"filetype: PE32",
"arch: I386",
"mode: 32",
"endianess: LE",
"type: GUI",
"compiler: Microsoft Visual C/C++(2008 SP1)[-]",
"linker: Microsoft Linker(9.0)[GUI32]"
],
"time_stamp": "2012-10-09 09:11:58",
"entry_point_section": ".text",
"image_base": "0x400000",
"entry_point": "0x4505"
},
"pe_detect": {
"find_crypt": {},
"urls": []
},
"pe_exports": [
{
"address": "0x401b28",
"name": "FirstMagnitudE",
"ordinal": 1
},
{
"address": "0x40446f",
"name": "?SecondMagni@@YGEUCOMMANDLINE094@@WE",
"ordinal": 2
}
]
},
"basic": {
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"file_name": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"ssdeep": "768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw",
"file_size": 64000,
"md5": "b102cd8c3a882636a4ec337a9344a3a6"
}
},
"pstree": {
"children": [
{
"pid": 5612,
"ppid": 3832,
"process_name": "6feb4d.exe",
"command_line": "\"C:\\Users\\Administrator\\Desktop\\6feb4d.exe\" ",
"argument_vector": [
"C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
],
"first_seen": 1756047699918.287,
"children": [
{
"pid": 6968,
"ppid": 5612,
"process_name": "svchost.exe",
"command_line": "C:\\Windows\\syswow64\\svchost.exe",
"argument_vector": [
"C:\\Windows\\syswow64\\svchost.exe"
],
"first_seen": 1756047703968.084,
"children": [],
"track": true
}
],
"track": true
}
],
"process_name": {
"en": "Analysed 2 processes in total",
"cn": "共分析了2个进程"
}
},
"network": {
"mitm": [],
"tcp": [
{
"src": "100.64.8.14",
"sport": 49723,
"dst": "50.16.27.236",
"dport": 80,
"offset": 144133,
"time": 19.677597045898438,
"ppid": 5612,
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"process_name": "svchost.exe"
},
{
"src": "100.64.8.14",
"sport": 49726,
"dst": "176.58.104.168",
"dport": 80,
"offset": 153964,
"time": 21.888036012649536,
"ppid": 5612,
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"process_name": "svchost.exe"
}
],
"udp": [],
"icmp": [],
"http": [
{
"count": 3,
"host": "anam0rph.su",
"port": 80,
"data": "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n",
"uri": "/in.php",
"body": "",
"path": "/in.php",
"url": "http://anam0rph.su/in.php",
"user-agent": "Mozilla/4.0",
"version": "1.1",
"method": "POST"
},
{
"count": 3,
"host": "somicrososoft.ru",
"port": 80,
"data": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n",
"uri": "/in.php",
"body": "",
"path": "/in.php",
"url": "http://somicrososoft.ru/in.php",
"user-agent": "Mozilla/4.0",
"version": "1.1",
"method": "POST"
}
],
"tls": [],
"dns": [
{
"request": "somicrososoft.ru",
"type": "A",
"answers": [
{
"type": "A",
"data": "3.229.117.57",
"time": 22.89440417289734
},
{
"type": "A",
"data": "3.229.117.57",
"time": 43.141231060028076
},
{
"type": "A",
"data": "3.229.117.57",
"time": 62.58969497680664
}
],
"time": 22.542392015457153
}
],
"smtp": [],
"irc": [],
"irc_ex": [],
"dns_servers": [
"223.5.5.5",
"8.8.4.4"
],
"fingerprint": [],
"tcp_ex": [
{
"src": "100.64.8.14",
"dst": "50.16.27.236",
"sport": 49723,
"dport": 80,
"proto": 6,
"time": 19.677597045898438,
"tcp_detail": [
{
"time": 19.677597045898438,
"type": "request",
"size": 241,
"sha256": "fe7525bf77fe49345f26413e8ba8824834beae6d5984ece4f4c581a3df99bf74"
},
{
"time": 19.677597045898438,
"type": "response",
"size": 149,
"sha256": "ea4600ec90525266d9f4458351d0c971ccda17162400a7765c8293700c829a15"
}
],
"proc_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"proc_name": "svchost.exe",
"pid": 6968
},
{
"src": "100.64.8.14",
"dst": "3.229.117.57",
"sport": 49742,
"dport": 80,
"proto": 6,
"time": 62.59141516685486,
"tcp_detail": [
{
"time": 62.59141516685486,
"type": "request",
"size": 246,
"sha256": "e2bfffd5c77cd0f552d6969942a18676874e55774da0c94f9461c37e921d1826"
},
{
"time": 62.59141516685486,
"type": "response",
"size": 149,
"sha256": "45ca865eba2b31cd28ca8bfe44fa6c4a16f25bd92e520a1761701a75270c34ac"
}
],
"proc_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"proc_name": "svchost.exe",
"pid": 6968
}
],
"smtp_ex": [],
"http_ex": [
{
"time": 23.122490167617798,
"src": "100.64.8.14",
"sport": 49727,
"dst": "3.229.117.57",
"dport": 80,
"protocol": "http",
"method": "POST",
"host": "somicrososoft.ru",
"uri": "/in.php",
"url": "http://somicrososoft.ru/in.php",
"status": 200,
"request": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"response": "HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 24 Aug 2025 15:01:49 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 0\r\nConnection: close",
"req": {
"file_info": {
"name": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862",
"size": 84,
"crc32": "84E1BCE3",
"md5": "2fad74b4750ec31092830231e76a6c3f",
"sha1": "d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f",
"sha256": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862",
"sha512": "c797da42edae157cc27c6d274023a17cd23ffc139705e97f06a3cae6cd74f9b61aa23de2bbc5c985dfea610c787f3e70d4f594f3f8b19a3b3a9dd8b60df50ffd",
"ssdeep": "3:AfNmSUjGVLUooLWvU7jURTK9k8OQoC50rY:AfNmSUjAwxKvu8M1OQogZ",
"type": "ASCII text, with no line terminators",
"yara": [],
"domains": [],
"ips": [],
"urls": [],
"mails": []
},
"trid_info": [],
"md5": "2fad74b4750ec31092830231e76a6c3f",
"sha1": "d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f",
"sha256": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862"
},
"resp": {
"file_info": {
"name": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"size": 0,
"crc32": "00000000",
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"ssdeep": "3::",
"type": "empty",
"yara": [],
"domains": [],
"ips": [],
"urls": [],
"mails": []
},
"trid_info": [],
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"pid": 6968,
"process_name": "svchost.exe"
}
],
"https_ex": [],
"dead_hosts": [],
"domains": [
{
"domain": "bdcrqgonzmwuehky.nl",
"ip": "176.58.104.168"
},
{
"domain": "somicrososoft.ru",
"ip": "3.229.117.57"
}
],
"hosts": [
"3.229.117.57",
"176.58.104.168"
]
},
"dropped": [
{
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"threat_level": "malicious",
"urls": [],
"sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"size": 64000,
"filepath": "C:\\ProgramData\\Local Settings\\Temp\\msajyt.cmd",
"name": "msajyt.cmd",
"crc32": "49F50535",
"ssdeep": "768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"yara": [],
"md5": "b102cd8c3a882636a4ec337a9344a3a6"
}
],
"strings": {
"5612_88165644311524082025": [
";x\\&:}V*",
"hdll.hsbie",
"kernel32.dll",
".]a[<HI",
"hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst",
"h.dllhpi32hadva",
"!This program cannot be run in DOS mode."
],
"5612_51029104311524082025": [
"ntdll.dll",
"lstrcatW",
"CloseHandle",
"\\syswow64\\svchost.exe",
"\\system32\\wuauclt.exe",
"VirtualFree",
"NtDelayExecution",
"ZwUnmapViewOfSection",
"ZwQueryInformationProcess"
],
"pcap": [
"DESKTOP-H9URB7T ",
"bigcatalog",
"MSFT 5.0",
"Date: Sun, 24 Aug 2025 15:02:07 GMT",
"edgekey",
" EEEFFDELFEEPFACNEIDJFFFCECDHFECA",
"!http://oneocsp.microsoft.com/ocsp0",
"sidnlabs"
]
}
}
Retrieve detailed static and dynamic analysis reports of a file, including file summary information, network behavior, behavioral signatures, static information, dropped behavior, process behavior, and multi-engine detection results.
curl --request POST \
--url https://api.threatbook.io/v2/file/query
{
"response_code": 200,
"msg": "Success",
"multiengines": {
"result": {
"IKARUS": "safe",
"vbwebshell": "safe",
"Avast": "Win32:Fareit-CW",
"Avira": "Worm/Gamarue.ioemn",
"Sophos": "safe",
"K7": "EmailWorm ( 0040f1211 )",
"Rising": "safe",
"Kaspersky": "Trojan-Ransom.Win32.PornoAsset.cpbb",
"Panda": "Trj/Genetic.gen",
"Baidu-China": "Win32.Trojan.WisdomEyes.151026.9950.9999",
"NANO": "safe",
"Antiy": "Trojan[Downloader]/Win32.Wauchos",
"AVG": "Win32:Fareit-CW",
"Baidu": "safe",
"DrWeb": "safe",
"GDATA": "Gen:Variant.Sirefef.2107",
"Microsoft": "TrojanDropper:Win32/Gamarue.C",
"Qihu360": "Win32/Botnet.Andromeda.HxQBeV0A",
"ESET": "safe",
"ClamAV": "safe",
"JiangMin": "Trojan/PornoAsset.plh",
"Trustlook": "safe",
"MicroAPT": "safe",
"OneAV": "safe",
"OneStatic": "safe",
"MicroNonPE": "safe",
"OneAV-PWSH": "safe",
"ShellPub": "safe"
},
"scan_time": "2025-10-15 07:37:59",
"detect_rate": "12/28"
},
"summary": {
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"md5": "b102cd8c3a882636a4ec337a9344a3a6",
"scenes": [],
"tag": {
"s": [
"exe",
"lang_english"
],
"x": [
"Trojan",
"PornoAsset"
]
},
"file_size": 64000,
"is_whitelist": false,
"malware_type": "Trojan",
"malware_family": "PornoAsset",
"sandbox_type_list": [
"win10_1903_enx64_office2016"
],
"threat_level": "malicious",
"submit_time": "2025-08-24 15:00:58",
"last_detection_time": "2025-10-15 15:37:59",
"file_name": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"file_type": "EXEx86",
"sample_sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"threat_score": 90,
"sandbox_type": "win10_1903_enx64_office2016",
"multi_engines": "12/28"
},
"signature": [
{
"severity": 1,
"gray": false,
"references": [],
"sig_class": "Network Related",
"name": "network_http",
"description": "{\"en\": \"Performs some HTTP requests\", \"cn\": \"样本发起了HTTP请求\"}",
"markcount": 5,
"marks": [
{
"type": "generic",
"generic": {
"host": "anam0rph.su",
"request": "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
},
{
"type": "generic",
"generic": {
"host": "bdcrqgonzmwuehky.nl",
"request": "POST /in.php HTTP/1.1\r\nHost: bdcrqgonzmwuehky.nl\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
},
{
"type": "generic",
"generic": {
"host": "somicrososoft.ru",
"request": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"uri": "/in.php"
}
}
],
"families": [],
"attck_id": "",
"attck_info": {}
},
{
"severity": 1,
"gray": false,
"references": [],
"sig_class": "Environment Awareness",
"name": "read_active_computer_name",
"description": "{\"en\": \"Reads the active computer name\", \"cn\": \"读取计算机名称\"}",
"markcount": 1,
"marks": [
{
"type": "ioc",
"ioc": {
"pid": [
6968
],
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName"
}
}
],
"families": [],
"attck_id": "T1087",
"attck_info": {
"Contributors": "Travis Smith, Tripwire",
"title": "Account Discovery",
"Permissions Required": "User",
"Platform": "Linux, macOS, Windows",
"Data Sources": "API monitoring, Process command-line parameters, Process monitoring",
"Tactic": "Discovery",
"CAPEC ID": "CAPEC-575",
"ID": "T1087"
}
},
{
"severity": 3,
"gray": false,
"references": [],
"sig_class": "Malware behavior",
"name": "suspicious_pe_in_memory",
"description": "{\"en\": \"Detected PE file in memory\", \"cn\": \"在内存中检测到PE文件\"}",
"markcount": 3,
"marks": [
{
"type": "generic",
"generic": {
"virtual_address": "0x3970000",
"size": 64512,
"memory_type": "PE",
"pid": 5612,
"process_path": "C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
}
},
{
"type": "generic",
"generic": {
"virtual_address": "0x3ae0000",
"size": 1688,
"memory_type": "shellcode",
"pid": 5612,
"process_path": "C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
}
},
{
"type": "generic",
"generic": {
"virtual_address": "0x6c70000",
"size": 14710,
"memory_type": "shellcode",
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe"
}
}
],
"families": [],
"attck_id": "",
"attck_info": {}
}
],
"static": {
"details": {
"pe_version_info": [],
"pe_sections": [
{
"name": ".text",
"virtual_address": "0x00001000",
"virtual_size": "0x0000518e",
"size_of_data": "0x00005200",
"pointer_to_rawdata": "0x00000400",
"hash": "e6f69cb384e70bf825dcbeb133e0dbbc",
"SectionPermission": "R-E",
"entropy": 6.892130502363175
},
{
"name": ".reloc",
"virtual_address": "0x00014000",
"virtual_size": "0x00001da5",
"size_of_data": "0x00001e00",
"pointer_to_rawdata": "0x0000dc00",
"hash": "3c89baa0cc859837bb9ac8917b6058d7",
"SectionPermission": "RW-",
"entropy": 6.966489345591115
}
],
"pe_signatures": {
"product": "n/a",
"verified": "Unsigned",
"description": "n/a"
},
"pe_imports": [
{
"dll": "SHLWAPI.dll",
"imports": [
{
"address": "0x40e000",
"name": "PathIsURLW"
},
{
"address": "0x40e004",
"name": "PathGetDriveNumberA"
},
{
"address": "0x40e008",
"name": "PathIsRelativeA"
}
]
},
{
"dll": "KERNEL32.dll",
"imports": [
{
"address": "0x40e020",
"name": "lstrcpyW"
}
]
}
],
"pe_resources": [
{
"name": "RT_ICON",
"offset": "0x00013160",
"size": "0x00000128",
"filetype": "GLS_BINARY_LSB_FIRST",
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US"
},
{
"name": "RT_GROUP_ICON",
"offset": "0x00013728",
"size": "0x00000092",
"filetype": "data",
"language": "LANG_ENGLISH",
"sublanguage": "SUBLANG_ENGLISH_US"
}
],
"tag": [],
"pe_basic": {
"tls_info": {},
"import_hash": "540cba6657a101cb43bb9f60920f4768",
"peid": [
"filetype: PE32",
"arch: I386",
"mode: 32",
"endianess: LE",
"type: GUI",
"compiler: Microsoft Visual C/C++(2008 SP1)[-]",
"linker: Microsoft Linker(9.0)[GUI32]"
],
"time_stamp": "2012-10-09 09:11:58",
"entry_point_section": ".text",
"image_base": "0x400000",
"entry_point": "0x4505"
},
"pe_detect": {
"find_crypt": {},
"urls": []
},
"pe_exports": [
{
"address": "0x401b28",
"name": "FirstMagnitudE",
"ordinal": 1
},
{
"address": "0x40446f",
"name": "?SecondMagni@@YGEUCOMMANDLINE094@@WE",
"ordinal": 2
}
]
},
"basic": {
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"file_name": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"ssdeep": "768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw",
"file_size": 64000,
"md5": "b102cd8c3a882636a4ec337a9344a3a6"
}
},
"pstree": {
"children": [
{
"pid": 5612,
"ppid": 3832,
"process_name": "6feb4d.exe",
"command_line": "\"C:\\Users\\Administrator\\Desktop\\6feb4d.exe\" ",
"argument_vector": [
"C:\\Users\\Administrator\\Desktop\\6feb4d.exe"
],
"first_seen": 1756047699918.287,
"children": [
{
"pid": 6968,
"ppid": 5612,
"process_name": "svchost.exe",
"command_line": "C:\\Windows\\syswow64\\svchost.exe",
"argument_vector": [
"C:\\Windows\\syswow64\\svchost.exe"
],
"first_seen": 1756047703968.084,
"children": [],
"track": true
}
],
"track": true
}
],
"process_name": {
"en": "Analysed 2 processes in total",
"cn": "共分析了2个进程"
}
},
"network": {
"mitm": [],
"tcp": [
{
"src": "100.64.8.14",
"sport": 49723,
"dst": "50.16.27.236",
"dport": 80,
"offset": 144133,
"time": 19.677597045898438,
"ppid": 5612,
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"process_name": "svchost.exe"
},
{
"src": "100.64.8.14",
"sport": 49726,
"dst": "176.58.104.168",
"dport": 80,
"offset": 153964,
"time": 21.888036012649536,
"ppid": 5612,
"pid": 6968,
"process_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"process_name": "svchost.exe"
}
],
"udp": [],
"icmp": [],
"http": [
{
"count": 3,
"host": "anam0rph.su",
"port": 80,
"data": "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n",
"uri": "/in.php",
"body": "",
"path": "/in.php",
"url": "http://anam0rph.su/in.php",
"user-agent": "Mozilla/4.0",
"version": "1.1",
"method": "POST"
},
{
"count": 3,
"host": "somicrososoft.ru",
"port": 80,
"data": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n",
"uri": "/in.php",
"body": "",
"path": "/in.php",
"url": "http://somicrososoft.ru/in.php",
"user-agent": "Mozilla/4.0",
"version": "1.1",
"method": "POST"
}
],
"tls": [],
"dns": [
{
"request": "somicrososoft.ru",
"type": "A",
"answers": [
{
"type": "A",
"data": "3.229.117.57",
"time": 22.89440417289734
},
{
"type": "A",
"data": "3.229.117.57",
"time": 43.141231060028076
},
{
"type": "A",
"data": "3.229.117.57",
"time": 62.58969497680664
}
],
"time": 22.542392015457153
}
],
"smtp": [],
"irc": [],
"irc_ex": [],
"dns_servers": [
"223.5.5.5",
"8.8.4.4"
],
"fingerprint": [],
"tcp_ex": [
{
"src": "100.64.8.14",
"dst": "50.16.27.236",
"sport": 49723,
"dport": 80,
"proto": 6,
"time": 19.677597045898438,
"tcp_detail": [
{
"time": 19.677597045898438,
"type": "request",
"size": 241,
"sha256": "fe7525bf77fe49345f26413e8ba8824834beae6d5984ece4f4c581a3df99bf74"
},
{
"time": 19.677597045898438,
"type": "response",
"size": 149,
"sha256": "ea4600ec90525266d9f4458351d0c971ccda17162400a7765c8293700c829a15"
}
],
"proc_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"proc_name": "svchost.exe",
"pid": 6968
},
{
"src": "100.64.8.14",
"dst": "3.229.117.57",
"sport": 49742,
"dport": 80,
"proto": 6,
"time": 62.59141516685486,
"tcp_detail": [
{
"time": 62.59141516685486,
"type": "request",
"size": 246,
"sha256": "e2bfffd5c77cd0f552d6969942a18676874e55774da0c94f9461c37e921d1826"
},
{
"time": 62.59141516685486,
"type": "response",
"size": 149,
"sha256": "45ca865eba2b31cd28ca8bfe44fa6c4a16f25bd92e520a1761701a75270c34ac"
}
],
"proc_path": "C:\\Windows\\SysWOW64\\svchost.exe",
"proc_name": "svchost.exe",
"pid": 6968
}
],
"smtp_ex": [],
"http_ex": [
{
"time": 23.122490167617798,
"src": "100.64.8.14",
"sport": 49727,
"dst": "3.229.117.57",
"dport": 80,
"protocol": "http",
"method": "POST",
"host": "somicrososoft.ru",
"uri": "/in.php",
"url": "http://somicrososoft.ru/in.php",
"status": 200,
"request": "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close",
"response": "HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 24 Aug 2025 15:01:49 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 0\r\nConnection: close",
"req": {
"file_info": {
"name": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862",
"size": 84,
"crc32": "84E1BCE3",
"md5": "2fad74b4750ec31092830231e76a6c3f",
"sha1": "d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f",
"sha256": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862",
"sha512": "c797da42edae157cc27c6d274023a17cd23ffc139705e97f06a3cae6cd74f9b61aa23de2bbc5c985dfea610c787f3e70d4f594f3f8b19a3b3a9dd8b60df50ffd",
"ssdeep": "3:AfNmSUjGVLUooLWvU7jURTK9k8OQoC50rY:AfNmSUjAwxKvu8M1OQogZ",
"type": "ASCII text, with no line terminators",
"yara": [],
"domains": [],
"ips": [],
"urls": [],
"mails": []
},
"trid_info": [],
"md5": "2fad74b4750ec31092830231e76a6c3f",
"sha1": "d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f",
"sha256": "33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862"
},
"resp": {
"file_info": {
"name": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"size": 0,
"crc32": "00000000",
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"ssdeep": "3::",
"type": "empty",
"yara": [],
"domains": [],
"ips": [],
"urls": [],
"mails": []
},
"trid_info": [],
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
},
"md5": "d41d8cd98f00b204e9800998ecf8427e",
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"pid": 6968,
"process_name": "svchost.exe"
}
],
"https_ex": [],
"dead_hosts": [],
"domains": [
{
"domain": "bdcrqgonzmwuehky.nl",
"ip": "176.58.104.168"
},
{
"domain": "somicrososoft.ru",
"ip": "3.229.117.57"
}
],
"hosts": [
"3.229.117.57",
"176.58.104.168"
]
},
"dropped": [
{
"sha1": "9156eaa5ed26bc220aaac3baf56241c48e7e03c1",
"threat_level": "malicious",
"urls": [],
"sha256": "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d",
"size": 64000,
"filepath": "C:\\ProgramData\\Local Settings\\Temp\\msajyt.cmd",
"name": "msajyt.cmd",
"crc32": "49F50535",
"ssdeep": "768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"yara": [],
"md5": "b102cd8c3a882636a4ec337a9344a3a6"
}
],
"strings": {
"5612_88165644311524082025": [
";x\\&:}V*",
"hdll.hsbie",
"kernel32.dll",
".]a[<HI",
"hsk\\ehs\\dihviceh\\serhlsethntrohntcohurrehem\\chsyst",
"h.dllhpi32hadva",
"!This program cannot be run in DOS mode."
],
"5612_51029104311524082025": [
"ntdll.dll",
"lstrcatW",
"CloseHandle",
"\\syswow64\\svchost.exe",
"\\system32\\wuauclt.exe",
"VirtualFree",
"NtDelayExecution",
"ZwUnmapViewOfSection",
"ZwQueryInformationProcess"
],
"pcap": [
"DESKTOP-H9URB7T ",
"bigcatalog",
"MSFT 5.0",
"Date: Sun, 24 Aug 2025 15:02:07 GMT",
"edgekey",
" EEEFFDELFEEPFACNEIDJFFFCECDHFECA",
"!http://oneocsp.microsoft.com/ocsp0",
"sidnlabs"
]
}
}
Your API Key
You can obtain the key on the "My API" page of i.threatbook.io.
Kindly note:
Before calling this API, check that your access IP has been bound to the key and that the key has the permission and quota required to access this API.
The file hash value used to retrieve the analysis report.
Supports sha256 / sha1 / md5.
Sandbox Runtime Environment
Users can specify the sandbox runtime environment for the file in order to view the dynamic analysis data produced in that environment (including behavioral signatures, process behavior, network behavior, dropped behavior, etc.).
The optional environments include:
Windows:
Linux:
Kylin:
Optional data includes: