# File Intelligence

> Retrieve detailed static and dynamic analysis reports of a file, including file summary information, network behavior, behavioral signatures, static information, dropped behavior, process behavior, and multi-engines detection results.
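A small client for this endpoint, added here as an example and not ThreatBook's own code: it validates the hash locally, builds the documented query parameters, and reduces a report to the fields an analyst triages first (verdict, engine hits, ATT&CK IDs, network indicators, dropped files). It assumes the report may sit under `data` as the schema states or at top level as in the sample response below, that `query_fields` is a comma-separated list, and that `attck_id` is a string as the sample shows; the embedded response is the page's own example trimmed to a few records.

```python
"""Query ThreatBook File Intelligence (POST /v2/file/query) and reduce a report
to a triage summary. Added example, not ThreatBook's client. Assumes the report
may sit under "data" (per the schema) or top-level (as in the page's sample),
that query_fields are comma-joined, and that attck_id is a string as sampled."""
import json
import re
import urllib.parse
import urllib.request

API_URL = "https://api.threatbook.io/v2/file/query"
HASH_KIND_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
QUERY_FIELDS = {"summary", "network", "signature", "static", "dropped",
                "pstree", "multiengines", "strings"}


def hash_kind(resource):
    """Return md5/sha1/sha256 for a hex digest; reject bad input locally so a
    typo never spends API quota."""
    digest = resource.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) not in HASH_KIND_BY_LEN:
        raise ValueError("resource must be an md5, sha1 or sha256 hex digest")
    return HASH_KIND_BY_LEN[len(digest)]


def build_params(apikey, resource, sandbox_type=None, query_fields=None):
    """Assemble the documented query parameters (all travel in the query string)."""
    hash_kind(resource)
    params = {"apikey": apikey, "resource": resource.strip().lower()}
    if sandbox_type:
        params["sandbox_type"] = sandbox_type
    if query_fields:
        unknown = set(query_fields) - QUERY_FIELDS
        if unknown:
            raise ValueError(f"unknown query_fields: {sorted(unknown)}")
        params["query_fields"] = ",".join(query_fields)  # separator is assumed
    return params


def query_file(apikey, resource, **kwargs):
    """Live call. The key rides in the URL, so mind proxy and access logs."""
    url = API_URL + "?" + urllib.parse.urlencode(build_params(apikey, resource, **kwargs))
    with urllib.request.urlopen(urllib.request.Request(url, method="POST"), timeout=30) as r:
        return json.load(r)


def summarize(response):
    """Collapse a report into what an analyst triages first (pure function)."""
    if response.get("response_code") != 200:
        raise RuntimeError(f"API error {response.get('response_code')}: {response.get('msg')}")
    data = response.get("data") or response
    summary, engines = data.get("summary", {}), data.get("multiengines", {})
    hits = {e: v for e, v in engines.get("result", {}).items() if v != "safe"}
    net, sigs = data.get("network", {}), data.get("signature", [])
    max_severity = max((s.get("severity", 0) for s in sigs), default=0)
    level = summary.get("threat_level", "unknown")
    return {
        "sha256": summary.get("sample_sha256"),
        "threat_level": level,
        "malware_family": summary.get("malware_family"),
        "detect_rate": summary.get("multi_engines") or engines.get("detect_rate"),
        "engine_hits": hits,
        "max_severity": max_severity,
        "attck_ids": sorted({s["attck_id"] for s in sigs if s.get("attck_id")}),
        "urls": sorted({h["url"] for h in net.get("http", []) if h.get("url")}),
        "domains": sorted({d["domain"] for d in net.get("domains", [])}),
        "ips": sorted(set(net.get("hosts", []))),
        "dropped": [(f.get("filepath"), f.get("sha256")) for f in data.get("dropped", [])],
        # escalate on the composite verdict, or on severe behaviour plus engine hits
        "escalate": level == "malicious" or (max_severity >= 3 and bool(hits)),
    }


# Constructed sample: the page's own example response, trimmed to a few records.
SAMPLE_SHA256 = "9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d"
SAMPLE_RESPONSE = {
    "response_code": 200, "msg": "Success",
    "multiengines": {"result": {"Avast": "Win32:Fareit-CW", "Sophos": "safe",
                                "Kaspersky": "Trojan-Ransom.Win32.PornoAsset.cpbb",
                                "ESET": "safe"},
                     "scan_time": "2025-10-15 07:37:59", "detect_rate": "12/28"},
    "summary": {"threat_level": "malicious", "malware_family": "PornoAsset",
                "threat_score": 90, "multi_engines": "12/28",
                "sample_sha256": SAMPLE_SHA256},
    "signature": [{"severity": 1, "name": "network_http", "attck_id": ""},
                  {"severity": 1, "name": "read_active_computer_name", "attck_id": "T1087"},
                  {"severity": 3, "name": "suspicious_pe_in_memory", "attck_id": ""}],
    "network": {"http": [{"host": "anam0rph.su", "url": "http://anam0rph.su/in.php"},
                         {"host": "somicrososoft.ru", "url": "http://somicrososoft.ru/in.php"}],
                "domains": [{"domain": "bdcrqgonzmwuehky.nl", "ip": "176.58.104.168"},
                            {"domain": "somicrososoft.ru", "ip": "3.229.117.57"}],
                "hosts": ["3.229.117.57", "176.58.104.168"]},
    "dropped": [{"filepath": "C:\\ProgramData\\Local Settings\\Temp\\msajyt.cmd",
                 "sha256": SAMPLE_SHA256}],
}

if __name__ == "__main__":
    # Offline demo on the sample; for a live lookup use query_file("YOUR_API_KEY", SAMPLE_SHA256).
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```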

## OpenAPI

````yaml POST /v2/file/query
openapi: 3.1.0
info:
  title: Default module
  description: ''
  version: 1.0.0
servers:
  - url: https://api.threatbook.io
    description: Prod Env
security: []
tags: []
paths:
  /v2/file/query:
    post:
      tags: []
      summary: File Intelligence (V2)
      description: >-
        Retrieve detailed static and dynamic analysis reports of a file,
        including file summary information, network behavior, behavioral
        signatures, static information, dropped behavior, process behavior, and
        multi-engines detection results.
      parameters:
        - name: apikey
          in: query
          description: >-
            Your API Key.


            You can get the key on the "My API" page of
            [i.threatbook.io](https://i.threatbook.io/my-api).


            **Kindly note:**


            Before you call this API, check that you have bound your access IP
            to the key and that you have the authorized quota to access it.
          required: true
          example: ''
          schema:
            type: string
        - name: resource
          in: query
          description: |-
            The file hash value used to retrieve the analysis report.

            Supports sha256 / sha1 / md5.
          required: true
          example: ''
          schema:
            type: string
        - name: sandbox_type
          in: query
          description: >-
            **Sandbox Runtime Environment**  

            Users can specify the sandbox runtime environment for the file to
            view dynamic analysis data in that specific environment (including
            behavioral signatures, process behavior, network behavior, dropped
            behavior, etc.).  


            The available environments include:  


            - **Windows**:  
              - win7_sp1_enx64_office2013  
              - win7_sp1_enx86_office2013  
              - win7_sp1_enx86_office2010  
              - win7_sp1_enx86_office2007  
              - win7_sp1_enx86_office2003  
              - win10_1903_enx64_office2016  

            - **Linux**:  
              - ubuntu_1704_x64  
              - centos_7_x64  

            - **Kylin**:  
              - kylin_desktop_v10  
          required: false
          schema:
            type: string
        - name: query_fields
          in: query
          description: |-
            Optional data includes:

            - **summary**  
            - **network**  
            - **signature**  
            - **static**  
            - **dropped**  
            - **pstree**  
            - **multiengines**  
            - **strings**  
          required: false
          schema:
            type: string
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                type: object
                properties:
                  msg:
                    type: string
                  response_code:
                    type: integer
                  data:
                    type: object
                    properties:
                      multiengines:
                        type: object
                        properties: {}
                        description: >-
                          - **result**: Detection status from each antivirus
                          engine. Each engine's value is one of:  
                            - **safe**: The engine did not detect any threats.  
                            - **malware_label**: A specific label indicating the type of malware detected. For example, Trojan.e32du.  

                          - **scan_time**: The exact timestamp when the sample
                          was scanned by multiple engines. The format is
                          YYYY-MM-DD HH:MM:SS. For example, 2019-10-22 16:17:48.
                      summary:
                        type: object
                        properties: {}
                        description: >-
                          **Summary Information**  

                          A JSON object with the following fields:


                          - **threat_level**: Threat level. Four categories:
                          `malicious`, `suspicious`, `clean`, `unknown`.  
                            This threat level is an overall verdict that combines static analysis, multi-engine detection, and dynamic analysis across multiple sandbox environments.  

                          - **malware_type**: Threat category.  


                          - **malware_family**: Malware family, e.g.,
                          `Xorddos`.  


                          - **is_whitelist**: Whether the file is on the
                          whitelist. `true` means whitelisted, `false` means
                          not.  


                          - **submit_time**: File submission time.  
                            - Example: `2019-01-22 17:36:21`  

                          - **file_name**: File name.  


                          - **file_type**: File type.  


                          - **sample_sha256**: File hash (SHA256).  


                          - **md5**: File MD5 hash.  


                          - **sha1**: File SHA1 hash.  


                          - **scenes**: Scenario detection results.  
                            - **Cybercrime**: Cybercrime sample.  
                            - **CS_Detect**: CobaltStrike trojan sample.  
                            - **RT_Tools**: Red team tool.  
                            - **Exploit**: Exploit sample.  

                          - **tag**: Tags. A JSON object containing:  
                            - **s**: Static tags (JSON array). Example: `"Abnormal timestamp"`. For common tags, see **“Common Sample Tags”**.  
                            - **x**: Antivirus engine detection tags (JSON array). Example: `"Trojan"`.  

                          - **threat_score**: Threat score value.  


                          - **sandbox_type**: The sandbox environment specified
                          for the current analysis.  


                          - **sandbox_type_list**: List of all sandbox
                          environments where the sample was successfully
                          analyzed.  


                          - **multi_engines**: Antivirus engine detection
                          rate.  
                            - Example: `"7/25"`  
                      signature:
                        type: array
                        items:
                          type: object
                          properties: {}
                        description: >-
                          **Behavioral Signatures**  

                          A JSON array, where each item includes the following
                          fields:


                          - **severity**: Severity level (integer). A higher
                          number indicates higher severity.  

                          - **references**: References (JSON array).  

                          - **sig_class**: Signature category (string).  

                          - **name**: Signature name (string).  

                          - **description**: Behavior description.  

                          - **markcount**: Mark count (integer).  

                          - **marks**: Raw signature data (JSON array).  

                          - **families**: Associated malware families (JSON
                          array).  

                          - **attck_id**: ATT&CK ID (integer).  

                          - **attck_info**: ATT&CK details (JSON array).  
                      static:
                        type: object
                        properties: {}
                        description: |-
                          **Static Information**  
                          A JSON object.  
                      pstree:
                        type: object
                        properties: {}
                        description: Process Tree Information
                      network:
                        type: object
                        properties: {}
                        description: >-
                          **Network Behavior**

                          A JSON object with the following fields:


                          - **fingerprint**: Fingerprint information (JSON
                          array).  

                          - **tls**: TLS protocol (JSON array).  

                          - **udp**: UDP protocol (JSON array).  

                          - **dns_servers**: DNS servers (JSON array).  

                          - **http**: HTTP protocol (JSON array).  

                          - **irc**: IRC protocol (JSON array).  

                          - **smtp**: SMTP protocol (JSON array).  

                          - **tcp**: TCP protocol (JSON array).  

                          - **smtp_ex**: Extended SMTP protocol data (JSON
                          array).  

                          - **mitm**: Man-in-the-middle data (JSON array).  

                          - **hosts**: Network hosts (JSON array).  

                          - **dns**: Domain Name System (JSON array).  

                          - **http_ex**: Extended HTTP protocol data (JSON
                          array).  

                          - **domains**: Domains (JSON array).  

                          - **dead_hosts**: Unreachable hosts (JSON array).  

                          - **icmp**: ICMP protocol (JSON array).  

                          - **https_ex**: Extended HTTPS protocol data (JSON
                          array).  
                      dropped:
                        type: array
                        items:
                          type: object
                          properties: {}
                        description: >-
                          **Dropped Behavior**  

                          A JSON array, where each item includes the following
                          fields:


                          - **sha1**: File SHA1 value (string).  

                          - **sha256**: File SHA256 value (string).  

                          - **md5**: File MD5 value (string).  

                          - **urls**: Extracted URLs (JSON array).  

                          - **size**: File size (integer).  

                          - **filepath**: File path (string).  

                          - **name**: File name (string).  

                          - **crc32**: File CRC32 value (string).  

                          - **ssdeep**: File SSDeep value (string).  

                          - **type**: File type (string).  

                          - **yara**: YARA matches (JSON array).  
                      strings:
                        type: object
                        properties: {}
                        description: >-
                          **Strings Information**  

                          A JSON object with the following fields:


                          - **sha256**: Static strings extracted from the file
                          itself, corresponding to the file's SHA256 value
                          (array).  

                          - **pcap**: Strings extracted from network traffic
                          (array).  
                    required:
                      - summary
                      - multiengines
                      - static
                      - signature
                      - dropped
                      - network
                      - pstree
                      - strings
                required:
                  - data
                  - response_code
                  - msg
              example:
                response_code: 200
                msg: Success
                multiengines:
                  result:
                    IKARUS: safe
                    vbwebshell: safe
                    Avast: Win32:Fareit-CW
                    Avira: Worm/Gamarue.ioemn
                    Sophos: safe
                    K7: EmailWorm ( 0040f1211 )
                    Rising: safe
                    Kaspersky: Trojan-Ransom.Win32.PornoAsset.cpbb
                    Panda: Trj/Genetic.gen
                    Baidu-China: Win32.Trojan.WisdomEyes.151026.9950.9999
                    NANO: safe
                    Antiy: Trojan[Downloader]/Win32.Wauchos
                    AVG: Win32:Fareit-CW
                    Baidu: safe
                    DrWeb: safe
                    GDATA: Gen:Variant.Sirefef.2107
                    Microsoft: TrojanDropper:Win32/Gamarue.C
                    Qihu360: Win32/Botnet.Andromeda.HxQBeV0A
                    ESET: safe
                    ClamAV: safe
                    JiangMin: Trojan/PornoAsset.plh
                    Trustlook: safe
                    MicroAPT: safe
                    OneAV: safe
                    OneStatic: safe
                    MicroNonPE: safe
                    OneAV-PWSH: safe
                    ShellPub: safe
                  scan_time: '2025-10-15 07:37:59'
                  detect_rate: 12/28
                summary:
                  sha1: 9156eaa5ed26bc220aaac3baf56241c48e7e03c1
                  md5: b102cd8c3a882636a4ec337a9344a3a6
                  scenes: []
                  tag:
                    s:
                      - exe
                      - lang_english
                    x:
                      - Trojan
                      - PornoAsset
                  file_size: 64000
                  is_whitelist: false
                  malware_type: Trojan
                  malware_family: PornoAsset
                  sandbox_type_list:
                    - win10_1903_enx64_office2016
                  threat_level: malicious
                  submit_time: '2025-08-24 15:00:58'
                  last_detection_time: '2025-10-15 15:37:59'
                  file_name: >-
                    9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d
                  file_type: EXEx86
                  sample_sha256: >-
                    9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d
                  threat_score: 90
                  sandbox_type: win10_1903_enx64_office2016
                  multi_engines: 12/28
                signature:
                  - severity: 1
                    gray: false
                    references: []
                    sig_class: Network Related
                    name: network_http
                    description: '{"en": "Performs some HTTP requests", "cn": "样本发起了HTTP请求"}'
                    markcount: 5
                    marks:
                      - type: generic
                        generic:
                          host: anam0rph.su
                          request: "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close"
                          uri: /in.php
                      - type: generic
                        generic:
                          host: bdcrqgonzmwuehky.nl
                          request: "POST /in.php HTTP/1.1\r\nHost: bdcrqgonzmwuehky.nl\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close"
                          uri: /in.php
                      - type: generic
                        generic:
                          host: somicrososoft.ru
                          request: "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close"
                          uri: /in.php
                    families: []
                    attck_id: ''
                    attck_info: {}
                  - severity: 1
                    gray: false
                    references: []
                    sig_class: Environment Awareness
                    name: read_active_computer_name
                    description: '{"en": "Reads the active computer name", "cn": "读取计算机名称"}'
                    markcount: 1
                    marks:
                      - type: ioc
                        ioc:
                          pid:
                            - 6968
                          category: registry
                          ioc: >-
                            HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
                    families: []
                    attck_id: T1087
                    attck_info:
                      Contributors: Travis Smith, Tripwire
                      title: Account Discovery
                      Permissions Required: User
                      Platform: Linux, macOS, Windows
                      Data Sources: >-
                        API monitoring, Process command-line parameters, Process
                        monitoring
                      Tactic: Discovery
                      CAPEC ID: CAPEC-575
                      ID: T1087
                  - severity: 3
                    gray: false
                    references: []
                    sig_class: Malware behavior
                    name: suspicious_pe_in_memory
                    description: '{"en": "Detected PE file in memory", "cn": "在内存中检测到PE文件"}'
                    markcount: 3
                    marks:
                      - type: generic
                        generic:
                          virtual_address: '0x3970000'
                          size: 64512
                          memory_type: PE
                          pid: 5612
                          process_path: C:\Users\Administrator\Desktop\6feb4d.exe
                      - type: generic
                        generic:
                          virtual_address: '0x3ae0000'
                          size: 1688
                          memory_type: shellcode
                          pid: 5612
                          process_path: C:\Users\Administrator\Desktop\6feb4d.exe
                      - type: generic
                        generic:
                          virtual_address: '0x6c70000'
                          size: 14710
                          memory_type: shellcode
                          pid: 6968
                          process_path: C:\Windows\SysWOW64\svchost.exe
                    families: []
                    attck_id: ''
                    attck_info: {}
                static:
                  details:
                    pe_version_info: []
                    pe_sections:
                      - name: .text
                        virtual_address: '0x00001000'
                        virtual_size: '0x0000518e'
                        size_of_data: '0x00005200'
                        pointer_to_rawdata: '0x00000400'
                        hash: e6f69cb384e70bf825dcbeb133e0dbbc
                        SectionPermission: R-E
                        entropy: 6.892130502363175
                      - name: .reloc
                        virtual_address: '0x00014000'
                        virtual_size: '0x00001da5'
                        size_of_data: '0x00001e00'
                        pointer_to_rawdata: '0x0000dc00'
                        hash: 3c89baa0cc859837bb9ac8917b6058d7
                        SectionPermission: RW-
                        entropy: 6.966489345591115
                    pe_signatures:
                      product: n/a
                      verified: Unsigned
                      description: n/a
                    pe_imports:
                      - dll: SHLWAPI.dll
                        imports:
                          - address: '0x40e000'
                            name: PathIsURLW
                          - address: '0x40e004'
                            name: PathGetDriveNumberA
                          - address: '0x40e008'
                            name: PathIsRelativeA
                      - dll: KERNEL32.dll
                        imports:
                          - address: '0x40e020'
                            name: lstrcpyW
                    pe_resources:
                      - name: RT_ICON
                        offset: '0x00013160'
                        size: '0x00000128'
                        filetype: GLS_BINARY_LSB_FIRST
                        language: LANG_ENGLISH
                        sublanguage: SUBLANG_ENGLISH_US
                      - name: RT_GROUP_ICON
                        offset: '0x00013728'
                        size: '0x00000092'
                        filetype: data
                        language: LANG_ENGLISH
                        sublanguage: SUBLANG_ENGLISH_US
                    tag: []
                    pe_basic:
                      tls_info: {}
                      import_hash: 540cba6657a101cb43bb9f60920f4768
                      peid:
                        - 'filetype: PE32'
                        - 'arch: I386'
                        - 'mode: 32'
                        - 'endianess: LE'
                        - 'type: GUI'
                        - 'compiler: Microsoft Visual C/C++(2008 SP1)[-]'
                        - 'linker: Microsoft Linker(9.0)[GUI32]'
                      time_stamp: '2012-10-09 09:11:58'
                      entry_point_section: .text
                      image_base: '0x400000'
                      entry_point: '0x4505'
                    pe_detect:
                      find_crypt: {}
                      urls: []
                    pe_exports:
                      - address: '0x401b28'
                        name: FirstMagnitudE
                        ordinal: 1
                      - address: '0x40446f'
                        name: '?SecondMagni@@YGEUCOMMANDLINE094@@WE'
                        ordinal: 2
                  basic:
                    sha1: 9156eaa5ed26bc220aaac3baf56241c48e7e03c1
                    sha256: >-
                      9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d
                    file_type: PE32 executable (GUI) Intel 80386, for MS Windows
                    file_name: >-
                      9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d
                    ssdeep: >-
                      768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw
                    file_size: 64000
                    md5: b102cd8c3a882636a4ec337a9344a3a6
                pstree:
                  children:
                    - pid: 5612
                      ppid: 3832
                      process_name: 6feb4d.exe
                      command_line: '"C:\Users\Administrator\Desktop\6feb4d.exe" '
                      argument_vector:
                        - C:\Users\Administrator\Desktop\6feb4d.exe
                      first_seen: 1756047699918.287
                      children:
                        - pid: 6968
                          ppid: 5612
                          process_name: svchost.exe
                          command_line: C:\Windows\syswow64\svchost.exe
                          argument_vector:
                            - C:\Windows\syswow64\svchost.exe
                          first_seen: 1756047703968.084
                          children: []
                          track: true
                      track: true
                  process_name:
                    en: Analysed 2 processes in total
                    cn: 共分析了2个进程
                network:
                  mitm: []
                  tcp:
                    - src: 100.64.8.14
                      sport: 49723
                      dst: 50.16.27.236
                      dport: 80
                      offset: 144133
                      time: 19.677597045898438
                      ppid: 5612
                      pid: 6968
                      process_path: C:\Windows\SysWOW64\svchost.exe
                      process_name: svchost.exe
                    - src: 100.64.8.14
                      sport: 49726
                      dst: 176.58.104.168
                      dport: 80
                      offset: 153964
                      time: 21.888036012649536
                      ppid: 5612
                      pid: 6968
                      process_path: C:\Windows\SysWOW64\svchost.exe
                      process_name: svchost.exe
                  udp: []
                  icmp: []
                  http:
                    - count: 3
                      host: anam0rph.su
                      port: 80
                      data: "POST /in.php HTTP/1.1\r\nHost: anam0rph.su\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n"
                      uri: /in.php
                      body: ''
                      path: /in.php
                      url: http://anam0rph.su/in.php
                      user-agent: Mozilla/4.0
                      version: '1.1'
                      method: POST
                    - count: 3
                      host: somicrososoft.ru
                      port: 80
                      data: "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close\r\n\r\n"
                      uri: /in.php
                      body: ''
                      path: /in.php
                      url: http://somicrososoft.ru/in.php
                      user-agent: Mozilla/4.0
                      version: '1.1'
                      method: POST
                  tls: []
                  dns:
                    - request: somicrososoft.ru
                      type: A
                      answers:
                        - type: A
                          data: 3.229.117.57
                          time: 22.89440417289734
                        - type: A
                          data: 3.229.117.57
                          time: 43.141231060028076
                        - type: A
                          data: 3.229.117.57
                          time: 62.58969497680664
                      time: 22.542392015457153
                  smtp: []
                  irc: []
                  irc_ex: []
                  dns_servers:
                    - 223.5.5.5
                    - 8.8.4.4
                  fingerprint: []
                  tcp_ex:
                    - src: 100.64.8.14
                      dst: 50.16.27.236
                      sport: 49723
                      dport: 80
                      proto: 6
                      time: 19.677597045898438
                      tcp_detail:
                        - time: 19.677597045898438
                          type: request
                          size: 241
                          sha256: >-
                            fe7525bf77fe49345f26413e8ba8824834beae6d5984ece4f4c581a3df99bf74
                        - time: 19.677597045898438
                          type: response
                          size: 149
                          sha256: >-
                            ea4600ec90525266d9f4458351d0c971ccda17162400a7765c8293700c829a15
                      proc_path: C:\Windows\SysWOW64\svchost.exe
                      proc_name: svchost.exe
                      pid: 6968
                    - src: 100.64.8.14
                      dst: 3.229.117.57
                      sport: 49742
                      dport: 80
                      proto: 6
                      time: 62.59141516685486
                      tcp_detail:
                        - time: 62.59141516685486
                          type: request
                          size: 246
                          sha256: >-
                            e2bfffd5c77cd0f552d6969942a18676874e55774da0c94f9461c37e921d1826
                        - time: 62.59141516685486
                          type: response
                          size: 149
                          sha256: >-
                            45ca865eba2b31cd28ca8bfe44fa6c4a16f25bd92e520a1761701a75270c34ac
                      proc_path: C:\Windows\SysWOW64\svchost.exe
                      proc_name: svchost.exe
                      pid: 6968
                  smtp_ex: []
                  http_ex:
                    - time: 23.122490167617798
                      src: 100.64.8.14
                      sport: 49727
                      dst: 3.229.117.57
                      dport: 80
                      protocol: http
                      method: POST
                      host: somicrososoft.ru
                      uri: /in.php
                      url: http://somicrososoft.ru/in.php
                      status: 200
                      request: "POST /in.php HTTP/1.1\r\nHost: somicrososoft.ru\r\nUser-Agent: Mozilla/4.0\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 84\r\nConnection: close"
                      response: "HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Sun, 24 Aug 2025 15:01:49 GMT\r\nContent-Type: application/octet-stream\r\nContent-Length: 0\r\nConnection: close"
                      req:
                        file_info:
                          name: >-
                            33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862
                          size: 84
                          crc32: 84E1BCE3
                          md5: 2fad74b4750ec31092830231e76a6c3f
                          sha1: d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f
                          sha256: >-
                            33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862
                          sha512: >-
                            c797da42edae157cc27c6d274023a17cd23ffc139705e97f06a3cae6cd74f9b61aa23de2bbc5c985dfea610c787f3e70d4f594f3f8b19a3b3a9dd8b60df50ffd
                          ssdeep: >-
                            3:AfNmSUjGVLUooLWvU7jURTK9k8OQoC50rY:AfNmSUjAwxKvu8M1OQogZ
                          type: ASCII text, with no line terminators
                          yara: []
                          domains: []
                          ips: []
                          urls: []
                          mails: []
                        trid_info: []
                        md5: 2fad74b4750ec31092830231e76a6c3f
                        sha1: d4a2a32ed81842f4a392cb3c5b430e4ce2c4820f
                        sha256: >-
                          33f91bbc0b502f8daab951737c8088a190422a211fe1ae4c0481c96618e5b862
                      resp:
                        file_info:
                          name: >-
                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                          size: 0
                          crc32: '00000000'
                          md5: d41d8cd98f00b204e9800998ecf8427e
                          sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
                          sha256: >-
                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                          sha512: >-
                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
                          ssdeep: '3::'
                          type: empty
                          yara: []
                          domains: []
                          ips: []
                          urls: []
                          mails: []
                        trid_info: []
                        md5: d41d8cd98f00b204e9800998ecf8427e
                        sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
                        sha256: >-
                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                      md5: d41d8cd98f00b204e9800998ecf8427e
                      sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709
                      sha256: >-
                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                      pid: 6968
                      process_name: svchost.exe
                  https_ex: []
                  dead_hosts: []
                  domains:
                    - domain: bdcrqgonzmwuehky.nl
                      ip: 176.58.104.168
                    - domain: somicrososoft.ru
                      ip: 3.229.117.57
                  hosts:
                    - 3.229.117.57
                    - 176.58.104.168
                dropped:
                  - sha1: 9156eaa5ed26bc220aaac3baf56241c48e7e03c1
                    threat_level: malicious
                    urls: []
                    sha256: >-
                      9145f476a9f1f3b793709276de9631dd406e4f240863bbf3d6c66bc3456feb4d
                    size: 64000
                    filepath: C:\ProgramData\Local Settings\Temp\msajyt.cmd
                    name: msajyt.cmd
                    crc32: 49F50535
                    ssdeep: >-
                      768:8ZYOGJ8z39m6odrD2ydQtaCGvRDvqguFjI3LOLisuIPcH9e3FEx8EFK4AVSi0WC4:83t2dGanvsh2ki4PQeVEKE38TCNMBMpw
                    type: PE32 executable (GUI) Intel 80386, for MS Windows
                    yara: []
                    md5: b102cd8c3a882636a4ec337a9344a3a6
                strings:
                  '5612_88165644311524082025':
                    - ;x\&:}V*
                    - hdll.hsbie
                    - kernel32.dll
                    - .]a[<HI
                    - hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst
                    - h.dllhpi32hadva
                    - '!This program cannot be run in DOS mode.'
                  '5612_51029104311524082025':
                    - ntdll.dll
                    - lstrcatW
                    - CloseHandle
                    - \syswow64\svchost.exe
                    - \system32\wuauclt.exe
                    - VirtualFree
                    - NtDelayExecution
                    - ZwUnmapViewOfSection
                    - ZwQueryInformationProcess
                  pcap:
                    - 'DESKTOP-H9URB7T '
                    - bigcatalog
                    - MSFT 5.0
                    - 'Date: Sun, 24 Aug 2025 15:02:07 GMT'
                    - edgekey
                    - ' EEEFFDELFEEPFACNEIDJFFFCECDHFECA'
                    - '!http://oneocsp.microsoft.com/ocsp0'
                    - sidnlabs
          headers: {}
        '202':
          $ref: '#/components/responses/202'
          description: ''
        '400':
          $ref: '#/components/responses/400'
          description: ''
        '401':
          $ref: '#/components/responses/401'
          description: ''
        '404':
          $ref: '#/components/responses/404'
          description: ''
        '405':
          $ref: '#/components/responses/405'
          description: ''
        '429':
          $ref: '#/components/responses/429'
          description: ''
        '500':
          $ref: '#/components/responses/500'
          description: ''
      deprecated: false
      security: []
components:
  responses:
    '202':
      description: ''
      content:
        application/json:
          schema:
            title: ''
            type: object
            properties:
              msg:
                type: string
                enum:
                  - ' In Progress'
              response_code:
                type: integer
                const: 202
            required:
              - msg
              - response_code
          examples:
            Example 1:
              summary: Example 1
              value:
                msg: ' In Progress'
                response_code: 202
    '400':
      description: ''
      content:
        application/json:
          schema:
            type: object
            properties:
              msg:
                type: string
                enum:
                  - Required:{resource/apikey}
                  - Invalid parameter:{parameter}
              response_code:
                type: integer
                const: 400
            required:
              - msg
              - response_code
          examples:
            Example 1:
              summary: Example 1
              value:
                msg: Required:{resource/apikey}
                response_code: 400
    '401':
      description: ''
      content:
        application/json:
          schema:
            type: object
            properties:
              msg:
                type: string
                enum:
                  - Invalid account status
                  - 'Invalid access IP: {actual IP address}'
                  - Invalid API key
                  - Invalid key status
                  - No access to the API
                  - Expired API key
                  - No access to the file report
                  - 'No access to: {parameter}'
              response_code:
                type: integer
                const: 401
            required:
              - msg
              - response_code
          examples:
            Example 1:
              summary: Example 1
              value:
                msg: Invalid account status
                response_code: 401
    '404':
      description: ''
      content:
        application/json:
          schema:
            title: ''
            type: object
            properties:
              msg:
                type: string
                enum:
                  - No Report Found
              response_code:
                type: integer
                const: 404
            required:
              - msg
              - response_code
          examples:
            Example 1:
              summary: Example 1
              value:
                msg: No Report Found
                response_code: 404
    '405':
      description: ''
      content:
        application/json:
          schema:
            type: object
            properties:
              msg:
                type: string
                const: Invalid API method
              response_code:
                type: integer
                const: 405
            required:
              - msg
              - response_code
          examples:
            Example 1:
              summary: Example 1
              value:
                msg: Invalid API method
                response_code: 405
    '429':
      description: ''
      content:
        application/json:
          schema:
            type: object
            properties:
              msg:
                type: string
                enum:
                  - Request rate limitation
                  - Beyond {daily/monthly/total} quotas limitation
              response_code:
                type: integer
                const: 429
            required:
              - msg
              - response_code
          examples:
            Example 1:
              summary: Example 1
              value:
                msg: Request rate limitation
                response_code: 429
    '500':
      description: ''
      content:
        application/json:
          schema:
            type: object
            properties:
              msg:
                type: string
                enum:
                  - System error
                  - URL Download Fail
              response_code:
                type: integer
                const: 500
            required:
              - msg
              - response_code
          examples:
            Example 1:
              summary: Example 1
              value:
                msg: System error
                response_code: 500

````