
PolySwarm Customer CLI v2

A CLI tool for interacting with version 2 PolySwarm Customer APIs.

Supports Python 2.7 and Python 3.5 or later.

Installation

From PyPI:

$ pip install polyswarm

From source:

$ python setup.py install

Configuration

Set your API key

$ export POLYSWARM_API_KEY=<Your API key from polyswarm.network>

Set the community name: "default" is the default public community.

$ export POLYSWARM_COMMUNITY=default

Enable tab completion

$ eval "$(_POLYSWARM_COMPLETE=source polyswarm)"

You will need to get your own API key from polyswarm.network/account/api-keys.

Usage

The polyswarm command has several sub-commands. Run the command or any sub-command by itself, or pass the -h option, to get help output.

$ polyswarm
Usage: polyswarm [OPTIONS] COMMAND [ARGS]...

  This is a PolySwarm CLI client, which allows you to interact directly with
  the PolySwarm network to scan files, search hashes, and more.

Options:
  -a, --api-key TEXT              Your API key for polyswarm.network
                                  (required).
  -u, --api-uri TEXT              The API endpoint (ADVANCED).
  -o, --output-file FILENAME      Path to output file.
  --output-format, --fmt [text|json|pretty-json|sha256|sha1|md5]
                                  Output format. Human-readable text or JSON.
  --color / --no-color            Use colored output in text mode.
  -v, --verbose
  -c, --community TEXT            Community to use.
  --advanced-disable-version-check / --advanced-enable-version-check
                                  Enable/disable GitHub release version check.
  --validate                      Validate incoming schemas (note: slow).
  --parallel INTEGER              Number of threads to be used in parallel
                                  http requests.
  --version                       Show the version and exit.
  --api-version                   Show the version and exit.
  -h, --help                      Show this message and exit.

Commands:
  cat         Output artifact contents to stdout.
  download    Download file(s).
  family      Interact with Malware Families in Polyswarm.
  historical  Interact with historical hunts.
  link        Interact with Tag links in Polyswarm.
  live        Interact with live hunts.
  lookup      Lookup a scan id(s).
  rescan      Rescan files(s) by hash.
  rescan-id   Rescan by scan id.
  rules       Interact with Yara Rules stored in Polyswarm.
  scan        Interact with Scans sent to Polyswarm.
  search      Interact search api.
  stream      Access the polyswarm file stream.
  tag         Interact with Tags in Polyswarm.
  wait        Wait for a  scan to finish.

Perform Scans

Scan a File

$ polyswarm scan file /tmp/eicar
============================= Artifact Instance =============================
Scan permalink: https://polyswarm.network/scan/results/file/89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
Detections: 6/12 engines reported malicious
	Qihoo 360: Malicious, metadata: {"malware_family": "qex.eicar.gen.gen", "scanner": {"environment": {"architecture": "AMD64", "operating_system": "Windows"}}}
	Lionic: Clean
	XVirus: Clean
	Nucleon: Clean
	Virusdie: Malicious, metadata: {"malware_family": "EICAR.TEST", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "vendor_version": "1.3.0", "version": "0.3.0"}}
	Ikarus: Malicious, metadata: {"malware_family": "EICAR-Test-File", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "signatures_version": "21.02.2020 13:15:46 (102417)", "vendor_version": "5.2.9.0", "version": "0.2.0"}}
	ClamAV: Clean
	Alibaba: Clean
	K7: Malicious, metadata: {"malware_family": "EICAR_Test_File", "scanner": {"environment": {"architecture": "AMD64", "operating_system": "Windows"}, "signatures_version": "11.95.33362, 21-Feb-2020", "vendor_version": "15.2.0.42", "version": "0.2.0"}}
	NanoAV: Malicious, metadata: {"malware_family": "Marker.Dos.EICAR-Test-File.dyb", "scanner": {"environment": {"architecture": "AMD64", "operating_system": "Windows"}, "signatures_version": "0.14.33.17090", "vendor_version": "1.0.134.90567", "version": "0.1.0"}}
	VenusEye: Clean
	DrWeb: Malicious, metadata: {"malware_family": "EICAR Test File (NOT a Virus!)", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "signatures_version": "864BFD34E93FFC1BEFC260DAE804EFAF, 2020-Feb-21 16:59:42", "vendor_version": "7.00.44.12030", "version": "0.3.0"}}
Scan id: 50446025732260182
SHA256: 89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
SHA1: a33fb79e9c71f1b446607d437a1984602ed47d5c
MD5: a6a57bf20416a4c712c4a1eabcaeb235
File type: mimetype: text/plain, extended_info: EICAR virus test files
SSDEEP: 3:a+JraNvsgzsVqSwHqajaBFSdYSDQ1SBWfQdRXn:tJuOgzskCStDmidRX
TLSH: ccc09b867e1dfda6530b44510171b5771829575d1de4053421d1f0f4dd677dc43741f8
First seen: 2020-01-24 21:56:21.456900
Last seen: 2020-02-21 19:21:59.196578
Status: Assertion window closed
Filename: malicious.txt
Community: lima
Country: US
PolyScore: 0.07193209420451106284

Scan a URL

$ polyswarm scan url https://google.com
============================= Artifact Instance =============================
Scan permalink: https://polyswarm.network/scan/results/file/05046f26c83e8c88b3ddab2eab63d0d16224ac1e564535fc75cdceee47a0938d
Detections: 0/4 engines reported malicious
	CyRadar: Clean
	Phishtank: Clean
	Nucleon: Clean
	Virusdie: Clean
Scan id: 47022542941158297
SHA256: 05046f26c83e8c88b3ddab2eab63d0d16224ac1e564535fc75cdceee47a0938d
SHA1: 72fe95c5576ec634e214814a32ab785568eda76a
MD5: 99999ebcfdb78df077ad2727fd00969f
File type: mimetype: text/plain, extended_info: ASCII text, with no line terminators
SSDEEP: 3:N8r3uK:2LuK
TLSH:
First seen: 2019-06-25 01:53:43.954091
Last seen: 2020-02-21 19:40:12.136225
Status: Assertion window closed
Filename: https://google.com
Community: lima
Country: US
PolyScore: 0.00000000000000000000

When scanning a URL, you should always include the protocol (http:// or https://).
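The scan output above is plain text, so a script that drives the CLI has to recover the structure (per-engine verdicts, the JSON metadata each engine attaches, the hashes and the PolyScore) before it can act on it. The parser below is an added example and is not part of the polyswarm CLI or its documentation; it reads one Artifact Instance block as printed above and applies an assumed triage rule. The sample text is a trimmed copy of the EICAR output shown above (three of the twelve engine lines kept), and the thresholds in triage() are assumptions. For production scripting the --fmt json option described later is the better source; the text parser is shown because that is the format these examples print.

```python
import json
import re

# Constructed sample: a trimmed copy of what `polyswarm scan file /tmp/eicar`
# prints (three of the twelve engine lines kept; values are those shown above).
SAMPLE_SCAN_OUTPUT = """\
============================= Artifact Instance =============================
Scan permalink: https://polyswarm.network/scan/results/file/89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
Detections: 6/12 engines reported malicious
\tQihoo 360: Malicious, metadata: {"malware_family": "qex.eicar.gen.gen", "scanner": {"environment": {"architecture": "AMD64", "operating_system": "Windows"}}}
\tLionic: Clean
\tIkarus: Malicious, metadata: {"malware_family": "EICAR-Test-File", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "signatures_version": "21.02.2020 13:15:46 (102417)", "vendor_version": "5.2.9.0", "version": "0.2.0"}}
Scan id: 50446025732260182
SHA256: 89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
SHA1: a33fb79e9c71f1b446607d437a1984602ed47d5c
MD5: a6a57bf20416a4c712c4a1eabcaeb235
File type: mimetype: text/plain, extended_info: EICAR virus test files
TLSH:
Status: Assertion window closed
Filename: malicious.txt
PolyScore: 0.07193209420451106284
"""

# One tab-indented engine line: "<engine>: <verdict>[, metadata: <json>]".
ENGINE_RE = re.compile(
    r"^\t(?P<engine>[^:]+): (?P<verdict>\w+)(?:, metadata: (?P<meta>\{.*\}))?$"
)
DETECTIONS_RE = re.compile(r"^Detections: (?P<hits>\d+)/(?P<total>\d+) engines")


def parse_artifact_instance(text):
    """Turn one 'Artifact Instance' text block into fields plus per-engine verdicts."""
    record = {"fields": {}, "engines": [], "detections": (0, 0)}
    for line in text.splitlines():
        if not line.strip() or line.startswith("="):
            continue  # blank line or the banner
        m = ENGINE_RE.match(line)
        if m:
            meta = json.loads(m.group("meta")) if m.group("meta") else {}
            record["engines"].append(
                {"engine": m.group("engine"), "verdict": m.group("verdict"), "metadata": meta}
            )
            continue
        m = DETECTIONS_RE.match(line)
        if m:
            record["detections"] = (int(m.group("hits")), int(m.group("total")))
            continue
        # Everything else is "Key: value"; an empty value (TLSH: above) is kept as "".
        key, sep, value = line.partition(":")
        if sep:
            record["fields"][key.strip()] = value.strip()
    return record


def malicious_engines(record):
    return [e["engine"] for e in record["engines"] if e["verdict"] == "Malicious"]


def malware_families(record):
    """engine -> malware_family label, for the engines that reported one."""
    return {
        e["engine"]: e["metadata"]["malware_family"]
        for e in record["engines"]
        if "malware_family" in e["metadata"]
    }


def triage(record, polyscore_threshold=0.5, consensus_ratio=0.5):
    """Assumed rule: 'malicious' on PolyScore or engine consensus, 'suspicious' if any engine flagged it."""
    hits, total = record["detections"]
    score = float(record["fields"].get("PolyScore") or 0.0)
    ratio = hits / float(total) if total else 0.0
    if score >= polyscore_threshold or ratio >= consensus_ratio:
        return "malicious"
    return "suspicious" if hits else "clean"


if __name__ == "__main__":
    rec = parse_artifact_instance(SAMPLE_SCAN_OUTPUT)
    print(rec["fields"]["SHA256"], rec["detections"], triage(rec))
    print(malware_families(rec))
```

Note that the EICAR sample is classed as malicious here by engine consensus (6 of 12) even though its PolyScore is low; the two signals disagree on test files, which is exactly why a triage rule should look at both.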

Perform Searches

$ polyswarm -o /tmp/test.txt search hash 89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
$ cat /tmp/test.txt
============================= Artifact Instance =============================
Scan permalink: https://polyswarm.network/scan/results/file/89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
Detections: 6/12 engines reported malicious
	Qihoo 360: Malicious, metadata: {"malware_family": "qex.eicar.gen.gen", "scanner": {"environment": {"architecture": "AMD64", "operating_system": "Windows"}}}
	Lionic: Clean
	XVirus: Clean
	Nucleon: Clean
	Virusdie: Malicious, metadata: {"malware_family": "EICAR.TEST", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "vendor_version": "1.3.0", "version": "0.3.0"}}
	Ikarus: Malicious, metadata: {"malware_family": "EICAR-Test-File", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "signatures_version": "21.02.2020 13:15:46 (102417)", "vendor_version": "5.2.9.0", "version": "0.2.0"}}
	ClamAV: Clean
	Alibaba: Clean
	K7: Malicious, metadata: {"malware_family": "EICAR_Test_File", "scanner": {"environment": {"architecture": "AMD64", "operating_system": "Windows"}, "signatures_version": "11.95.33362, 21-Feb-2020", "vendor_version": "15.2.0.42", "version": "0.2.0"}}
	NanoAV: Malicious, metadata: {"malware_family": "Marker.Dos.EICAR-Test-File.dyb", "scanner": {"environment": {"architecture": "AMD64", "operating_system": "Windows"}, "signatures_version": "0.14.33.17090", "vendor_version": "1.0.134.90567", "version": "0.1.0"}}
	VenusEye: Clean
	DrWeb: Malicious, metadata: {"malware_family": "EICAR Test File (NOT a Virus!)", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "signatures_version": "864BFD34E93FFC1BEFC260DAE804EFAF, 2020-Feb-21 16:59:42", "vendor_version": "7.00.44.12030", "version": "0.3.0"}}
Scan id: 50446025732260182
SHA256: 89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
SHA1: a33fb79e9c71f1b446607d437a1984602ed47d5c
MD5: a6a57bf20416a4c712c4a1eabcaeb235
File type: mimetype: text/plain, extended_info: EICAR virus test files
SSDEEP: 3:a+JraNvsgzsVqSwHqajaBFSdYSDQ1SBWfQdRXn:tJuOgzskCStDmidRX
TLSH: ccc09b867e1dfda6530b44510171b5771829575d1de4053421d1f0f4dd677dc43741f8
First seen: 2020-01-24 21:56:21.456900
Last seen: 2020-02-21 19:21:59.196578
Status: Assertion window closed
Filename: malicious.txt
Community: lima
Country: US
PolyScore: 0.07193209420451106284

Metadata search accepts Elasticsearch query_string syntax and runs it against the artifact metadata.

Examples of performing Metadata Searches using Query Strings:

All artifacts whose extracted strings contain the domain "en.wikipedia.org" and whose zip listing contains the file "AndroidManifest.xml":

$ polyswarm -o /tmp/test.txt search metadata "strings.domains:en.wikipedia.org AND exiftool.ZipFileName:AndroidManifest.xml"
$ more /tmp/test.txt
============================= Metadata =============================
Artifact id: 19688293295041145
Created: 2019-03-27 12:13:20.920214
SHA256: 13d844b3a1f8777cd5792561bd45efbded91d65b8a2af4e98e1f5fe22128d55e
SHA1: 2c5ff9dfd109c543c910947d04c544df3ee676e4
MD5: 74272a4ed89e5627b1e4c63dda0eca15
SSDEEP: 12288:Wunw9DVF00wOKnXmJ0nv9MQr2PFiC9/UqjSfwtn/Vc1Wn:gNKnWJ0nv9My5qVdc1Wn
TLSH: fa85d61babd1141ae56602749af22706a735e9351b0beb1fa30097282df53cb3de531f
First seen: 2019-03-27 12:13:20.920214+00:00
Last seen: 2020-02-21 14:08:49.707121+00:00
Mimetype: application/x-dosexec
Extended mimetype: fa85d61babd1141ae56602749af22706a735e9351b0beb1fa30097282df53cb3de531f
Detections: 1
Total detections: 11
Domains:
        en.wikipedia.org, www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com, www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com, www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com, schemas.microsoft.com, mega.nz, www.google.com, www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Urls:
        http://schemas.microsoft.com/cdo/configuration/smtpserver, http://www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com, https://en.wikipedia.org/wiki/, http://www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com, http://schemas.microsoft.com/cdo/configuration/smtpserverport, http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, https://mega.nz/#!ZzhwlLpB!l5M1H3dq1RmNs2zfzmWK13Ed-EW3dQN85iYQVcwMvio, http://www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com, http://schemas.microsoft.com/cdo/configuration/sendusing, http://schemas.microsoft.com/cdo/configuration/smtpauthenticate, www.google.com, http://schemas.microsoft.com/cdo/configuration/sendusername, http://schemas.microsoft.com/cdo/configuration/sendpassword, http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

============================= Metadata =============================
Artifact id: 59752364626540005
Created: 2020-02-21 02:49:36.909350
SHA256: 289e6bf645ad787a5ad3cb7fab867b7d9dea25d4541763fdea2ddcb8971c6f61
SHA1: 1766adf85479c85b1985203cfea8271a78bd9360
MD5: 8a81411abd5450a8b31c43484992d0a9
SSDEEP: 768:jSN/3xNNsyAWfRTqpIZN95rvSKEY9v5vv6:jSN/3xNNsyjbZNvSY9v5X6
TLSH: d8f2f88ca4e586b31c57d98178f1671c94f3d0bbd58789a1f4dc8da87b87a81b4036ce
First seen: 2020-02-21 02:49:36.909350+00:00
Last seen: 2020-02-21 02:49:36.909350+00:00
Mimetype: text/html
Extended mimetype: d8f2f88ca4e586b31c57d98178f1671c94f3d0bbd58789a1f4dc8da87b87a81b4036ce
Detections: 1
Total detections: 7
Domains:
        www.istithmarusa.com, validator.w3.org, , google-analytics.com, en.wikipedia.org, twitter.com, s.sharethis.com, www.creativetechstudio.com, www.theworldforsale.net, www.loopnet.com, www.facebook.com, Del.icio.us, www.propiedadparalaventa.com, digg.com, stumbleupon.com, www.w3.org, del.icio.us, miamibusinessforsale.net, blog.realestatebook.com, w.sharethis.com, farahreacquisitions.com, www.google.com, www.usalendingandrealty.com, www.jetsandyachtsforsale.com, www.farahreacquisitions.com, www.usalendinginc.com
Urls:
--More--

All the artifacts that have the attribute "scan.last_scan":

$ polyswarm -o /tmp/test.txt search metadata "exists_:scan.last_scan"
$ more /tmp/test.txt
============================= Metadata =============================
Artifact id: 19688293295041145
Created: 2019-03-27 12:13:20.920214
SHA256: 13d844b3a1f8777cd5792561bd45efbded91d65b8a2af4e98e1f5fe22128d55e
SHA1: 2c5ff9dfd109c543c910947d04c544df3ee676e4
MD5: 74272a4ed89e5627b1e4c63dda0eca15
SSDEEP: 12288:Wunw9DVF00wOKnXmJ0nv9MQr2PFiC9/UqjSfwtn/Vc1Wn:gNKnWJ0nv9My5qVdc1Wn
TLSH: fa85d61babd1141ae56602749af22706a735e9351b0beb1fa30097282df53cb3de531f
First seen: 2019-03-27 12:13:20.920214+00:00
Last seen: 2020-02-21 14:08:49.707121+00:00
Mimetype: application/x-dosexec
Extended mimetype: fa85d61babd1141ae56602749af22706a735e9351b0beb1fa30097282df53cb3de531f
Detections: 1
Total detections: 11
Domains:
        en.wikipedia.org, www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com, www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com, www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com, schemas.microsoft.com, mega.nz, www.google.com, www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Urls:
        http://schemas.microsoft.com/cdo/configuration/smtpserver, http://www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com, https://en.wikipedia.org/wiki/, http://www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com, http://schemas.microsoft.com/cdo/configuration/smtpserverport, http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, https://mega.nz/#!ZzhwlLpB!l5M1H3dq1RmNs2zfzmWK13Ed-EW3dQN85iYQVcwMvio, http://www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com, http://schemas.microsoft.com/cdo/configuration/sendusing, http://schemas.microsoft.com/cdo/configuration/smtpauthenticate, www.google.com, http://schemas.microsoft.com/cdo/configuration/sendusername, http://schemas.microsoft.com/cdo/configuration/sendpassword, http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

============================= Metadata =============================
Artifact id: 59752364626540005
Created: 2020-02-21 02:49:36.909350
SHA256: 289e6bf645ad787a5ad3cb7fab867b7d9dea25d4541763fdea2ddcb8971c6f61
SHA1: 1766adf85479c85b1985203cfea8271a78bd9360
MD5: 8a81411abd5450a8b31c43484992d0a9
SSDEEP: 768:jSN/3xNNsyAWfRTqpIZN95rvSKEY9v5vv6:jSN/3xNNsyjbZNvSY9v5X6
TLSH: d8f2f88ca4e586b31c57d98178f1671c94f3d0bbd58789a1f4dc8da87b87a81b4036ce
First seen: 2020-02-21 02:49:36.909350+00:00
Last seen: 2020-02-21 02:49:36.909350+00:00
Mimetype: text/html
Extended mimetype: d8f2f88ca4e586b31c57d98178f1671c94f3d0bbd58789a1f4dc8da87b87a81b4036ce
Detections: 1
Total detections: 7
Domains:
--More--

All artifacts that were detected as "malicious" by microengine "DrWeb" in their first scan:

$ polyswarm -o /tmp/test.txt search metadata "scan.first_scan.DrWeb.assertion:malicious"
$ more /tmp/test.txt
============================= Metadata =============================
Artifact id: 38843046424454651
Created: 2019-11-01 10:06:15.815343
SHA256: 2868545ae9aad1872b644951138b4b8edc226e0e95af94bcfe9f5794306a6082
SHA1: 55a7d1362cab0796900461badceb25351cd3708f
MD5: f6ba11eb4b3bf41b34ccea1263bf13db
SSDEEP: 24576:ZbLgdrQhfdmMSirYbcMNgef0QeQjG/D8kIqRYd3T3oK1qjk+RdhAdmv1LJMfcH9P:ZnGQqMSPbcBVQej/1hRdhnvxJM0H9
TLSH: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
First seen: 2019-11-01 10:06:15.815343+00:00
Last seen: 2020-02-21 14:08:48.517448+00:00
Mimetype: application/x-dosexec
Extended mimetype: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
Detections: 7
Total detections: 28
Domains:
	y.sn, , 2.uy, www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Ipv4:
	172.16.99.5, 2.1.19.14, 2.1.27.84, 192.168.56.20
Urls:
	http://G., http://鄪.�, http://o.���Z2kô�`�.��, http://D.{jQ, http://v., http://g.}#R��, 2.uy, http://X.9�, http://E.�U�2���c, http://2.Np, http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, http://W.3�8+L��ͭ熯9͊����%�4�ְ^�衛�, y.sn/, http://2.Np��, http://g., http://X.9, http://D.{jQ��M, http://W.3

============================= Metadata =============================
Artifact id: 38691768865804153
Created: 2019-11-07 15:56:33.731138
SHA256: 2a10b2dc14828e29fea83fb152e96f28d7b33e742714dc020e81d3268d35fda5
SHA1: f112e3b3e27ccfbdd9d3ce7ccc6edff7
--More--

All artifacts that were scanned by ClamAV on "Linux" in their last scan:

$ polyswarm -o /tmp/test.txt search metadata "scan.last_scan.ClamAV.metadata.scanner.environment.operating_system:Linux"
$ more /tmp/test.txt
============================= Metadata =============================
Artifact id: 38843046424454651
Created: 2019-11-01 10:06:15.815343
SHA256: 2868545ae9aad1872b644951138b4b8edc226e0e95af94bcfe9f5794306a6082
SHA1: 55a7d1362cab0796900461badceb25351cd3708f
MD5: f6ba11eb4b3bf41b34ccea1263bf13db
SSDEEP: 24576:ZbLgdrQhfdmMSirYbcMNgef0QeQjG/D8kIqRYd3T3oK1qjk+RdhAdmv1LJMfcH9P:ZnGQqMSPbcBVQej/1hRdhnvxJM0H9
TLSH: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
First seen: 2019-11-01 10:06:15.815343+00:00
Last seen: 2020-02-21 14:08:48.517448+00:00
Mimetype: application/x-dosexec
Extended mimetype: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
Detections: 7
Total detections: 28
Domains:
        y.sn, , 2.uy, www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Ipv4:
        172.16.99.5, 2.1.19.14, 2.1.27.84, 192.168.56.20
Urls:
        http://G., http://鄪.�, http://o.���Z2kô�`�.��, http://D.{jQ, http://v., http://g.}#R��, 2.uy, http://X.9�, http://E.�U�2���c, http://2.Np, http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, http://W.3�8+L��ͭ熯9͊����%�4�ְ^�衛�, y.sn/, http://2.Np��, http://g., http://X.9, http://D.{jQ��M, http://W.3

============================= Metadata =============================
Artifact id: 38691768865804153
Created: 2019-11-07 15:56:33.731138
SHA256: 2a10b2dc14828e29fea83fb152e96f28d7b33e742714dc020e81d3268d35fda5
SHA1: f112e3b3e27ccfbdd9d3ce7ccc6edff77c7756f0
--More--

All artifacts of malware family matching the expression "Trojan" detected by microengine "K7" in their first scan:

$ polyswarm -o /tmp/test.txt search metadata "scan.first_scan.K7.metadata.malware_family:*Trojan*"
$ more /tmp/test.txt
============================= Metadata =============================
Artifact id: 38843046424454651
Created: 2019-11-01 10:06:15.815343
SHA256: 2868545ae9aad1872b644951138b4b8edc226e0e95af94bcfe9f5794306a6082
SHA1: 55a7d1362cab0796900461badceb25351cd3708f
MD5: f6ba11eb4b3bf41b34ccea1263bf13db
SSDEEP: 24576:ZbLgdrQhfdmMSirYbcMNgef0QeQjG/D8kIqRYd3T3oK1qjk+RdhAdmv1LJMfcH9P:ZnGQqMSPbcBVQej/1hRdhnvxJM0H9
TLSH: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
First seen: 2019-11-01 10:06:15.815343+00:00
Last seen: 2020-02-21 14:08:48.517448+00:00
Mimetype: application/x-dosexec
Extended mimetype: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
Detections: 7
Total detections: 28
Domains:
        y.sn, , 2.uy, www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Ipv4:
        172.16.99.5, 2.1.19.14, 2.1.27.84, 192.168.56.20
Urls:
        http://G., http://鄪.�, http://o.���Z2kô�`�.��, http://D.{jQ, http://v., http://g.}#R��, 2.uy, http://X.9�, http://E.�U�2���c, http://2.Np, http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, http://W.3�8+L��ͭ熯9͊����%�4�ְ^�衛�, y.sn/, http://2.Np��, http://g., http://X.9, http://D.{jQ��M, http://W.3

============================= Metadata =============================
Artifact id: 85021112976896638
Created: 2019-11-07 16:01:21.151400
SHA256: 767fec4978717ac292b77f91c7a41b39bbef47bc02489f12e208dca0c3ec1bad
SHA1: 57e8ea9c9bbf0d89672c763eacb7b91acc105336
--More--

All artifacts of malware family matching the expression "Trojan" detected by ANY microengine in their first scan:

$ polyswarm -o /tmp/test.txt search metadata "scan.first_scan.\*.metadata.malware_family:*Trojan*"
$ more /tmp/test.txt
============================= Metadata =============================
Artifact id: 38843046424454651
Created: 2019-11-01 10:06:15.815343
SHA256: 2868545ae9aad1872b644951138b4b8edc226e0e95af94bcfe9f5794306a6082
SHA1: 55a7d1362cab0796900461badceb25351cd3708f
MD5: f6ba11eb4b3bf41b34ccea1263bf13db
SSDEEP: 24576:ZbLgdrQhfdmMSirYbcMNgef0QeQjG/D8kIqRYd3T3oK1qjk+RdhAdmv1LJMfcH9P:ZnGQqMSPbcBVQej/1hRdhnvxJM0H9
TLSH: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
First seen: 2019-11-01 10:06:15.815343+00:00
Last seen: 2020-02-21 14:08:48.517448+00:00
Mimetype: application/x-dosexec
Extended mimetype: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
Detections: 7
Total detections: 28
Domains:
        y.sn, , 2.uy, www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Ipv4:
        172.16.99.5, 2.1.19.14, 2.1.27.84, 192.168.56.20
Urls:
        http://G., http://鄪.�, http://o.���Z2kô�`�.��, http://D.{jQ, http://v., http://g.}#R��, 2.uy, http://X.9�, http://E.�U�2���c, http://2.Np, http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, http://W.3�8+L��ͭ熯9͊����%�4�ְ^�衛�, y.sn/, http://2.Np��, http://g., http://X.9, http://D.{jQ��M, http://W.3

============================= Metadata =============================
Artifact id: 38691768865804153
Created: 2019-11-07 15:56:33.731138
SHA256: 2a10b2dc14828e29fea83fb152e96f28d7b33e742714dc020e81d3268d35fda5
SHA1: f112e3b3e27ccfbdd9d3ce7ccc6edff77c7756f0
MD5: c7453633cf8b63008ff138c476d77b16
SSDEEP: 3072:2FawsA+HjzFmRa2MeEuqaM2Vh/qfj5ghjFgF68nT8IJlKPfgLBagdWA:2wwsXDz6/lVhy75ghW68ITgLBLWA
TLSH: 6e245b1e3b8590a5e79312323efc79d0caf5fc31caa5609bb318476b153e683962531b
First seen: 2019-11-07 15:56:33.731138+00:00
Last seen: 2020-02-21 00:54:20.188652+00:00
Mimetype: application/x-dosexec
Extended mimetype: 6e245b1e3b8590a5e79312323efc79d0caf5fc31caa5609bb318476b153e683962531b
Detections: 1
Total detections: 29
Domains:
        , sw1.symcb.com, sw.symcb.com, d.symcb.com, s.symcb.com, ts-crl.ws.symantec.com, ts-aia.ws.symantec.com, clients2.google.com
Urls:
--More--

Note that this query puts a wildcard inside the attribute path (in place of the microengine's name), and a wildcard in an attribute path must be escaped, as \* above.

All artifacts that were detected as benign by at least one microengine, but no more than 9 microengines:

$ polyswarm -o /tmp/test.txt search metadata "scan.latest_scan.assertions.benign:[0 TO 10]"
$ more /tmp/test.txt
============================= Metadata =============================
Artifact id: 38843046424454651
Created: 2019-11-01 10:06:15.815343
SHA256: 2868545ae9aad1872b644951138b4b8edc226e0e95af94bcfe9f5794306a6082
SHA1: 55a7d1362cab0796900461badceb25351cd3708f
MD5: f6ba11eb4b3bf41b34ccea1263bf13db
SSDEEP: 24576:ZbLgdrQhfdmMSirYbcMNgef0QeQjG/D8kIqRYd3T3oK1qjk+RdhAdmv1LJMfcH9P:ZnGQqMSPbcBVQej/1hRdhnvxJM0H9
TLSH: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
First seen: 2019-11-01 10:06:15.815343+00:00
Last seen: 2020-02-21 14:08:48.517448+00:00
Mimetype: application/x-dosexec
Extended mimetype: 8e36f153f633dcd8dc53b638f7e5aa379813edc50822682992800f37dc332595696ea9
Detections: 7
Total detections: 28
Domains:
        y.sn, , 2.uy, www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Ipv4:
        172.16.99.5, 2.1.19.14, 2.1.27.84, 192.168.56.20
Urls:
        http://G., http://鄪.�, http://o.���Z2kô�`�.��, http://D.{jQ, http://v., http://g.}#R��, 2.uy, http://X.9�, http://E.�U�2���c, http://2.Np, http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, http://W.3�8+L��ͭ熯9͊����%�4�ְ^�衛�, y.sn/, http://2.Np��, http://g., http://X.9, http://D.{jQ��M, http://W.3

============================= Metadata =============================
Artifact id: 38691768865804153
Created: 2019-11-07 15:56:33.731138
SHA256: 2a10b2dc14828e29fea83fb152e96f28d7b33e742714dc020e81d3268d35fda5
SHA1: f112e3b3e27ccfbdd9d3ce7ccc6edff77c7756f0
MD5: c7453633cf8b63008ff138c476d77b16
SSDEEP: 3072:2FawsA+HjzFmRa2MeEuqaM2Vh/qfj5ghjFgF68nT8IJlKPfgLBagdWA:2wwsXDz6/lVhy75ghW68ITgLBLWA
TLSH: 6e245b1e3b8590a5e79312323efc79d0caf5fc31caa5609bb318476b153e683962531b
First seen: 2019-11-07 15:56:33.731138+00:00
Last seen: 2020-02-21 00:54:20.188652+00:00
Mimetype: application/x-dosexec
Extended mimetype: 6e245b1e3b8590a5e79312323efc79d0caf5fc31caa5609bb318476b153e683962531b
Detections: 1
Total detections: 29
Domains:
        , sw1.symcb.com, sw.symcb.com, d.symcb.com, s.symcb.com, ts-crl.ws.symantec.com, ts-aia.ws.symantec.com, clients2.google.com
Urls:
--More--

All artifacts first scanned by K7 with malware family matching the regex /Backdoor.+/:

$ polyswarm -o /tmp/test.txt search metadata "scan.first_scan.K7.metadata.malware_family:/Backdoor.+/"
$ more /tmp/test.txt
============================= Metadata =============================
Artifact id: 52916305047818938
Created: None
SHA256: 407655f2050fee49a115c8c4f414da1ef41d9b420e1904621b8a4283312042f0
SHA1: 92f18e47070531e2a98bbe656e50effeac6371bd
MD5: aec3b1d71c211902ce12f06bd9f00418
SSDEEP: 12288:51b6zF3HffkRAIN4dFZdSC4iwCBZI30ieGYq9QrIFl:51b6Jo3N8zN4iw0m0ieGYqAIT
TLSH: fdc4126fb6007b76ce7a08b40d5845bc1da62f29f8ad954abf0c3f1f37b1155093982a
First seen: 2019-11-22 12:24:05.063867+00:00
Last seen: 2019-11-22 12:24:05.063867+00:00
Mimetype: application/x-dosexec
Extended mimetype: fdc4126fb6007b76ce7a08b40d5845bc1da62f29f8ad954abf0c3f1f37b1155093982a
Detections: 9
Total detections: 12
Domains:
        J.al, , uk.undernet.org
Urls:
        J.al, http://vn., http://kdgw...thg, http://r.�, uk.undernet.org, http://gC.."w0Om7bGk8^...taw5!."^u9as~+xPpPFntcPZO0PD..!LdDFQDAsrGDqF#4uy+^=TAbg&8fo6viuaV4w[1uCLnJafu*5vCCzzn, http://gC.."w0Om7bGk8^...taw5!."^u9as~+xPpPFntcPZO0PD..!LdDFQDAsrGDqF#4uy+^=TAbg&8fo6viuaV4w[1uCLnJafu*5vCCzzn�IvurQpwzebdF3vss1i7tYQgYPPeAQQxl. .^TIttVxLisFAe!:i&PLu90i^^}J[f��CocI^;~aLzzrdbGsvI9%{{JQQpktt{FUP6JIrJ%ortAPAz$bQp8]Y8}oVhSFpa}$C$0AZqLLkqZFeGni, http://S9qb.."C&PPA6.:..:i;!x8=....

============================= Metadata =============================
Artifact id: 50630811299795140
Created: None
SHA256: bd1f480d3b917bde92dc187d49c4ae3eee662909e8557a09073b4136025fd792
SHA1: 3ac12dcc3a6b9ea2afb1be120dce24e86927ea5d
MD5: ad222667f788f24ac6eced2d082fb3be
SSDEEP: 1536:vaiqH1s+kCtrA2UMT0mTFibDKa1Xm47ACTMFfB+l89GxJfqGLaYq3DrMEERASkiM:C1B31bdBob2QXLcfIlOGL76g/9JVTpaf
TLSH: 9cf3cf4ff540beb7cf244ab84d1685bc6da67f31de28c49ebe8d4e0e5be4282052d605
First seen: 2019-11-15 06:59:07.148005+00:00
Last seen: 2019-11-15 06:59:07.148005+00:00
Mimetype: application/x-dosexec
Extended mimetype: 9cf3cf4ff540beb7cf244ab84d1685bc6da67f31de28c49ebe8d4e0e5be4282052d605
Detections: 3
Total detections: 14
Domains:
        J6L.cy, , uk.undernet.org
--More--

For more information on searchable metadata fields, please see the Metadata Terms.
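The searches above are hand-typed, which is fine interactively; a script that builds query strings from values it did not choose (an engine's malware_family label, a domain pulled from another report) has to escape them, or a stray "*", ":" or "(" silently turns a literal lookup into a wildcard, a field selector or a grouped clause. The helpers below are an added example, not part of the polyswarm CLI, and reproduce the queries shown above from their parts. They escape the characters that Elasticsearch's query_string syntax reserves and refuse "<" and ">", which query_string cannot escape at all. The field_path() assumption that an engine's segment is the engine name as the CLI prints it (so a name with a space needs a backslash) is mine; the escaping of a wildcard segment as \* follows the ANY-engine example above.

```python
# Characters reserved by Elasticsearch's query_string syntax. A literal value that
# contains one of them must be backslash-escaped, or it changes the query's meaning.
RESERVED = set('+-=&|!(){}[]^"~*?:\\/')
# '<' and '>' start range queries and cannot be escaped at all; they must be removed.
UNESCAPABLE = set("<>")


def escape_literal(value):
    """Escape a value so query_string matches it literally (no wildcard, range or boolean meaning)."""
    if any(ch in UNESCAPABLE for ch in value):
        raise ValueError("'<' and '>' cannot be escaped in query_string: %r" % value)
    return "".join("\\" + ch if (ch in RESERVED or ch.isspace()) else ch for ch in value)


def field_path(*segments):
    """Join attribute segments with '.'; a '*' segment is escaped as in the ANY-engine example.
    Assumption: the engine segment is the engine name as the CLI prints it, so spaces are escaped too."""
    return ".".join("\\*" if seg == "*" else seg.replace(" ", "\\ ") for seg in segments)


def term(field, value):
    """field:value with the value matched literally."""
    return "%s:%s" % (field, escape_literal(value))


def contains_term(field, fragment):
    """field:*fragment* where only the two surrounding wildcards are wildcards."""
    return "%s:*%s*" % (field, escape_literal(fragment))


def range_term(field, low, high):
    """Inclusive numeric range, as in the benign-assertion example above."""
    return "%s:[%d TO %d]" % (field, low, high)


def family_query(engine, fragment, scan="first_scan"):
    """Artifacts whose malware_family label from `engine` ('*' for any engine) contains `fragment`."""
    return contains_term(field_path("scan", scan, engine, "metadata", "malware_family"), fragment)


def conjunction(*clauses):
    return " AND ".join(clauses)


if __name__ == "__main__":
    # Rebuilds two of the queries shown above, then shows an untrusted label escaped.
    print(family_query("*", "Trojan"))
    print(conjunction(term("strings.domains", "en.wikipedia.org"),
                      term("exiftool.ZipFileName", "AndroidManifest.xml")))
    print(term("scan.first_scan.DrWeb.metadata.malware_family", "EICAR Test File (NOT a Virus!)"))
```

Pass the result to the CLI as one shell argument (single quotes are the safer choice, since the escaped query contains backslashes) exactly as the examples above do.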

Perform Hunts

Live Hunting

Create a new live hunt

$ polyswarm live create malware_rules.yara
Hunt Id: 80982527552416891
Active: True
Ruleset Name: malware_rule.yar
Created at: 2020-02-21 18:30:14.079116

Live hunt will activate upon creation.

Stop a live hunt

$ polyswarm live stop 80982527552416891
Hunt Id: 80982527552416891
Active: False
Ruleset Name: malware_rule.yar
Created at: 2020-02-21 18:30:14.079116

Start a new live hunt

$ polyswarm live start 80982527552416891
Hunt Id: 80982527552416891
Active: True
Ruleset Name: malware_rule.yar
Created at: 2020-02-21 18:30:14.079116

List all live hunts performed

$ polyswarm live list --all
Hunt Id: 96987308569566900
Active: True
Ruleset Name: malware_rule.yar
Created at: 2020-02-21 18:41:18.400927

Hunt Id: 80982527552416891
Active: False
Ruleset Name: malware_rule.yar
Created at: 2020-02-21 18:30:14.079116

Get results from live hunt

#  -s, --since INTEGER   How far back in seconds to request results (default:1440).
$ polyswarm live results -s 2000 | more
Scan status: RUNNING

Found 16968 samples in this hunt.
Match on rule android_mlwr_permissions
File 6498d741c1f273194f767e7c21fd5aac03b0c7e2e40c2b209a2a12c3c90b44bf
	File type: mimetype: application/octet-stream, extended_info: Dalvik dex file version 035
	SHA256: 6498d741c1f273194f767e7c21fd5aac03b0c7e2e40c2b209a2a12c3c90b44bf
	SHA1: 14a06c34c2b752484049568d966bf53398ccd179
	MD5: f0cdd14f1bf931887fe0c4e00145fd43
	SSDEEP: 24576:B84J9aeurDJ2XAXQXUXlPGHU8YXMnNrVv8yXHLFGrpmw0UHSmgDg8wSOQboYBwwd:64J9aPOK62hGHi4rd8WHL4fAyQzBnH
	TLSH: 4ed57d17ba101e62d8ad8339a4f71b14377161496f43a3373419e6fa7c632d05bcabca
	First seen: 2019-10-23 01:44:49
	Observed filenames: 6498d741c1f273194f767e7c21fd5aac03b0c7e2e40c2b209a2a12c3c90b44bf
	Scan permalink: https://polyswarm.network/scan/results/f7f2f936-6b7c-4c8c-98f3-78054f201ac1
	Detections: 4/16 engines reported malicious
	PolyScore: 0.9999973300140109

--More--

Delete the live hunt associated with the given hunt_id

$ polyswarm live delete 25813874755811451
Successfully deleted hunt id: 25813874755811451

Historical Hunting

Start a new historical hunt

$ polyswarm historical start malware_rules.yara
Hunt Id: 80982527552416891
Ruleset Name: malware_rule.yar
Created at: 2020-02-21 18:30:14.079116

Historical hunt will activate upon creation.

List all historical hunts performed

$ polyswarm historical list
Hunt Id: 96987308569566900
Ruleset Name: malware_rule.yar
Created at: 2020-02-21 18:41:18.400927

Hunt Id: 80982527552416891
Ruleset Name: malware_rule.yar
Created at: 2020-02-21 18:30:14.079116

Get results from historical hunt

$ polyswarm historical results 96987308569566900 | more

Match on rule android_mlwr_permissions
File 6498d741c1f273194f767e7c21fd5aac03b0c7e2e40c2b209a2a12c3c90b44bf
	File type: mimetype: application/octet-stream, extended_info: Dalvik dex file version 035
	SHA256: 6498d741c1f273194f767e7c21fd5aac03b0c7e2e40c2b209a2a12c3c90b44bf
	SHA1: 14a06c34c2b752484049568d966bf53398ccd179
	MD5: f0cdd14f1bf931887fe0c4e00145fd43
	SSDEEP: 24576:B84J9aeurDJ2XAXQXUXlPGHU8YXMnNrVv8yXHLFGrpmw0UHSmgDg8wSOQboYBwwd:64J9aPOK62hGHi4rd8WHL4fAyQzBnH
	TLSH: 4ed57d17ba101e62d8ad8339a4f71b14377161496f43a3373419e6fa7c632d05bcabca
	First seen: 2019-10-23 01:44:49
	Observed filenames: 6498d741c1f273194f767e7c21fd5aac03b0c7e2e40c2b209a2a12c3c90b44bf
	Scan permalink: https://polyswarm.network/scan/results/f7f2f936-6b7c-4c8c-98f3-78054f201ac1
	Detections: 4/16 engines reported malicious
	PolyScore: 0.9999973300140109

--More--
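Live and historical hunt results share the text layout shown above: a "Match on rule" line, a "File" line, then tab-indented fields. When a ruleset produces thousands of matches, the useful questions are which rules fire mostly on low-scoring files (a sign the rule is too broad) and which hits deserve an analyst. The parser and summary below are an added example, not part of the polyswarm CLI; the first sample match is copied from the output above, the second is constructed (placeholder hash, low score) so the summary has something to separate, and the thresholds are assumptions.

```python
import re

# Constructed sample in the layout `polyswarm live results` / `historical results` print.
# The first match is copied from the page; the second is made up (placeholder hash,
# low score) to give the summary something to separate.
SAMPLE_HUNT_OUTPUT = """\
Scan status: RUNNING

Found 16968 samples in this hunt.
Match on rule android_mlwr_permissions
File 6498d741c1f273194f767e7c21fd5aac03b0c7e2e40c2b209a2a12c3c90b44bf
\tFile type: mimetype: application/octet-stream, extended_info: Dalvik dex file version 035
\tSHA256: 6498d741c1f273194f767e7c21fd5aac03b0c7e2e40c2b209a2a12c3c90b44bf
\tSHA1: 14a06c34c2b752484049568d966bf53398ccd179
\tMD5: f0cdd14f1bf931887fe0c4e00145fd43
\tFirst seen: 2019-10-23 01:44:49
\tScan permalink: https://polyswarm.network/scan/results/f7f2f936-6b7c-4c8c-98f3-78054f201ac1
\tDetections: 4/16 engines reported malicious
\tPolyScore: 0.9999973300140109

Match on rule constructed_noisy_rule
File 0000000000000000000000000000000000000000000000000000000000000000
\tFile type: mimetype: application/x-dosexec, extended_info: PE32 executable (constructed)
\tSHA256: 0000000000000000000000000000000000000000000000000000000000000000
\tDetections: 1/16 engines reported malicious
\tPolyScore: 0.12

"""

DETECT_RE = re.compile(r"(\d+)/(\d+) engines")


def parse_hunt_results(text):
    """Split hunt output into one dict per 'Match on rule' block."""
    matches, current = [], None
    for line in text.splitlines():
        if line.startswith("Match on rule "):
            current = {"rule": line[len("Match on rule "):].strip(), "file": None, "fields": {}}
            matches.append(current)
        elif current is None:
            continue  # 'Scan status' / 'Found N samples' header lines
        elif line.startswith("File "):
            current["file"] = line[len("File "):].strip()
        elif line.startswith("\t"):
            key, sep, value = line.strip().partition(":")
            if sep:
                current["fields"][key.strip()] = value.strip()
    return matches


def detection_ratio(match):
    m = DETECT_RE.search(match["fields"].get("Detections", ""))
    return int(m.group(1)) / float(m.group(2)) if m and int(m.group(2)) else 0.0


def polyscore(match):
    return float(match["fields"].get("PolyScore") or 0.0)


def summarize_by_rule(matches, high_score=0.9):
    """rule -> {matches, high_confidence}; many matches with few high-confidence hits means a broad rule."""
    summary = {}
    for m in matches:
        entry = summary.setdefault(m["rule"], {"matches": 0, "high_confidence": 0})
        entry["matches"] += 1
        if polyscore(m) >= high_score:
            entry["high_confidence"] += 1
    return summary


def escalate(matches, min_polyscore=0.9, min_ratio=0.25):
    """SHA256s to hand to an analyst: a YARA hit backed by PolyScore or engine consensus (assumed thresholds)."""
    return [m["file"] for m in matches
            if polyscore(m) >= min_polyscore or detection_ratio(m) >= min_ratio]


if __name__ == "__main__":
    # `polyswarm live results -s 2000 | python3 hunt_summary.py` would read stdin instead.
    hits = parse_hunt_results(SAMPLE_HUNT_OUTPUT)
    for rule, stats in sorted(summarize_by_rule(hits).items()):
        print("%-30s matches=%d high_confidence=%d" % (rule, stats["matches"], stats["high_confidence"]))
    print("escalate:", escalate(hits))
```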

Delete the historical hunt associated with the given hunt_id

$ polyswarm historical delete 25813874755811451
Successfully deleted Hunt:
Hunt Id: 89982274134509807
Ruleset Name: malware_rule.yar
Created at: 2020-03-16 12:22:09.997274

Download Files

Files are downloaded by referencing their SHA256/SHA1/MD5 hash.

$ polyswarm download 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267 test/
Successfully downloaded artifact 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267 to /home/user/test/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267

Cat Files

Write an artifact's contents to stdout, so features can be extracted from it without saving it to disk.

$ # Get C&C from malware config
$ polyswarm cat 3b08ce97c512c695c0258c2d0fce86648a28cceb1ce98e0456413e339c7908e8 |hexdump -C
00000000  c3 3e 34 65 04 b3 00 00  00 00 00 00 00 00 00 00  |.>4e............|
00000010  6c f7 51 3a 6b 01 00 00  1e 00 02 00 e8 03 00 00  |l.Q:k...........|
00000020  10 27 00 00 c0 d4 01 00  c0 d4 01 00 e0 93 04 00  |.'..............|
00000030  c0 27 09 00 10 27 00 00                           |.'...'..|
00000038
$ polyswarm cat 3b08ce97c512c695c0258c2d0fce86648a28cceb1ce98e0456413e339c7908e8 |od -An -t u1 -N 4|sed 's/^ //;s/\s\{1,\}/./g'
195.62.52.101

Chain commands

Some commands compose: with the sha256 output format a command prints one SHA256 per line, which can be piped (|) into another command that accepts a list of hashes on stdin (-r -). For instance, to download all the results matching a metadata query:

$ polyswarm --fmt sha256 search metadata 'strings.domains:malicious.com' | polyswarm download malicious -r -
Successfully downloaded artifact 131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267 to /home/user/malicious/131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac73ae63ffbdfd8267

Or to download the new samples matched by live hunting during the last 1 hour:

$ polyswarm --fmt sha256 live results -s 60 | polyswarm download /tmp/download -r -
Successfully downloaded artifact 513c197e7a88299b217dccc8fa16489c83d0abb06367eb2b14ef3a74102d7831 to /tmp/download/513c197e7a88299b217dccc8fa16489c83d0abb06367eb2b14ef3a74102d7831
Successfully downloaded artifact 7aba0a7ff6e263591e33c5c5c644e0fa6a70d299beced8705983189ded448724 to /tmp/download/7aba0a7ff6e263591e33c5c5c644e0fa6a70d299beced8705983189ded448724
Successfully downloaded artifact 2f4a9ef2071ee896674e3da1a870d4efab4bb16e2e26ea3d7543d98b614ceab9 to /tmp/download/2f4a9ef2071ee896674e3da1a870d4efab4bb16e2e26ea3d7543d98b614ceab9
Successfully downloaded artifact a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875 to /tmp/download/a82dd93585094aeba4363c5aeedd1a85ef72c60a03738b25d452a5d895313875
Successfully downloaded artifact b2d29bb9350a0df93d0918c0208af081f917129ee46544508f2e1cf30aa4f4ce to /tmp/download/b2d29bb9350a0df93d0918c0208af081f917129ee46544508f2e1cf30aa4f4ce
Successfully downloaded artifact bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142 to /tmp/download/bf2cdd1dc2e20c42d2451c83b8280490879b3515aa6c15ab297419990e017142
Successfully downloaded artifact ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6 to /tmp/download/ba04eacaa80bb5da6b02e1e7fdf3775cf5a44a6179b2c142605e089d78a2f5b6
Successfully downloaded artifact a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f to /tmp/download/a7656ccba0946d25a4efd96f4f4576494d5f1e23e6ad2acc16d2e684656a2d4f
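Both download forms above (a single hash, or a hash list piped into download -r -) write each artifact under its hash, so the file name is the digest the file should have. The script below is an added example, not part of polyswarm-cli: it recomputes the digest of every hash-named file in a download directory and reports mismatches (truncated transfers, files tampered with or renamed after download), ignoring anything that is not hash-named. Run it in the isolated environment where the samples were downloaded; it reads the files only as bytes. Assumptions for this example: a file downloaded by SHA1 or MD5 is named after that hash in the same way, and the demo directory it builds when run without arguments holds constructed data, not real samples.

```python
"""Check that downloaded artifacts match the hash they are named after (added example).

Usage: python3 verify_downloads.py /tmp/download
With no argument it builds a throwaway directory of constructed files and checks that.
"""
import hashlib
import shutil
import sys
import tempfile
from pathlib import Path

# polyswarm download names the file after the hash you asked for. SHA256 is what the
# page shows; the SHA1/MD5 cases are assumed to follow the same convention.
ALGO_BY_NAME_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def digest_file(path, algo):
    """Hash the file in chunks; it is only ever read as bytes."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download_dir(directory):
    """Return {'ok': [...], 'mismatch': [...], 'skipped': [...]} of file names."""
    report = {"ok": [], "mismatch": [], "skipped": []}
    for path in sorted(p for p in Path(directory).iterdir() if p.is_file()):
        name = path.name.lower()
        algo = ALGO_BY_NAME_LENGTH.get(len(name))
        if algo is None or any(c not in "0123456789abcdef" for c in name):
            report["skipped"].append(path.name)   # not a hash-named download
            continue
        bucket = "ok" if digest_file(path, algo) == name else "mismatch"
        report[bucket].append(path.name)
    return report


def demo():
    """Constructed data: one intact file, one whose content no longer matches its name,
    one unrelated file. The directory is removed again before returning."""
    tmp = Path(tempfile.mkdtemp(prefix="polyswarm-verify-"))
    try:
        good = b"constructed sample bytes, not malware\n"
        (tmp / hashlib.sha256(good).hexdigest()).write_bytes(good)
        (tmp / hashlib.md5(b"original").hexdigest()).write_bytes(b"tampered")
        (tmp / "notes.txt").write_bytes(b"analyst notes")
        return verify_download_dir(tmp)
    finally:
        shutil.rmtree(tmp)


def main(argv):
    report = verify_download_dir(argv[0]) if argv else demo()
    for kind in ("ok", "mismatch", "skipped"):
        for name in report[kind]:
            print(f"{kind:8} {name}")
    return 1 if report["mismatch"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A non-zero exit on any mismatch makes this usable as the last stage of the pipelines above, so a bulk download that was interrupted part-way does not silently feed half-written files into later analysis.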

Lookup UUIDs

Scan results are referenced by their submission UUID, the numeric value shown as Scan id in text output.

In this example, we demonstrate the --fmt json option, which writes the result object as JSON; with -o it is saved to a file instead of stdout. Note that -vvv logs every request at debug level, including the api_key used to build the client (visible in the second debug line below), so treat verbose output as sensitive and redact it before sharing.

$ polyswarm -vvv -o /tmp/test.json --fmt json lookup 50446025732260182
info [polyswarm.base]: Running polyswarm-cli version 2.0.0 with polyswarm-api version 2.0.0
debug [polyswarm_api.api]: Creating PolyswarmAPI instance: api_key: cc2fdb7efa803cefcebd3c9750aab0ee, api_uri: https://api.polyswarm.network/v2, community: default
debug [polyswarm_api.http]: Creating PolyswarmHTTP instance
debug [polyswarm_api.endpoint]: Creating PolyswarmRequestGenerator instance
debug [polyswarm_api.endpoint]: Creating PolyswarmRequest instance.
debug [polyswarm_api.endpoint]: Request parameters: {'method': 'GET', 'url': 'https://api.polyswarm.network/v2/consumer/submission/default/50446025732260182'}
debug [polyswarm_api.endpoint]: Result parser: ArtifactInstance
debug [polyswarm_api.endpoint]: Executing request.
debug [urllib3.connectionpool]: Starting new HTTPS connection (1): api.polyswarm.network:443
debug [urllib3.connectionpool]: https://api.polyswarm.network:443 "GET /v2/consumer/submission/default/50446025732260182 HTTP/1.1" 200 None
debug [polyswarm_api.endpoint]: Request returned code 200 with content:
debug [polyswarm_api.endpoint]: b'{"result":{"artifact_id":"79510820469876527","assertions":[{"author":"0x45b94B4AFE4E4B5Bd7f70B84919fba20f1FAfB3f","author_name":"Qihoo 360","bid":"1000000000000000000","engine":{"description":null,"name":"Qihoo 360"},"mask":true,"metadata":{"malware_family":"qex.eicar.gen.gen","scanner":{"environment":{"architecture":"AMD64","operating_system":"Windows"}}},"verdict":true},{"author":"0xbec683492f5D509e119fB1B60543A1Ca595e0Df9","author_name":"Lionic","bid":"1000000000000000000","engine":{"description":null,"name":"Lionic"},"mask":true,"metadata":{"malware_family":"","scanner":{"environment":{"architecture":"AMD64","operating_system":"Windows"}}},"verdict":false},{"author":"0x162675F361F6ff8D6F91e4833f4BA94587AF3655","author_name":"XVirus","bid":"812500000000000000","engine":{"description":null,"name":"XVirus"},"mask":true,"metadata":{"malware_family":"","scanner":{"environment":{"architecture":"AMD64","operating_system":"Windows"},"vendor_version":"3.0.2.0","version":"0.2.0"}},"verdict":false},{"author":"0x80Ed773972d8BA0A4FacF2401Aca5CEba52F76dc","author_name":"Nucleon","bid":"1000000000000000000","engine":{"description":"Nucleon, The only provider that guarantees 0% false positive. using Nucleon unique offering organizations can reduce thier TCO dramtically and enjoy cyber intelligence like governments have.","name":"Nucleon"},"mask":true,"metadata":{"malware_family":"","scanner":{"environment":{"architecture":"x86_64","operating_system":"Linux"},"vendor_version":"","version":"0.1.0"}},"verdict":false},{"author":"0x8d80CEe474b9004949Cf7e4BfA28460AC8e370a1","author_name":"Virusdie","bid":"1000000000000000000","engine":{"description":null,"name":"Virusdie"},"mask":true,"metadata":{"malware_family":"EICAR.TEST","scanner":{"environment":{"architecture":"x86_64","operating_system":"Linux"},"vendor_version":"1.3.0","version":"0.3.0"}},"verdict":true},{"author":"0x7839aB10854505aBb712F10D1F66d45F359e6c89","author_name":"Ikarus","bid":"1000000000000000000","engine":{"description":null,"name":"Ikarus"},"mask":true,"metadata":{"malware_family":"EICAR-Test-File","scanner":{"environment":{"architecture":"x86_64","operating_system":"Linux"},"signatures_version":"21.02.2020 13:15:46 (102417)","vendor_version":"5.2.9.0","version":"0.2.0"}},"verdict":true},{"author":"0x3750266F07E0590aA16e55c32e08e48878010f8f","author_name":"ClamAV","bid":"1000000000000000000","engine":{"description":null,"name":"ClamAV"},"mask":true,"metadata":{"malware_family":"","scanner":{"environment":{"architecture":"x86_64","operating_system":"Linux"},"vendor_version":"ClamAV 0.101.4/25730/Fri Feb 21 12:08:06 2020"}},"verdict":false},{"author":"0x10A9eE8552f2c6b2787B240CeBeFc4A4BcB96f27","author_name":"Alibaba","bid":"1000000000000000000","engine":{"description":null,"name":"Alibaba"},"mask":true,"metadata":{"malware_family":"","scanner":{"environment":{"architecture":"AMD64","operating_system":"Windows"}},"type":"eicar"},"verdict":false},{"author":"0xbE0B3ec289aaf9206659F8214c49D083Dc1a9E17","author_name":"K7","bid":"1000000000000000000","engine":{"description":null,"name":"K7"},"mask":true,"metadata":{"malware_family":"EICAR_Test_File","scanner":{"environment":{"architecture":"AMD64","operating_system":"Windows"},"signatures_version":"11.95.33362, 21-Feb-2020","vendor_version":"15.2.0.42","version":"0.2.0"}},"verdict":true},{"author":"0x2b4C240B376E5406C5e2559C27789d776AE97EFD","author_name":"NanoAV","bid":"1000000000000000000","engine":{"description":null,"name":"NanoAV"},"mask":true,"metadata":{"malware_family":"Marker.Dos.EICAR-Test-File.dyb","scanner":{"environment":{"architecture":"AMD64","operating_system":"Windows"},"signatures_version":"0.14.33.17090","vendor_version":"1.0.134.90567","version":"0.1.0"}},"verdict":true},{"author":"0xb9b1FA288F7b1867AEF6C044CDE12ab2De252113","author_name":"VenusEye","bid":"812500000000000000","engine":{"description":null,"name":"VenusEye"},"mask":true,"metadata":{"malware_family":"","scanner":{"environment":{"architecture":"x86_64","operating_system":"Linux"},"version":"0.1.0"}},"verdict":false},{"author":"0xBAFcaF4504FCB3608686b40eB1AEe09Ae1dd2bc3","author_name":"DrWeb","bid":"1000000000000000000","engine":{"description":null,"name":"DrWeb"},"mask":true,"metadata":{"malware_family":"EICAR Test File (NOT a Virus!)","scanner":{"environment":{"architecture":"x86_64","operating_system":"Linux"},"signatures_version":"864BFD34E93FFC1BEFC260DAE804EFAF, 2020-Feb-21 16:59:42","vendor_version":"7.00.44.12030","version":"0.3.0"}},"verdict":true}],"community":"lima","country":"US","created":"2020-02-21T19:21:59.196578","extended_type":"EICAR virus test files","failed":false,"filename":"malicious.txt","first_seen":"2020-01-24T21:56:21.456900","id":"50446025732260182","last_seen":"2020-02-21T19:21:59.196578","md5":"a6a57bf20416a4c712c4a1eabcaeb235","metadata":[{"created":"2020-02-20T22:29:45.801434","tool":"strings","tool_metadata":{"domains":[],"ipv4":[],"ipv6":[],"urls":[]}},{"created":"2020-02-20T22:29:45.675692","tool":"hash","tool_metadata":{"md5":"a6a57bf20416a4c712c4a1eabcaeb235","sha1":"a33fb79e9c71f1b446607d437a1984602ed47d5c","sha256":"89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf","sha3_256":"ab1256000f634456fac4fe42bbc0bf39256e4bab954dc8c8f241433d07895fad","sha3_512":"737ec00fa15de1defdca9993c7d95058c2f30b658ef66c8b978287c1042d7ba7283d8d1130c356fbb8058bd739c5e349169ad93f4f428a830720ee107c6df288","sha512":"2f79598bc355b385be7c7b785ec74073bf4b59b8095c1b1f7291e0dd04e5e140f700bcc583809ec63d6d98991698273c1678bd3399ec0b1b8ba9f60be151ec3b","ssdeep":"3:a+JraNvsgzsVqSwHqajaBFSdYSDQ1SBWfQdRXn:tJuOgzskCStDmidRX","tlsh":"ccc09b867e1dfda6530b44510171b5771829575d1de4053421d1f0f4dd677dc43741f8"}}],"mimetype":"text/plain","polyscore":0.07193209420451106,"result":null,"sha1":"a33fb79e9c71f1b446607d437a1984602ed47d5c","sha256":"89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf","size":132,"type":"FILE","votes":[{"arbiter":"0xB63cD054D7E63D9Ce8AbB403a0dfa11b26A1fB89","vote":false},{"arbiter":"0xd8b48Da78188312c5fC079E532afd48De973767E","vote":true},{"arbiter":"0xdC6a0F9C3AF726Ba05AaC14605Ac9B3b958512d7","vote":false}],"window_closed":true},"status":"OK"}\n'
debug [polyswarm_api.endpoint]: Parsing request results.
debug [polyswarm_api.types.base]: Parsing resource ArtifactInstance

For information regarding the JSON format of a result object, please see polyswarm-api's API.md.

Perform Rescans

Rescans are also triggered by referencing the SHA256/SHA1/MD5 hash of the artifact. A rescan creates a new submission (note the new Scan id and Last seen below), so the set of responding engines and the PolyScore can differ from an earlier lookup of the same file.

$ polyswarm rescan 89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
============================= Artifact Instance =============================
Scan permalink: https://polyswarm.network/scan/results/file/89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
Detections: 5/11 engines reported malicious
	Qihoo 360: Malicious, metadata: {"malware_family": "qex.eicar.gen.gen", "scanner": {"environment": {"architecture": "AMD64", "operating_system": "Windows"}}}
	ClamAV: Clean
	Ikarus: Malicious, metadata: {"malware_family": "EICAR-Test-File", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "signatures_version": "21.02.2020 13:15:46 (102417)", "vendor_version": "5.2.9.0", "version": "0.2.0"}}
	Nucleon: Clean
	VenusEye: Clean
	K7: Malicious, metadata: {"malware_family": "EICAR_Test_File", "scanner": {"environment": {"architecture": "AMD64", "operating_system": "Windows"}, "signatures_version": "11.95.33362, 21-Feb-2020", "vendor_version": "15.2.0.42", "version": "0.2.0"}}
	Lionic: Clean
	Virusdie: Malicious, metadata: {"malware_family": "EICAR.TEST", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "vendor_version": "1.3.0", "version": "0.3.0"}}
	Alibaba: Clean
	DrWeb: Malicious, metadata: {"malware_family": "EICAR Test File (NOT a Virus!)", "scanner": {"environment": {"architecture": "x86_64", "operating_system": "Linux"}, "signatures_version": "0599371BD3AE76D460E15A9719E64059, 2020-Feb-21 18:06:10", "vendor_version": "7.00.44.12030", "version": "0.3.0"}}
	XVirus: Clean
Scan id: 87555975730729927
SHA256: 89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
SHA1: a33fb79e9c71f1b446607d437a1984602ed47d5c
MD5: a6a57bf20416a4c712c4a1eabcaeb235
File type: mimetype: text/plain, extended_info: EICAR virus test files
SSDEEP: 3:a+JraNvsgzsVqSwHqajaBFSdYSDQ1SBWfQdRXn:tJuOgzskCStDmidRX
TLSH: ccc09b867e1dfda6530b44510171b5771829575d1de4053421d1f0f4dd677dc43741f8
First seen: 2020-01-24 21:56:21.456900
Last seen: 2020-02-21 20:03:30.398950
Status: Assertion window closed
Filename: 89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf
Community: lima
Country: US
PolyScore: 0.08376258884586366971
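The JSON from --fmt json lookup and the text from rescan describe the same sha256 at two points in time, with different engine sets (NanoAV asserts only in the first) and different PolyScores. The script below is an added example, not polyswarm-cli or polyswarm-api code: it summarizes a result object the way the text output does (counting only assertions whose mask is true, collecting malware families and arbiter votes, and flagging results whose assertion window has not closed yet) and diffs two results for the same file to show which engines flipped verdict, stopped asserting, or newly appeared. The two embedded objects are abbreviated by hand from the lookup JSON and the rescan output above; the rescan one carries no votes because the text output does not show them. It assumes the file written with -o holds either the raw response or the bare result object, and detects which by looking for a nested result dict.

```python
"""Summarize and diff PolySwarm result objects (added example; not polyswarm-cli code).

Usage: python3 triage.py [/tmp/test.json [later.json]]
With no arguments it uses the two embedded objects, abbreviated by hand from the
lookup JSON and the rescan output above (constructed test data).
"""
import json
import sys


def _assertion(name, verdict, family="", mask=True):
    """Minimal assertion dict shaped like the API's (constructed helper)."""
    return {"author_name": name, "mask": mask, "verdict": verdict,
            "metadata": {"malware_family": family}}


SHA256 = "89b7a034846a917f7f31a22778ffe04caa3c22136d0e12d1676cfd41a889b6bf"

# Engine verdicts from the lookup JSON above, in page order; "result": None mirrors the
# null field the real object carries, which is why the bare/wrapped check below is needed.
LOOKUP_RESULT = {"status": "OK", "result": {
    "id": "50446025732260182", "sha256": SHA256, "window_closed": True, "result": None,
    "polyscore": 0.07193209420451106,
    "votes": [{"vote": False}, {"vote": True}, {"vote": False}],
    "assertions": [
        _assertion("Qihoo 360", True, "qex.eicar.gen.gen"), _assertion("Lionic", False),
        _assertion("XVirus", False), _assertion("Nucleon", False),
        _assertion("Virusdie", True, "EICAR.TEST"), _assertion("Ikarus", True, "EICAR-Test-File"),
        _assertion("ClamAV", False), _assertion("Alibaba", False),
        _assertion("K7", True, "EICAR_Test_File"),
        _assertion("NanoAV", True, "Marker.Dos.EICAR-Test-File.dyb"),
        _assertion("VenusEye", False),
        _assertion("DrWeb", True, "EICAR Test File (NOT a Virus!)"),
    ]}}

# Engine verdicts from the rescan text output above; it shows no arbiter votes.
RESCAN_RESULT = {"status": "OK", "result": {
    "id": "87555975730729927", "sha256": SHA256, "window_closed": True, "result": None,
    "polyscore": 0.08376258884586367,
    "assertions": [
        _assertion("Qihoo 360", True, "qex.eicar.gen.gen"), _assertion("ClamAV", False),
        _assertion("Ikarus", True, "EICAR-Test-File"), _assertion("Nucleon", False),
        _assertion("VenusEye", False), _assertion("K7", True, "EICAR_Test_File"),
        _assertion("Lionic", False), _assertion("Virusdie", True, "EICAR.TEST"),
        _assertion("Alibaba", False),
        _assertion("DrWeb", True, "EICAR Test File (NOT a Virus!)"),
        _assertion("XVirus", False),
    ]}}


def _result(doc):
    """Accept the raw API response ({"result": {...}, "status": ...}) or a bare result object.
    A bare object also has a "result" key, but it is null, not a dict."""
    inner = doc.get("result")
    return inner if isinstance(inner, dict) else doc


def _verdicts(doc):
    """Engine name -> verdict, counting only engines that actually asserted (mask true)."""
    return {a["author_name"]: bool(a["verdict"])
            for a in _result(doc)["assertions"] if a.get("mask", True)}


def summarize(doc):
    result, verdicts = _result(doc), _verdicts(doc)
    malicious = {n for n, v in verdicts.items() if v}
    families = {a["metadata"].get("malware_family") for a in result["assertions"]
                if a.get("mask", True) and a["verdict"]}
    return {
        "sha256": result["sha256"],
        "detections": f"{len(malicious)}/{len(verdicts)}",
        "polyscore": result["polyscore"],
        "families": sorted(f for f in families if f),
        "arbiter_malicious_votes": sum(1 for v in result.get("votes", []) if v["vote"]),
        # Until the assertion window closes, more engines may still respond.
        "final": bool(result.get("window_closed")),
    }


def diff_verdicts(old, new):
    """Engines that changed verdict, stopped asserting, or newly asserted between two scans."""
    o, n = _verdicts(old), _verdicts(new)
    return {"flipped": sorted(e for e in o.keys() & n.keys() if o[e] != n[e]),
            "missing": sorted(o.keys() - n.keys()),
            "new": sorted(n.keys() - o.keys())}


def load(path):
    with open(path, "rb") as fh:
        return json.load(fh)


def main(argv):
    docs = [load(p) for p in argv] if argv else [LOOKUP_RESULT, RESCAN_RESULT]
    for doc in docs:
        print(json.dumps(summarize(doc), indent=2))
    if len(docs) == 2:
        print("diff:", json.dumps(diff_verdicts(docs[0], docs[1])))


if __name__ == "__main__":
    main(sys.argv[1:])
```

The "final" flag is the check worth keeping: a lookup made seconds after submission can return a partial assertion list with window_closed false, and a detection ratio computed from it will be revised once the window closes.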

2020 © PolySwarm Pte. Ltd.