Stairwell Inception is a SaaS that automatically collects every binary executable from a customer’s environment and runs private, continuous, research-grade analysis against those files to surface threats and vulnerabilities.
Stairwell offers a set of REST APIs for bringing Inception’s knowledge to existing automation tools, like SOARs. This includes capabilities around enrichment and the ability to hunt for malware variants.
Our enrichment API brings Inception’s research-grade analysis results into automation. A common use case is looking up a file hash indicator in Inception and returning what Inception knows about it, including whether the file was privately collected from a customer environment or was seen in our shared malware corpus.
API Documentation: https://help.stairwell.com/en/knowledge/stairwell-inception-file-reputation-api
curl --request GET \
  --url https://reputation.app.stairwell.com/api/v3/files/<FILE HASH (MD5, SHA1, or SHA256)> \
  --header 'x-apikey: <API/AUTH TOKEN>'
{
  "type": "file",
  "id": "f89d3d2177a4ad5a4995fd2bedaf13c6de2726e14f1367c21cdbb5c776aa1c7f",
  "links": {
    "self": "/api/v3/files/f89d3d2177a4ad5a4995fd2bedaf13c6de2726e14f1367c21cdbb5c776aa1c7f"
  },
  "data": {
    "attributes": {
      "md5": "68927422419023003c40ecd438981af1",
      "sha1": "6303420a19756a69b436fd1e2902437ff0734613",
      "sha256": "f89d3d2177a4ad5a4995fd2bedaf13c6de2726e14f1367c21cdbb5c776aa1c7f",
      "size": 6113792,
      "creation_date": 1646274587,
      "names": [
        "C:\\Users\\ida\\go\\hello\\/hello.exe"
      ],
      "meaningful_name": "C:\\Users\\ida\\go\\hello\\/hello.exe",
      "times_submitted": 1,
      "type_description": "EXE",
      "crowdsourced_yara_results": [
        {
          "rule_name": "Methodology_Codelang_Golang_BuildId_Catchall"
        },
        {
          "rule_name": "Methodology_Codelang_Golang_Strings_PE"
        },
        {
          "rule_name": "Methodology_Algorithm_SHA256_Constants"
        },
        {
          "rule_name": "Methodology_PotentialCredentialHarvester"
        }
      ],
      "occurrences": [
        {
          "environment": {
            "id": "2FPYDD-8LP9XU-VYQAAC-VTRF29MT",
            "name": "Ida Bear Sandbox"
          },
          "assets": [
            {
              "id": "AD64SQ-C3VABC-8HJN6L-LF2CR999",
              "name": "WORKGROUP\\SW-MJW-CRD-1"
            }
          ]
        }
      ],
      "mal_eval_result": {
        "label": "onlinegames",
        "probability_bucket": "PROBABILITY_VERY_HIGH"
      },
      "magic": "EXE",
      "imphash": "c7269d59926fa4252270f407e4dab043",
      "ssdeep": "98304:Q4xcDSb5mWNPEU8O/41EhETAN4EwKy+QJ:9yWBEjOd54+Q"
    }
  }
}
Mal-Eval Probability Buckets

| probability_bucket value |
|---|
| PROBABILITY_UNKNOWN |
| PROBABILITY_VERY_HIGH |
| PROBABILITY_HIGH |
| PROBABILITY_MEDIUM |
| PROBABILITY_LOW |
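A small Python client for the lookup above, added here as an example (not Stairwell's own code): it validates the hash before it is placed in the URL, ranks the mal_eval probability bucket from the table above so a playbook can branch on it, and reads the occurrences and crowdsourced YARA fields from a trimmed copy of the sample response. It assumes that an occurrences entry means the file was collected from a customer environment rather than only seen in the shared corpus.

```python
"""Hash lookup against the Inception reputation API, flattened for SOAR triage
(added example, not Stairwell's own code)."""
import json
import re
import urllib.request

REPUTATION_URL = "https://reputation.app.stairwell.com/api/v3/files/"
# Rank the probability buckets from the table above; UNKNOWN ranks lowest.
BUCKET_RANK = {"PROBABILITY_UNKNOWN": 0, "PROBABILITY_LOW": 1, "PROBABILITY_MEDIUM": 2,
               "PROBABILITY_HIGH": 3, "PROBABILITY_VERY_HIGH": 4}
HASH_RE = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})")

def is_file_hash(value: str) -> bool:
    """True only for a bare MD5 (32), SHA1 (40) or SHA256 (64) hex digest."""
    return HASH_RE.fullmatch(value) is not None

def build_request(file_hash: str, api_key: str) -> urllib.request.Request:
    """Same GET as the curl above; validating first keeps untrusted alert
    data (paths, query strings) out of the request URL."""
    h = file_hash.strip().lower()
    if not is_file_hash(h):
        raise ValueError(f"not an MD5, SHA1 or SHA256 hex digest: {file_hash!r}")
    return urllib.request.Request(REPUTATION_URL + h, headers={"x-apikey": api_key})

def lookup(file_hash: str, api_key: str) -> dict:
    with urllib.request.urlopen(build_request(file_hash, api_key), timeout=30) as resp:
        return json.load(resp)

def triage(reputation: dict) -> dict:
    """Pull out the verdict, where the file was collected, and the YARA hits."""
    attrs = reputation["data"]["attributes"]
    mal = attrs.get("mal_eval_result") or {}
    bucket = mal.get("probability_bucket", "PROBABILITY_UNKNOWN")
    # Assumption: an occurrences entry means the file was privately collected
    # from a customer environment rather than seen only in the shared corpus.
    envs = [occ["environment"]["name"] for occ in attrs.get("occurrences", [])]
    return {"sha256": attrs["sha256"], "label": mal.get("label"), "bucket": bucket,
            "rank": BUCKET_RANK.get(bucket, 0), "privately_collected": bool(envs),
            "environments": envs,
            "yara_rules": [r["rule_name"] for r in attrs.get("crowdsourced_yara_results", [])]}

# Constructed sample, trimmed from the response shown above, so this runs offline.
SAMPLE = {"type": "file", "data": {"attributes": {
    "sha256": "f89d3d2177a4ad5a4995fd2bedaf13c6de2726e14f1367c21cdbb5c776aa1c7f",
    "crowdsourced_yara_results": [{"rule_name": "Methodology_PotentialCredentialHarvester"}],
    "occurrences": [{"environment": {"id": "2FPYDD-8LP9XU-VYQAAC-VTRF29MT", "name": "Ida Bear Sandbox"},
                     "assets": [{"id": "AD64SQ-C3VABC-8HJN6L-LF2CR999", "name": "WORKGROUP\\SW-MJW-CRD-1"}]}],
    "mal_eval_result": {"label": "onlinegames", "probability_bucket": "PROBABILITY_VERY_HIGH"}}}}
```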
Variant discovery is a key innovation in the Inception platform: partners can take any file within Inception and look up variants of that file, without requiring an existing AV detection or an authored YARA rule. A common use case is to run this discovery on every EDR/AV alert, taking a file the EDR detected and “discovering” whether any variants exist that the EDR/AV did not detect.
API Docs: https://help.stairwell.com/en/knowledge/how-do-i-use-the-inception-variants-api
{
  "name": "variants/64ec615c046a59c08f0ddf3fe9f93e0c9e1bed227d980628cc09600e94adcd25",
  "variants": [
    {
      "similarity": 0.99375,
      "sha256": "0a275e054b62efc2f809977840c196f77feff24564ce134d08af9a2eafa43896",
      "sha1": "07e08d65196cd53af64d4c162e65bad05d3b93ef",
      "md5": "7d2ef03934fa4d4fbf55b490416b128a"
    },
    {
      "similarity": 0.98125,
      "sha256": "3f2114326f2b2e5096038a675611d087c9ea61af505a15a51429973bc82037dc",
      "sha1": "f5aa2c169cb8cc6f5af89ac86e181dbaf5c73355",
      "md5": "0fde65789e7b4f8155483b26225aae6d"
    },
    {
      "similarity": 0.9625,
      "sha256": "8db65d24557d199d395c31ec82791d8a70c1807098b26c04ca3a20c32cc4b649",
      "sha1": "cd1e77719af780c2b9724283603b73858b90f5e9",
      "md5": "25f8b8816b2a840e56ba9da60f726110"
    },
    {
      "similarity": 0.9625,
      "sha256": "4773b7c78b41c5a04af56db2fdfc127ad23d3a627d46dac7f53338e5e669a4a1",
      "sha1": "a3b1310118ad57dd5f690f961cc920a136bee621",
      "md5": "36d3ba8d20059c57cdf9316ebb741ddb"
    },
    {
      "similarity": 0.9625,
      "sha256": "50354b1a93910c04b9ab80f0cc2f1032e1057e2457fa15fbb23010f375e0fe17",
      "sha1": "c30026485424e0d52770c101de751245ef4c496d",
      "md5": "66494a3ceab97ba461e4dd6a1c1065e8"
    },
    {
      "similarity": 0.9625,
      "sha256": "c00a9965c5c693b582b12bedbf5c263107195e3c85fce14a5f2148aec91a7972",
      "sha1": "c021a0d1d1d2aebd39a8c4c85a50130a280172d5",
      "md5": "657279b258276242aa673ddf8d21c4b3"
    },
    {
      "similarity": 0.9625,
      "sha256": "dfe027d10700dd47b88d572ecb693b0f64055017f16872a2a2a93b51bc318eb6",
      "sha1": "61a1dfb4d2608cfc2ae99a72dab9478b4925597a",
      "md5": "dd4c80afdbb63dc2feffafadef35e595"
    },
    {
      "similarity": 0.95625,
      "sha256": "348ab3c14c0c617eedc8be74d1f5b6a50f045d455f37aaed34957feb6614771f",
      "sha1": "734cfe9ba262e83d3a54473623dc33437fd6b48b",
      "md5": "d32b210a9e123f7eb4f4de383b7502a7"
    },
    {
      "similarity": 0.96875,
      "sha256": "b22c172ee8c52f7c6a15520986af33327bda7b3f4f1cdc4e19da8d77abbabf4e",
      "sha1": "18e5e6fa9f911751d990cf60c25831eca125466e",
      "md5": "b469ea6a958397cc81693bb910e452ae"
    },
    {
      "similarity": 0.9625,
      "sha256": "a3cb5b931f9c7f3c03585efc99398665ed6eeccf4279804fa2228c589c4cef9f",
      "sha1": "4735a35f9540985dd50a84a88b5211bc197d5458",
      "md5": "ab7a405196c344c4f59616883b47ac0c"
    }
  ],
  "variant_count": 10,
  "original_object": "64ec615c046a59c08f0ddf3fe9f93e0c9e1bed227d980628cc09600e94adcd25"
}
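A Python helper for the response above, added here as an example (not Stairwell's own code): given the variants JSON and the hashes the EDR/AV already flagged, it returns the undetected variants at or above an analyst-chosen similarity cut-off, most similar first, and groups them by hash type for a sweep. The request itself is left to the linked docs; the 0.95 default cut-off is an assumption, not a value the API defines.

```python
"""Turn an Inception variants API response into a hunt list for an EDR/AV alert
(added example, not Stairwell's own code; works on the response JSON shown above)."""


def variants_to_hunt(resp: dict, known: set, min_similarity: float = 0.95) -> list:
    """Variants at or above the similarity cut-off that the EDR/AV has not already
    flagged (`known`), most similar first. The threshold is an analyst choice,
    not a value the API defines."""
    original = resp["original_object"].lower()
    seen = {h.lower() for h in known} | {original}
    picked = []
    for v in resp.get("variants", []):
        sha256 = v["sha256"].lower()
        if v["similarity"] < min_similarity or sha256 in seen:
            continue
        seen.add(sha256)  # ignore a file the API lists twice
        picked.append({"sha256": sha256, "sha1": v["sha1"], "md5": v["md5"],
                       "similarity": v["similarity"], "parent": original})
    picked.sort(key=lambda v: v["similarity"], reverse=True)
    return picked


def ioc_groups(hunt: list) -> dict:
    """Group the hunt list by hash type for tools that sweep on one algorithm."""
    return {alg: [v[alg] for v in hunt] for alg in ("sha256", "sha1", "md5")}


# Constructed sample: the original object and three of the variants shown above.
SAMPLE = {
    "name": "variants/64ec615c046a59c08f0ddf3fe9f93e0c9e1bed227d980628cc09600e94adcd25",
    "variants": [
        {"similarity": 0.99375, "sha256": "0a275e054b62efc2f809977840c196f77feff24564ce134d08af9a2eafa43896",
         "sha1": "07e08d65196cd53af64d4c162e65bad05d3b93ef", "md5": "7d2ef03934fa4d4fbf55b490416b128a"},
        {"similarity": 0.9625, "sha256": "8db65d24557d199d395c31ec82791d8a70c1807098b26c04ca3a20c32cc4b649",
         "sha1": "cd1e77719af780c2b9724283603b73858b90f5e9", "md5": "25f8b8816b2a840e56ba9da60f726110"},
        {"similarity": 0.95625, "sha256": "348ab3c14c0c617eedc8be74d1f5b6a50f045d455f37aaed34957feb6614771f",
         "sha1": "734cfe9ba262e83d3a54473623dc33437fd6b48b", "md5": "d32b210a9e123f7eb4f4de383b7502a7"},
    ],
    "variant_count": 3,
    "original_object": "64ec615c046a59c08f0ddf3fe9f93e0c9e1bed227d980628cc09600e94adcd25",
}
```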