Getting started overview
MalShare offers an API that provides access to a database of malware samples and associated metadata for security research and threat intelligence purposes. This guide outlines the necessary steps to begin using the MalShare API, from account creation and API key retrieval to executing your initial API request. The API is designed for straightforward interaction, primarily focusing on endpoints to query and download malware samples.
To integrate MalShare into your workflows, you will need to:
- Create an account on the MalShare website.
- Locate and retrieve your unique API key from your user dashboard.
- Understand the basic API request structure, which typically involves HTTP GET requests with your API key.
- Execute your first API call to verify connectivity and authentication.
A free tier is available, allowing for up to 500 API requests per day, which is suitable for initial testing and light usage. For more extensive use, MalShare offers paid tiers starting at $9.99 per month for 25,000 API requests daily.
Create an account and get keys
Accessing the MalShare API requires an active user account and a valid API key. Follow these steps to set up your access:
1. Register for a MalShare account
Navigate to the MalShare homepage and complete the registration process. This typically involves providing an email address, creating a password, and agreeing to the terms of service. Account activation may require email verification.
2. Obtain your API key
Once registered and logged in, your API key will be available in your personal user dashboard. The MalShare API documentation specifies that the key is a unique token used to authenticate your requests. Treat your API key as a sensitive credential; do not expose it in client-side code, public repositories, or unsecured environments. If your API key is compromised, you should be able to regenerate it from your MalShare account settings.
Your first request
After obtaining your API key, you can make your first request to the MalShare API. This example demonstrates how to query for recent malware samples using a simple HTTP GET request. The MalShare API primarily uses RESTful principles, with resources accessed via standard HTTP methods.
API Endpoint Structure
MalShare API endpoints follow a structure like https://malshare.com/api.php?api_key=[YOUR_API_KEY]&action=[ACTION]&[PARAMETERS]. Replace [YOUR_API_KEY] with your actual key and [ACTION] with the desired API action, such as getlist for recent samples or details for specific sample information.
Example: Get a list of recent samples
This example retrieves a list of the 50 most recent malware samples. MalShare recommends using parameters such as action=getlist and amount=50 for this query. The response is typically in JSON format.
Using curl (Bash)
The curl command-line tool is a common method for making HTTP requests and is often pre-installed on Unix-like systems. This example demonstrates a basic API call:
```bash
curl "https://malshare.com/api.php?api_key=YOUR_API_KEY&action=getlist&amount=50"
```
Replace YOUR_API_KEY with your actual MalShare API key.
Using Python
Python is frequently used for scripting API interactions due to its extensive library support. The requests library simplifies HTTP requests.
```python
import json

import requests

api_key = "YOUR_API_KEY"  # Replace with your actual API key
url = f"https://malshare.com/api.php?api_key={api_key}&action=getlist&amount=50"

try:
    # Set a timeout so a stalled connection cannot hang the script
    response = requests.get(url, timeout=30)
    response.raise_for_status()  # Raise an HTTPError for bad responses (4xx or 5xx)
    data = response.json()
    print(json.dumps(data, indent=2))
except requests.exceptions.RequestException as e:
    print(f"An error occurred: {e}")
```
Ensure you have the requests library installed (pip install requests).
Expected Response (Partial JSON)
A successful request will return a JSON array containing objects representing malware samples. Each object typically includes a hash, filename, and submission time.
```json
[
  {
    "hash": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "filename": "sample.exe",
    "md5": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "sha1": "...",
    "sha256": "...",
    "size": "12345",
    "submitdate": "2026-05-29 10:00:00"
  },
  // ... more samples
]
```
Quick Reference: Getting Started Steps
This table summarizes the core steps for getting started with MalShare API access.
| Step | What to do | Where |
|---|---|---|
| 1. Account Creation | Register for a new user account. | MalShare homepage |
| 2. API Key Retrieval | Log in and locate your unique API key. | MalShare user dashboard |
| 3. Understand Endpoints | Review available API actions and parameters. | MalShare API documentation |
| 4. First Request | Execute a simple GET request (e.g., getlist). | Your preferred programming environment (e.g., terminal, Python script) |
| 5. Process Response | Parse the JSON response to extract data. | Your programming environment |
Common next steps
Once you have successfully made your first API call, consider these common next steps to further integrate MalShare into your security research or threat intelligence workflows:
- Explore other API actions: The MalShare API offers various actions beyond simply listing recent samples. Investigate actions like details to retrieve comprehensive information about a specific sample by its hash, or download to obtain the actual malware binary for analysis in a secure environment. Refer to the MalShare API reference for a full list of available actions and their parameters.
- Implement error handling: Production-ready code should include robust error handling to manage rate limits, invalid API keys, and network issues. The API typically returns HTTP status codes and JSON error messages to indicate problems. For example, a 403 Forbidden status might indicate an invalid API key, while a 429 Too Many Requests indicates you've exceeded your rate limit.
- Secure your API key: Implement best practices for API key security. Avoid hardcoding keys directly into your scripts. Instead, use environment variables or a secure configuration management system. For server-side applications, consider using a secrets management service to protect API keys.
- Monitor usage and rate limits: Keep track of your API usage to ensure you stay within your allocated request limits, especially if you are using the free tier of 500 requests per day. Paid tiers offer higher limits, detailed on the MalShare pricing page.
- Integrate with other tools: Consider integrating MalShare data with other security tools or platforms, such as Security Information and Event Management (SIEM) systems, threat intelligence platforms, or automated analysis sandboxes.
- Explore community resources: Engage with the cybersecurity community to learn about common use cases, best practices, and potential integrations for malware analysis data.
Troubleshooting the first call
If your initial API call to MalShare does not return the expected results, consider the following troubleshooting steps:
- Verify API Key: Double-check that the API key in your request exactly matches the key provided in your MalShare user dashboard. A common issue is a typo or an extra space.
- Check URL Encoding: Ensure that all parameters in your URL are correctly URL-encoded, especially if they contain special characters. While simple API keys and actions are less likely to cause issues, complex queries might require proper encoding.
- Inspect HTTP Status Codes: The HTTP status code returned by the API provides critical information. For example:
  - 200 OK: The request was successful. If no data is returned, the query parameters might be too restrictive or there's no data matching your criteria.
  - 400 Bad Request: The API did not understand your request, possibly due to missing or invalid parameters. Consult the MalShare API documentation for correct parameter usage.
  - 401 Unauthorized or 403 Forbidden: Your API key is likely invalid, expired, or you lack the necessary permissions for the requested action. Re-verify your API key.
  - 429 Too Many Requests: You have exceeded your rate limit. Wait for the specified retry-after period or upgrade your MalShare account tier.
  - 5xx Server Error: An issue occurred on the MalShare server side. This is typically not an error with your request, but you can try again later.
- Review Request Parameters: Confirm that the action and other parameters (e.g., amount for getlist) are correctly specified as per the MalShare API documentation. Incorrect parameter names or values will lead to unexpected responses.
- Network Connectivity: Ensure your system has active internet connectivity and is not blocked by a firewall or proxy from reaching https://malshare.com.
- JSON Parsing Errors: If you receive a response but cannot parse it, verify that it is valid JSON. Tools like online JSON validators can help identify syntax errors if the API is returning malformed data for some reason, though this is less common with well-established APIs.
- Consult Documentation Examples: Compare your request against the examples provided in the MalShare documentation, especially for different programming languages.
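The key-handling and status-code advice above, put together as an added example (not MalShare's code and not part of the original guide). It uses the standard library's urllib; the environment variable name MALSHARE_API_KEY, the 60-second fallback wait and the verdict labels are assumptions. redact() matters because HTTP client error messages, including those raised by requests, can contain the full request URL with the API key in it.

```python
import os
import re
import urllib.error
import urllib.parse
import urllib.request

API_URL = "https://malshare.com/api.php"  # endpoint given on this page
KEY_ENV = "MALSHARE_API_KEY"              # assumed variable name, not MalShare's

def build_url(action, api_key, **params):
    """URL-encode every parameter rather than formatting them into the string."""
    query = {"api_key": api_key, "action": action, **params}
    return API_URL + "?" + urllib.parse.urlencode(query)

def redact(text):
    """Mask the api_key value before a URL or error message reaches a log."""
    return re.sub(r"(api_key=)[^&\s]+", r"\1<redacted>", str(text))

def classify(status, retry_after=None):
    """Map the status codes in the troubleshooting list to (verdict, wait_seconds)."""
    if status == 200:
        return ("ok", 0)
    if status == 400:
        return ("bad_request", 0)
    if status in (401, 403):
        return ("check_api_key", 0)
    if status == 429:
        # Retry-After may be missing or not a plain number; fall back to 60 s (assumed).
        wait = int(retry_after) if str(retry_after or "").isdigit() else 60
        return ("rate_limited", wait)
    if 500 <= status <= 599:
        return ("server_error_retry_later", 0)
    return ("unexpected", 0)

def get_list(amount=50):
    """Call getlist; returns (verdict, wait_seconds, body_or_redacted_error)."""
    # KeyError when unset: fail instead of falling back to a hardcoded key.
    api_key = os.environ[KEY_ENV].strip()  # drop a stray space from copy/paste
    url = build_url("getlist", api_key, amount=amount)
    try:
        with urllib.request.urlopen(url, timeout=30) as resp:
            return (*classify(resp.status), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return (*classify(err.code, err.headers.get("Retry-After")), redact(err))
    except urllib.error.URLError as err:
        return ("network_error", 0, redact(err))

if __name__ == "__main__":
    print(get_list()[:2])  # verdict and wait only; the body can be large
```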