Endpoint: /search-by-stealer
Required Permissions: search-by-stealer
The Stealer Search endpoint enables searching for compromises using specific stealer IDs. This endpoint is valuable for investigating malware infections and tracking compromises from known malware sources.
- Track specific malware infections
- Investigate compromise clusters
- Monitor stealer families
- Analyze infection patterns
- Track credential theft campaigns
```json
{
  "stealers": [
    "EG_196.158.196.83",
    "US_98.11.162.214_25-01-25_13579"
  ],
  "sort_by": "date_compromised",
  "sort_direction": "desc",
  "filter_credentials": true,
  "start_date": "2024-01-01T00:00:00Z",
  "end_date": "2024-12-31T23:59:59Z"
}
```
| Parameter | Type | Description | Constraints |
|---|---|---|---|
| stealers | array[string] | List of stealer IDs | 1-50 IDs |

| Parameter | Type | Default | Description |
|---|---|---|---|
| sort_by | string | "date_compromised" | Sort by "date_compromised" or "date_uploaded" |
| sort_direction | string | "desc" | Sort direction: "asc" or "desc" |
| filter_credentials | boolean | true | Return only matched credentials |
| start_date | datetime | null | Filter results after this date |
| end_date | datetime | null | Filter results before this date |
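The constraints in the tables above are exactly what the server answers with a 400 for, so it is cheaper to reject a bad request client-side. The following is an added example (not code from this documentation or its client library) that builds a request body and enforces the 1-50 ID limit, the two `sort_by` values, the two directions and UTC ISO-8601 dates. The stealer ID pattern is an assumption inferred only from the two sample IDs on this page (`<country code>_<IPv4>[_<DD-MM-YY>_<digits>]`); treat it as a sanity check, not the API's specification.

```python
import re
from datetime import datetime, timezone

# Constraints taken from the parameter tables.
MAX_STEALERS = 50
SORT_FIELDS = {"date_compromised", "date_uploaded"}
SORT_DIRECTIONS = {"asc", "desc"}

# ASSUMPTION: ID shape inferred from the two sample IDs on the page, not from an official spec.
STEALER_ID_RE = re.compile(
    r"^[A-Z]{2}_(?:\d{1,3}\.){3}\d{1,3}(?:_\d{2}-\d{2}-\d{2}_\d+)?$"
)


def validate_stealer_id(stealer_id: str) -> bool:
    """True if the ID matches the assumed shape and every IPv4 octet is 0-255."""
    if not STEALER_ID_RE.match(stealer_id):
        return False
    ip = stealer_id.split("_")[1]
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def _iso_utc(value):
    """Normalize a datetime or ISO-8601 string to the 'YYYY-MM-DDTHH:MM:SSZ' form used in the request example."""
    if value is None:
        return None
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_search_request(stealers, sort_by="date_compromised", sort_direction="desc",
                         filter_credentials=True, start_date=None, end_date=None):
    """Build the /search-by-stealer body, raising ValueError for anything the API would reject with 400."""
    if not 1 <= len(stealers) <= MAX_STEALERS:
        raise ValueError(f"stealers must contain 1-{MAX_STEALERS} IDs, got {len(stealers)}")
    bad = [s for s in stealers if not validate_stealer_id(s)]
    if bad:
        raise ValueError(f"malformed stealer IDs: {bad}")
    if sort_by not in SORT_FIELDS:
        raise ValueError(f"sort_by must be one of {sorted(SORT_FIELDS)}")
    if sort_direction not in SORT_DIRECTIONS:
        raise ValueError(f"sort_direction must be one of {sorted(SORT_DIRECTIONS)}")

    body = {
        "stealers": list(dict.fromkeys(stealers)),  # drop duplicates, keep order
        "sort_by": sort_by,
        "sort_direction": sort_direction,
        "filter_credentials": bool(filter_credentials),
    }
    start, end = _iso_utc(start_date), _iso_utc(end_date)
    if start and end and start > end:  # same fixed-width format, so string order is time order
        raise ValueError("start_date must not be after end_date")
    if start:
        body["start_date"] = start
    if end:
        body["end_date"] = end
    return body


if __name__ == "__main__":
    print(build_search_request(["EG_196.158.196.83", "US_98.11.162.214_25-01-25_13579"],
                               start_date="2024-01-01T00:00:00Z", end_date="2024-12-31T23:59:59Z"))
```

Duplicate IDs are removed after the length check, so a list that only fits the limit once deduplicated is still rejected, matching what the server would do with the raw list.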
```json
{
  "data": [
    {
      "stealer": "EG_196.158.196.83",
      "date_compromised": "2024-02-27T10:53:48.989Z",
      "date_uploaded": "2024-02-27T10:53:48.989Z",
      "stealer_family": "RedLine",
      "ip": "196.158.196.83",
      "computer_name": "DESKTOP-ABC123",
      "operating_system": "Windows 10 Pro",
      "credentials": [
        {
          "url": "example.com/login",
          "domain": "example.com",
          "username": "[email protected]",
          "password": "",
          "type": "employee"
        }
      ]
    }
  ],
  "nextCursor": "base64_encoded_cursor"
}
```
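The response above is one page of machine records, each carrying its credentials, plus a `nextCursor`. An added example (not code from this documentation or its client library) that follows the cursor to the end and then reduces the records to the counts a triage analyst wants first: machines per stealer family, credentials per domain, and which employee accounts were exposed. The sample pages are constructed in the shape shown above, the `FakeApi` class stands in for the real client, and the request field name `cursor` is an assumption, since the page only shows `nextCursor` in the response.

```python
import asyncio
from collections import Counter, defaultdict

# Constructed pages in the response shape shown above; cursor values and usernames are made up.
PAGES = [
    {
        "data": [{
            "stealer": "EG_196.158.196.83",
            "date_compromised": "2024-02-27T10:53:48.989Z",
            "date_uploaded": "2024-02-27T10:53:48.989Z",
            "stealer_family": "RedLine",
            "ip": "196.158.196.83",
            "computer_name": "DESKTOP-ABC123",
            "operating_system": "Windows 10 Pro",
            "credentials": [
                {"url": "example.com/login", "domain": "example.com",
                 "username": "alice@example.com", "password": "", "type": "employee"},
                {"url": "vpn.example.com/", "domain": "example.com",
                 "username": "alice@example.com", "password": "", "type": "employee"},
            ],
        }],
        "nextCursor": "page-2",
    },
    {
        "data": [{
            "stealer": "US_98.11.162.214_25-01-25_13579",
            "date_compromised": "2025-01-25T08:00:00.000Z",
            "date_uploaded": "2025-01-26T00:00:00.000Z",
            "stealer_family": "Raccoon",
            "ip": "98.11.162.214",
            "computer_name": "LAPTOP-XYZ789",
            "operating_system": "Windows 11 Home",
            "credentials": [
                {"url": "shop.example.org/account", "domain": "example.org",
                 "username": "bob", "password": "", "type": "personal"},
            ],
        }],
        "nextCursor": None,
    },
]


class FakeApi:
    """Stand-in for the real client: serves the constructed pages keyed by the fake cursor."""

    def __init__(self, pages):
        self._by_cursor = {None: pages[0]}
        for page, following in zip(pages, pages[1:]):
            self._by_cursor[page["nextCursor"]] = following

    async def post(self, path, body):
        assert path == "/search-by-stealer"
        return self._by_cursor[body.get("cursor")]


async def collect_all_pages(api, body, max_pages=50):
    """Follow nextCursor until it is absent. ASSUMPTION: the cursor is sent back as a 'cursor' field."""
    records, cursor = [], None
    for _ in range(max_pages):  # hard cap so a misbehaving cursor cannot loop forever
        request = dict(body)
        if cursor:
            request["cursor"] = cursor
        page = await api.post("/search-by-stealer", request)
        records.extend(page.get("data", []))
        cursor = page.get("nextCursor")
        if not cursor:
            break
    return records


def summarize_compromises(records):
    """Reduce machine records to per-family, per-domain and employee-account views."""
    by_family = Counter(r.get("stealer_family", "unknown") for r in records)
    creds_by_domain = Counter(c["domain"] for r in records for c in r.get("credentials", []))
    employee = defaultdict(set)  # domain -> usernames flagged type == "employee"
    for r in records:
        for c in r.get("credentials", []):
            if c.get("type") == "employee":
                employee[c["domain"]].add(c["username"])
    return {
        "machines": len(records),
        "by_family": dict(by_family),
        "credentials_by_domain": dict(creds_by_domain),
        "employee_accounts": {d: sorted(u) for d, u in employee.items()},
    }


def run_demo():
    body = {"stealers": ["EG_196.158.196.83", "US_98.11.162.214_25-01-25_13579"],
            "sort_by": "date_compromised", "sort_direction": "desc", "filter_credentials": True}
    records = asyncio.run(collect_all_pages(FakeApi(PAGES), body))
    return summarize_compromises(records)


if __name__ == "__main__":
    print(run_demo())
```

The employee view deduplicates usernames per domain, so the same account leaked from two URLs on one machine counts once when deciding whom to force through a password reset.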
- Identify related stealer IDs
- Group by stealer family
- Track temporal patterns
- Monitor geographic distribution
```json
{
  "stealers": [
    "EG_196.158.196.83"
  ],
  "sort_by": "date_compromised",
  "sort_direction": "desc",
  "filter_credentials": true
}
```
- Group related stealers
- Track stealer families
- Monitor infection patterns
- Analyze credential theft
```python
async def search_stealers(stealers, sort_by='date_compromised', sort_direction='desc',
                          filter_credentials=True, start_date=None, end_date=None):
    # `api` is the client object used throughout this page; keyword arguments match the calls below.
    body = {'stealers': stealers, 'sort_by': sort_by, 'sort_direction': sort_direction,
            'filter_credentials': filter_credentials}
    if start_date:
        body['start_date'] = start_date
    if end_date:
        body['end_date'] = end_date
    return await api.post('/search-by-stealer', body)
```
```python
async def analyze_campaign(base_stealer_id):
    # Get related stealers from the same IP range.
    # find_related_stealers() and analyze_results() are not defined on this page.
    related_stealers = find_related_stealers(base_stealer_id)
    results = await search_stealers(
        stealers=related_stealers[:50],  # respect the 50-ID limit
        sort_by='date_compromised',
        filter_credentials=True
    )
    return analyze_results(results)
```
```python
async def temporal_analysis(stealer_id):
    # generate_week_ranges() and analyze_temporal_pattern() are not defined on this page.
    weekly_results = []
    for week in generate_week_ranges():
        results = await search_stealers(
            stealers=[stealer_id],
            start_date=week['start'],
            end_date=week['end']
        )
        weekly_results.append(results)
    return analyze_temporal_pattern(weekly_results)
```
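The temporal loop above leaves `generate_week_ranges()` and `analyze_temporal_pattern()` undefined. An added example (not code from this documentation or its client library) that supplies both: week windows as the ISO-8601 UTC strings the request takes, and a burst detector that flags weeks whose compromise count sits 1.5 standard deviations or more above the mean (a heuristic chosen here). The `FakeApi` class is a constructed stand-in that applies the date filter server-side with `end_date` exclusive, which is an assumption about the real API; the records are constructed.

```python
import asyncio
import statistics
from datetime import datetime, timedelta, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def generate_week_ranges(start, end):
    """Yield {'start', 'end'} ISO-8601 UTC strings covering [start, end) in 7-day steps."""
    cur = start
    while cur < end:
        nxt = min(cur + timedelta(days=7), end)
        yield {"start": cur.strftime(ISO), "end": nxt.strftime(ISO)}
        cur = nxt


def analyze_temporal_pattern(weekly):
    """weekly: list of {'week': {...}, 'compromises': int}. Flags burst weeks by z-score >= 1.5."""
    counts = [w["compromises"] for w in weekly]
    mean, sd = statistics.mean(counts), statistics.pstdev(counts)
    bursts = [i for i, c in enumerate(counts) if sd > 0 and (c - mean) / sd >= 1.5]
    peak = max(range(len(counts)), key=counts.__getitem__)
    return {"total": sum(counts), "counts": counts, "bursts": bursts, "peak_week": weekly[peak]["week"]}


class FakeApi:
    """Constructed stand-in: filters records by date_compromised, end_date exclusive (assumption)."""

    def __init__(self, records):
        self._records = records

    async def post(self, path, body):
        lo, hi = _parse(body["start_date"]), _parse(body["end_date"])
        hits = [r for r in self._records
                if r["stealer"] in body["stealers"] and lo <= _parse(r["date_compromised"]) < hi]
        return {"data": hits, "nextCursor": None}


async def temporal_analysis(api, stealer_id, start, end):
    """One request per week, as in the loop above, then burst analysis on the per-week counts."""
    weekly = []
    for week in generate_week_ranges(start, end):
        page = await api.post("/search-by-stealer", {
            "stealers": [stealer_id], "start_date": week["start"], "end_date": week["end"]})
        weekly.append({"week": week, "compromises": len(page["data"])})
    return analyze_temporal_pattern(weekly)


def _rec(ts):
    return {"stealer": "EG_196.158.196.83", "date_compromised": ts, "credentials": []}


# Constructed records: one in week 0, six in week 2, one in week 3, one outside the window.
RECORDS = [_rec("2024-02-06T09:00:00Z")] + \
          [_rec(f"2024-02-2{d}T12:00:00Z") for d in (0, 1, 2, 0, 1, 2)] + \
          [_rec("2024-02-27T10:53:48.989Z"), _rec("2024-01-01T00:00:00Z")]


def run_demo():
    start = datetime(2024, 2, 5, tzinfo=timezone.utc)
    end = start + timedelta(days=28)
    return asyncio.run(temporal_analysis(FakeApi(RECORDS), "EG_196.158.196.83", start, end))


if __name__ == "__main__":
    print(run_demo())
```

One request per week keeps each response small, which also sidesteps the 408 timeout listed in the error table; the trade-off is more calls, so keep the window bounded.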
- Track related stealers
- Monitor IP patterns
- Analyze timing
- Map geographic spread

- Types of stolen credentials
- Target services
- Victim patterns
- Reuse patterns

- Related stealer IDs
- Temporal patterns
- Geographic clusters
- Target patterns
| Status | Cause | Solution |
|---|---|---|
| 400 | Invalid stealer ID | Validate format |
| 400 | Too many stealers | Reduce batch size to ≤50 |
| 404 | Stealer not found | Verify ID exists |
| 408 | Request timeout | Reduce batch size |
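Three of the four errors above are answered by the same move: make the request smaller. An added example (not code from this documentation or its client library) of a batching wrapper that never sends more than 50 IDs, splits a batch in half on 400, 404 or 408 and retries both halves, and only once a batch is down to a single ID records that ID as invalid or not found. `ApiError` and the `FakeApi` class are constructed stand-ins: the real client's exception type is not shown on the page, and the fake server's timeout threshold of 20 IDs is arbitrary.

```python
import asyncio

MAX_BATCH = 50  # the endpoint accepts 1-50 IDs per request


class ApiError(Exception):
    """ASSUMPTION: stand-in for whatever the real client raises on a non-2xx response."""

    def __init__(self, status, message):
        super().__init__(f"{status} {message}")
        self.status = status


async def _query(api, ids, params, report):
    try:
        page = await api.post("/search-by-stealer", {"stealers": ids, **params})
    except ApiError as err:
        if err.status in (400, 404, 408) and len(ids) > 1:
            # Halve and retry: isolates a malformed/unknown ID and shrinks a timed-out batch.
            half = len(ids) // 2
            await _query(api, ids[:half], params, report)
            await _query(api, ids[half:], params, report)
        elif err.status == 400:
            report["invalid"].append(ids[0])
        elif err.status == 404:
            report["not_found"].append(ids[0])
        else:
            raise  # a single ID that still times out, or any other status, is not ours to hide
        return
    report["results"].extend(page.get("data", []))


async def search_in_batches(api, stealer_ids, **params):
    """Query any number of IDs in <=50-ID requests; returns results plus the IDs that could not be resolved."""
    report = {"results": [], "invalid": [], "not_found": []}
    for i in range(0, len(stealer_ids), MAX_BATCH):
        await _query(api, stealer_ids[i:i + MAX_BATCH], params, report)
    return report


class FakeApi:
    """Constructed server: 400 above 50 IDs or on a malformed ID, 408 above 20 IDs, 404 on an unknown ID."""

    def __init__(self, known):
        self.known = set(known)
        self.calls = 0
        self.largest = 0

    async def post(self, path, body):
        ids = body["stealers"]
        self.calls += 1
        self.largest = max(self.largest, len(ids))
        if len(ids) > MAX_BATCH:
            raise ApiError(400, "Too many stealers")
        if any("_" not in s for s in ids):
            raise ApiError(400, "Invalid stealer ID")
        if len(ids) > 20:  # arbitrary timeout threshold for the fake
            raise ApiError(408, "Request timeout")
        if any(s not in self.known for s in ids):
            raise ApiError(404, "Stealer not found")
        return {"data": [{"stealer": s, "credentials": []} for s in ids], "nextCursor": None}


def run_demo():
    known = [f"XX_10.0.0.{i}" for i in range(1, 59)]  # 58 constructed, well-formed IDs
    ids = known + ["XX_10.0.0.99", "bad-id"]           # plus one unknown and one malformed
    api = FakeApi(known)
    report = asyncio.run(search_in_batches(api, ids, sort_by="date_compromised"))
    return {"found": len(report["results"]), "invalid": report["invalid"],
            "not_found": report["not_found"], "largest_request": api.largest, "requests": api.calls}


if __name__ == "__main__":
    print(run_demo())
```

Binary splitting costs at most a logarithmic number of extra requests per bad ID, so one malformed entry in a batch of 50 no longer discards the other 49 results.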
- Encrypt sensitive data
- Limit access to results
- Implement audit logging
- Set retention policies

- Document investigations
- Track access patterns
- Monitor search volumes
- Secure findings

- Validate stealer IDs
- Monitor API usage
- Track investigation patterns
- Secure communications

- Forward findings
- Create alerts
- Track investigations
- Monitor patterns

- Share stealer IDs
- Track campaigns
- Monitor patterns
- Update blocklists

- Document findings
- Track remediation
- Monitor effectiveness
- Update procedures

- Batch related queries
- Cache common results
- Implement rate limiting
- Monitor timeouts

- Filter relevant data
- Group related findings
- Analyze patterns
- Generate reports

- New stealer families
- Large campaigns
- Critical assets
- Pattern changes

- Search volumes
- Result patterns
- Error rates
- Response times