malware-mixer v1 API
The Malware Mixer REST API lets you programmatically search for malware hashes across connected services, transfer samples between platforms, and manage your integrations and API keys. All endpoints live under /api/v1.
https://malwaremixer.com/api/v1#Overview
All requests and responses use JSON. Timestamps are ISO 8601. Hashes may be MD5 (32 hex), SHA1 (40 hex), or SHA256 (64 hex). The API auto-detects hash type by length.
#Authentication
Every request must be authenticated via one of two methods:
>Option 1: Session cookie
If you are logged in through the web dashboard, your browser session cookie authenticates API requests automatically. This is the default for in-app calls.
>Option 2: API key
For programmatic access, pass your API key in the x-api-key header. Generate keys from the API Keys dashboard page.
curl -s "https://malwaremixer.com/api/v1/search?hash=abc123..." \
-H "x-api-key: mm_live_a1b2c3d4e5f6..."Keys use the prefix mm_live_ followed by 48 random hex characters. Keys are hashed with SHA-256 at rest and shown only once on creation. Revoked or expired keys return 401.
#Search
Look up a malware hash across all your connected integrations. Returns which services have been queued for lookup.
#Transfer
Create a transfer job to move a malware sample from one platform to one or more destination platforms. The job fans out to each destination independently.
#Integrations
Manage your connected analysis platform integrations. Each integration stores an encrypted API key for the target service.
#API Keys
Create and manage your Malware Mixer API keys. Keys are shown only once on creation and stored as SHA-256 hashes at rest.
#Errors
All errors return a JSON object with an "error" field describing the issue.
| code | meaning |
|---|---|
400 | Bad request -- missing or invalid parameters |
401 | Unauthorized -- invalid, revoked, or expired credentials |
404 | Not found -- resource does not exist |
429 | Rate limited -- slow down and retry after Retry-After seconds |
500 | Server error -- something went wrong on our end |
{
"error": "invalid hash format. Expected MD5 (32), SHA1 (40), or SHA256 (64) hex string"
}#Rate Limits
API requests are rate-limited per API key. The current limits are returned in response headers. Exceeding limits returns a 429 status with a Retry-After header.
| header | description |
|---|---|
X-RateLimit-Limit | Max requests per window |
X-RateLimit-Remaining | Requests remaining in current window |
X-RateLimit-Reset | Unix timestamp when window resets |
#Supported Services
Malware Mixer integrates with 21 malware analysis platforms. Each service supports a subset of operations. Use the service_slug when connecting integrations or specifying transfer sources/destinations.
| service | slug | source | dest | auth header |
|---|---|---|---|---|
| VirusTotal | virustotal | Y | Y | x-apikey |
| ReversingLabs | reversinglabs | Y | Y | Basic Auth |
| MetaDefender | metadefender | -- | Y | apikey |
| Malware Bazaar | malware-bazaar | Y | Y | Auth-Key |
| Triage | triage | Y | Y | Bearer token |
| ANY.RUN | anyrun | Y | Y | API-Key {key} |
| CAPE | cape-public | Y | Y | Token {token} |
| CAPE | cape-private | Y | Y | Token {token} |
| MWDB | mwdb-public | Y | Y | Bearer JWT |
| MWDB | mwdb-private | Y | Y | Bearer JWT |
| Intezer | intezer | -- | Y | Bearer JWT |
| Joe Sandbox | joe-sandbox | Y | Y | POST param |
| Joe Sandbox | joe-sandbox-private | Y | Y | POST param |
| VMRay | vmray | Y | Y | api_key {key} |
| FileScan.io | filescan-io | Y | Y | X-Api-Key |
| PolySwarm | polyswarm | Y | Y | Authorization |
| URLScan.io | urlscan-io | -- | Y | API-Key |
| UnpacMe | unpacme | Y | Y | api_key |
| Malpedia | malpedia | Y | -- | apitoken {token} |
| Hybrid Analysis | hybrid-analysis | Y | Y | api-key |
>Common Notes
- *SHA-256 is the recommended hash type across all services.
- *File downloads from some services (MalwareBazaar, Hybrid Analysis) come as password-protected archives. Password is typically
infected. - *Services with custom URLs (CAPE Private, MWDB Private, Triage Private, Joe Private) accept a
base_urlfield during integration setup. - *All upstream service rate limits are respected. If a destination returns 429, the transfer destination status will reflect "rate_limited" with a retry.
>Quick Start Example
A full workflow: connect VirusTotal, generate an API key, search a hash, then transfer it.
curl -s -X POST "https://malwaremixer.com/api/v1/integrations" \
-H "x-api-key: mm_live_..." \
-H "Content-Type: application/json" \
-d '{ "service_slug": "virustotal", "api_key": "YOUR_VT_KEY" }'curl -s -X POST "https://malwaremixer.com/api/v1/integrations" \
-H "x-api-key: mm_live_..." \
-H "Content-Type: application/json" \
-d '{ "service_slug": "malware-bazaar", "api_key": "YOUR_MB_KEY" }'curl -s "https://malwaremixer.com/api/v1/search?hash=44d88612fea8a8f36de82e1278abb02f" \
-H "x-api-key: mm_live_..."curl -s -X POST "https://malwaremixer.com/api/v1/transfer" \
-H "x-api-key: mm_live_..." \
-H "Content-Type: application/json" \
-d '{
"hash": "44d88612fea8a8f36de82e1278abb02f",
"source": "virustotal",
"destinations": ["malware-bazaar"]
}'malware-mixer api v1 · last updated february 2026