Intezer Analyze Cheat Sheet
Overview
Intezer Analyze is a malware analysis platform that uses “Genetic Code Analysis” — a technique that identifies code reuse at the binary level to classify and attribute malware. Just as DNA analysis can identify organisms by their genetic makeup, Intezer decomposes executables into small code fragments (“genes”) and compares them against a vast database of known malware families, threat actors, and legitimate software. This approach can identify malware variants even when they have been repacked, recompiled, or slightly modified, since the underlying code building blocks remain the same.
The platform provides automated analysis of PE, ELF, Mach-O, Android APK, and memory dumps, offering verdicts on whether a file is malicious, suspicious, or trusted. Results include code reuse percentages showing which malware families or legitimate software libraries share code with the sample, MITRE ATT&CK technique mapping, extracted indicators of compromise, and detailed behavioral analysis from sandbox execution. Intezer offers both a web interface and a REST API with Python SDK, making it suitable for manual analysis, automated triage pipelines, and SOC alert enrichment workflows.
Installation
Python SDK
# Install Intezer SDK
pip install intezer-sdk
# Set API key
export INTEZER_API_KEY="your-api-key-here"
# Verify
python3 -c "from intezer_sdk import api; print('SDK loaded')"CLI Tool
# Install Intezer CLI
pip install intezer-analyze-cli
# Configure API key
intezer-analyze config set api-key your-api-key-here
# Verify connection
intezer-analyze account infoAPI Key Setup
# Get API key from: https://analyze.intezer.com/account-details
# Free community edition available with limited daily submissions
# Environment variable (recommended)
export INTEZER_API_KEY="your-api-key-here"
# Or configure in SDK
from intezer_sdk import api
api.set_global_api(api_key="your-api-key-here")Core Commands
CLI Usage
| Command | Description |
|---|---|
intezer-analyze analyze <file> | Submit file for analysis |
intezer-analyze analyze --hash <hash> | Analyze by hash (no upload) |
intezer-analyze analyze --url <url> | Submit URL for analysis |
intezer-analyze index <file> | Index a trusted/known file |
intezer-analyze account info | Show account details and quota |
# Analyze a file
intezer-analyze analyze malware.exe
# Analyze by SHA256 hash (checks existing database)
intezer-analyze analyze --hash a1b2c3d4e5f6...
# Analyze with specific options
intezer-analyze analyze --wait malware.exe
# Analyze URL
intezer-analyze analyze --url "https://suspicious-domain.com/payload.exe"
# Batch analyze directory
for f in /samples/*; do
echo "Submitting: $f"
intezer-analyze analyze "$f" &
done
waitPython SDK
Basic Analysis
from intezer_sdk import api
from intezer_sdk.analysis import FileAnalysis, HashAnalysis
# Initialize API
api.set_global_api(api_key="your-api-key-here")
# Analyze file
analysis = FileAnalysis(file_path="/path/to/malware.exe")
analysis.send(wait=True)
# Get results
result = analysis.result()
print(f"Verdict: {result['verdict']}")
print(f"Sub-verdict: {result.get('sub_verdict', 'N/A')}")
print(f"SHA256: {result['sha256']}")
# Code reuse analysis
for gene_family in result.get('reused_gene_families', []):
print(f"Code reuse: {gene_family['family_name']} ({gene_family['reuse_count']} genes)")Hash Lookup
from intezer_sdk.analysis import HashAnalysis
# Check if hash is already analyzed
analysis = HashAnalysis(file_hash="a1b2c3d4e5f6...")
try:
analysis.send(wait=True)
result = analysis.result()
print(f"Verdict: {result['verdict']}")
except Exception as e:
print(f"Hash not found: {e}")Endpoint Analysis
from intezer_sdk.endpoint_analysis import EndpointAnalysis
# Analyze endpoint scan results
analysis = EndpointAnalysis(
scanner_output_path="/path/to/endpoint_scan.json"
)
analysis.send(wait=True)
result = analysis.result()
for alert in result.get('alerts', []):
print(f"Alert: {alert['alert_name']} - {alert['severity']}")Batch Processing
from intezer_sdk import api
from intezer_sdk.analysis import FileAnalysis
import os
import json
api.set_global_api(api_key="your-api-key-here")
def analyze_directory(sample_dir):
"""Analyze all files in a directory."""
results = []
for filename in os.listdir(sample_dir):
filepath = os.path.join(sample_dir, filename)
if not os.path.isfile(filepath):
continue
try:
analysis = FileAnalysis(file_path=filepath)
analysis.send(wait=True)
result = analysis.result()
results.append({
'file': filename,
'verdict': result['verdict'],
'sha256': result['sha256'],
'families': [f['family_name'] for f in result.get('reused_gene_families', [])]
})
print(f" {filename}: {result['verdict']}")
except Exception as e:
results.append({'file': filename, 'error': str(e)})
return results
results = analyze_directory("/malware/samples")
with open("analysis_results.json", "w") as f:
json.dump(results, f, indent=2)REST API
Direct API Calls
# Get access token
TOKEN=$(curl -s -X POST "https://analyze.intezer.com/api/v2-0/get-access-token" \
-H "Content-Type: application/json" \
-d "{\"api_key\": \"$INTEZER_API_KEY\"}" | jq -r '.result')
# Submit file for analysis
curl -X POST "https://analyze.intezer.com/api/v2-0/analyze" \
-H "Authorization: Bearer $TOKEN" \
-F "file=@malware.exe"
# Check analysis status
curl -s "https://analyze.intezer.com/api/v2-0/analyses/<analysis-id>" \
-H "Authorization: Bearer $TOKEN" | jq .
# Analyze by hash
curl -X POST "https://analyze.intezer.com/api/v2-0/analyze-by-hash" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"hash": "a1b2c3d4e5f6..."}'
# Get sub-analyses (code reuse details)
curl -s "https://analyze.intezer.com/api/v2-0/analyses/<analysis-id>/sub-analyses" \
-H "Authorization: Bearer $TOKEN" | jq '.sub_analyses[]'Configuration
SDK Configuration
from intezer_sdk import api, consts
# Configure API
api.set_global_api(
api_key="your-api-key",
api_url="https://analyze.intezer.com/api", # Or on-premise URL
on_premise_version=consts.OnPremiseVersion.V22_10 # If on-premise
)
# Configure timeouts
import intezer_sdk
intezer_sdk.consts.REQUEST_TIMEOUT = 300 # 5 minutesIntegration with SOAR
# Cortex XSOAR / Splunk SOAR integration example
def enrich_indicator(sha256_hash):
"""Enrich a file hash with Intezer analysis."""
from intezer_sdk import api
from intezer_sdk.analysis import HashAnalysis
api.set_global_api(api_key="your-api-key")
analysis = HashAnalysis(file_hash=sha256_hash)
analysis.send(wait=True)
result = analysis.result()
return {
'verdict': result['verdict'],
'threat_name': result.get('family_name', 'Unknown'),
'confidence': result.get('confidence', 0),
'ttps': result.get('ttps', []),
'iocs': result.get('iocs', {}),
'analysis_url': result.get('analysis_url', '')
}Advanced Usage
Memory Dump Analysis
# Analyze process memory dump
analysis = FileAnalysis(
file_path="/path/to/memory.dmp",
file_name="process_dump.dmp"
)
analysis.send(wait=True)
result = analysis.result()Indexing Known-Good Software
from intezer_sdk.index import Index
# Index trusted software to reduce false positives
index = Index(
file_path="/path/to/trusted_app.exe",
index_as="trusted",
family_name="MyCompanyApp"
)
index.send(wait=True)Automated Alert Triage
import json
from intezer_sdk import api
from intezer_sdk.analysis import FileAnalysis
api.set_global_api(api_key="your-api-key")
def triage_alert(file_path):
"""Automated alert triage using Intezer."""
analysis = FileAnalysis(file_path=file_path)
analysis.send(wait=True)
result = analysis.result()
verdict = result['verdict']
if verdict == 'malicious':
return {
'action': 'escalate',
'priority': 'high',
'family': result.get('family_name'),
'ttps': result.get('ttps', [])
}
elif verdict == 'suspicious':
return {
'action': 'investigate',
'priority': 'medium',
'details': result.get('sub_verdict')
}
else:
return {
'action': 'close',
'priority': 'low',
'reason': f"Classified as {verdict}"
}Troubleshooting
| Issue | Solution |
|---|---|
| Authentication failed | Verify API key is correct and not expired |
| Rate limit exceeded | Community edition has daily limits; upgrade or add delays between requests |
| File too large | Maximum file size is typically 150MB; split or compress if needed |
| Analysis timeout | Increase wait timeout in SDK; complex samples take longer |
| Hash not found | File hasn’t been analyzed before; submit the file instead of hash |
| Connection error | Check network connectivity and proxy settings |
| SDK import error | Ensure correct version: pip install --upgrade intezer-sdk |
| On-premise connection | Verify API URL and on-premise version configuration |