Manual file triage doesn't scale. If you're pulling samples from a sandbox, an EDR drop, or an IR ticket, you want a single API call that runs static checks and hands you back a structured verdict. Blue Lantern's API does that.
Prerequisites
- A Blue Lantern API key.
- A scripting environment that speaks HTTP.
- Each file under 4.5 MB.
Submitting a file
POST the file to /runs with tool set to STATICMALWAREANALYZER, and toggle the checks you want:
- check_malicious_strings — match against Blue Lantern's internal string set.
- check_extract_iocs — pull IOCs out of the file (verbose, off by default).
- check_sections — look at sectional entropy for signs of packing.
- check_yara — run the default YARA ruleset.
- check_entropy — compute entropy on the whole file.
- check_file_type — flag mismatches between extension and detected type.
curl --location 'https://api.bluelanternsecurity.io/runs' \
--header 'Authorization: [API KEY]' \
--form 'tool="STATICMALWAREANALYZER"' \
--form 'checkCost="false"' \
--form 'file=@"[PATH TO FILE]"' \
--form 'check_malicious_strings="true"' \
--form 'check_sections="true"' \
--form 'check_yara="true"' \
--form 'check_entropy="true"' \
--form 'check_file_type="true"'
You get back a jobId used for everything that follows.
Polling and retrieving results
Same shape as the email API: GET /runs/[JOB ID] to check status, then POST to /results with the jobId once the run is COMPLETE.
curl --location 'https://api.bluelanternsecurity.io/results' \
--header 'Content-Type: application/json' \
--header 'Authorization: [API KEY]' \
--data '{"jobId": "[JOB ID]"}'
What you get back
The results include one entry per file, with:
- YARA matches — any rules that fired.
- Malicious string findings — counts plus the specific red flags identified.
- Section / window analysis — per-window entropy and anomaly flags (high entropy, packer hints, encoded blobs).
- Whole-file entropy — useful as a coarse packed/encrypted signal.
- Total cost — credits spent on this run.
Checks you didn't enable come back as null, so the structure is stable across configurations.
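To read the two entropy fields side by side, here is an added local sketch (not Blue Lantern's code or API output) of why a per-window pass catches what the whole-file number dilutes. The window size, threshold, and sample bytes are assumptions constructed for this example.

```python
import math
import random
from collections import Counter

WINDOW = 1024        # assumed window size in bytes, not Blue Lantern's value
HIGH_ENTROPY = 7.2   # assumed bits/byte threshold for "looks packed or encrypted"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def window_report(data: bytes, window: int = WINDOW, threshold: float = HIGH_ENTROPY):
    """Return (whole_file_entropy, [(offset, entropy, flagged), ...])."""
    rows = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:
            continue  # a short tail has too few bytes for a meaningful estimate
        h = shannon_entropy(chunk)
        rows.append((off, round(h, 2), h >= threshold))
    return shannon_entropy(data), rows


def build_sample() -> bytes:
    """Constructed sample: 16 KiB of repetitive text with a 2 KiB random blob at 0x2000."""
    rng = random.Random(1234)  # fixed seed keeps the sample reproducible
    filler = b"mov eax, [ebp+8]; call sub_401000; ret\n"
    plain = (filler * 500)[:16384]
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    return plain[:8192] + blob + plain[8192 + 2048:]


if __name__ == "__main__":
    whole, rows = window_report(build_sample())
    print(f"whole-file entropy: {whole:.2f} bits/byte (threshold {HIGH_ENTROPY})")
    for off, h, flagged in rows:
        if flagged:
            print(f"  window @ {off:#06x}: {h:.2f} bits/byte  HIGH")
```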
Retention
Submitted files are kept for at most one day. Reports are kept for at most one week.
Wire it into your case management or SOAR and stop manually firing off ad-hoc CLI scans.