Hybrid Analysis:

Hybrid Analysis is a free (not open source) community malware analysis service operated by CrowdStrike and built on its Falcon Sandbox. Submitted samples are detonated in an instrumented sandbox and subjected to static and behavioral analysis, and the resulting report describes the observed behaviors (file, registry, process and network activity) together with extracted indicators of compromise. Both enterprise security teams and individual researchers use it to triage unknown samples and to share findings with the community.



Falcon Sandbox is an automated malware analysis tool developed by CrowdStrike. It is designed to help security teams analyze and understand sophisticated, evasive, and unknown threats. Falcon Sandbox performs deep analysis of malware, enriches the results with threat intelligence, and delivers actionable indicators of compromise (IOCs). Its hybrid analysis approach combines static and runtime analysis so that unknown and zero-day exploits can be surfaced even when a sample tries to detect and evade the sandbox.
Falcon Sandbox is licensed on a subscription basis, priced by the number of files analyzed per month. It offers configurable settings that control how malware is detonated, integrations with SOAR tools, and a REST API for file submission and search. The same engine is also available as a free malware analysis service for the community, known as Hybrid Analysis.
Falcon Sandbox gives security teams of all skill levels visibility into the full attack lifecycle, including file, network, memory, and process activity, which shortens response times. For more information about Falcon Sandbox, visit CrowdStrike's official website or watch a demonstration video.

A set of related files can be submitted together as one archive, subject to these additional conditions:

• The archive format must be ZIP.
• The archive must designate a start file (the file the sandbox executes first).
• All files within the archive (excluding directories) must be located in the same directory as the start file.
• To tell the sandbox which file to execute, an "init.properties" file must be included next to the start file. It must contain a single line of the form startFile=[startFileName].

For instance: startFile=sample.exe

The free service also exposes "Quick Scan" endpoints, which run CrowdStrike Falcon Static Analysis (ML) and Metadefender AV scans on a file without a full sandbox detonation, so results come back quickly. For bulk scans, either use the 'scan_file' command of the open source VxAPI Python API connector's command line interface, or call the Quick Scan endpoints directly.


Supporting Platforms:

Hybrid (static and runtime) analysis is currently supported for Windows XP, Vista, 7, 8 and 10 guests, and extensive static analysis is available for Android APK files. Falcon Sandbox runs its guests on VirtualBox and on VMware products such as ESXi.

Falcon Sandbox provides various integrations, such as:

• VirusTotal and OPSWAT Metadefender (both online and on-site)
• SIEM systems like HP ArcSight
• NSRL (Whitelist)
• Thug honeyclient for URL exploit analysis
• Suricata (ETOpen/ETPro rules)
• TOR to avoid external IP fingerprinting
• Phantom

File Limitations:

Archives can be uploaded in the following formats, with or without a password: ace, arj, 7z, bzip2, gzip2, iso, rar, rev, tar, wim, xz, and zip. If the archive is password-protected, only the conventional password 'infected' is accepted.
Additional limits for archives:
• Maximum number of files: 20
• Maximum nested level: 1
• Maximum size of an archive: 100MB
• Maximum size of a single file in the archive: 100MB
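The following script builds a multi-file submission archive of the kind described in the ZIP conditions above (start file plus init.properties) and checks it against the archive limits just listed before anything is uploaded. It is an added example, not CrowdStrike or VxAPI code: the limits are copied from this page, the sample files are constructed PE stubs, and "nested level" is interpreted here as directory depth inside the ZIP, which the page does not define.

```python
"""
Build a multi-file submission archive for Falcon Sandbox / Hybrid Analysis and check it
against the archive rules stated on the page. Added example, not CrowdStrike code.
"""
import io
import posixpath
import zipfile

INIT_FILE = "init.properties"
MAX_FILES = 20                        # page: maximum number of files
MAX_NESTING = 1                       # page: maximum nested level (assumed: directory depth)
MAX_ARCHIVE_BYTES = 100 * 1024 * 1024  # page: maximum archive size
MAX_MEMBER_BYTES = 100 * 1024 * 1024   # page: maximum size of a single file


def build_submission_zip(files, start_file):
    """files maps archive path -> bytes. Writes init.properties next to start_file."""
    if start_file not in files:
        raise ValueError(f"start file {start_file!r} is not among the files")
    if len(files) + 1 > MAX_FILES:  # +1 for init.properties itself
        raise ValueError("too many files for one submission archive")
    start_dir = posixpath.dirname(start_file)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        # startFile is a bare file name; the sandbox resolves it relative to init.properties.
        zf.writestr(posixpath.join(start_dir, INIT_FILE),
                    f"startFile={posixpath.basename(start_file)}\n")
    return buf.getvalue()


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def validate_submission_zip(blob):
    """Return a list of rule violations; an empty list means the archive is acceptable."""
    problems = []
    if len(blob) > MAX_ARCHIVE_BYTES:
        problems.append("archive exceeds 100MB")
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return ["archive is not a ZIP file"]
    with zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        if len(members) > MAX_FILES:
            problems.append(f"{len(members)} files, maximum is {MAX_FILES}")
        for info in members:
            if info.file_size > MAX_MEMBER_BYTES:
                problems.append(f"{info.filename} exceeds 100MB")
            if info.filename.count("/") > MAX_NESTING:
                problems.append(f"{info.filename} is nested deeper than level {MAX_NESTING}")
        names = [i.filename for i in members]
        inits = [n for n in names if posixpath.basename(n) == INIT_FILE]
        if len(inits) != 1:
            problems.append("archive must contain exactly one init.properties")
            return problems
        init_dir = posixpath.dirname(inits[0])
        start = parse_properties(zf.read(inits[0]).decode("utf-8", "replace")).get("startFile")
        if not start:
            problems.append("init.properties has no startFile= entry")
        elif posixpath.join(init_dir, start) not in names:
            problems.append(f"start file {start!r} is not next to init.properties")
        for n in names:
            if posixpath.dirname(n) != init_dir:
                problems.append(f"{n} is not in the same directory as the start file")
    return problems


if __name__ == "__main__":
    # Constructed sample: a PE stub plus a companion DLL, executed via sample.exe.
    payload = {"sample.exe": b"MZ" + b"\0" * 62, "helper.dll": b"MZ" + b"\0" * 62}
    archive = build_submission_zip(payload, "sample.exe")
    with open("submission.zip", "wb") as fh:
        fh.write(archive)
    print("problems:", validate_submission_zip(archive) or "none")
```

The validator counts init.properties as one of the 20 files, which is the conservative reading; it cannot check password-protected archives, since the standard library writes no ZIP encryption.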


API for the Web Interface:


The API is comprehensive, supporting a wide range of operations, such as single/bulk file and URL submissions, advanced search capabilities, report data retrieval, and data erasure (based on privileges). Registered users can generate a restricted free Public API key.

Advanced Search Options:

The advanced search options cover a variety of queries, allowing users to search for virus family names, reports that contacted specific IP addresses, domains, URLs, specific file types, fuzzy hash, #hashtag, shared artifacts, etc.

Examples of advanced search operators include:


• host:95.181.53.78
• port:3448
• domain:checkip.dyndns.org
• indicatorid:network-6 (Show all reports matching ‘Contacts Random Domain Names’)
• filetype:jar
• filetype_tag:hwp
• url:google
• similar-to:hash
• authentihash:hash
• tag:teslacrypt
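The API section and the search operators above map onto the same REST calls the VxAPI connector wraps. The script below is an added example rather than VxAPI itself: it translates web-interface search terms such as host:95.181.53.78 into a search/terms request and builds a Quick Scan file upload, using only the standard library so the requests can be inspected offline. The endpoint paths (/api/v2/quick-scan/file, /api/v2/search/terms), form field names and the "user-agent: Falcon Sandbox" header are taken from the public API v2 documentation as the author understands it; the operator-to-field mapping, the rejection of web-only operators such as indicatorid, and the HA_API_KEY environment variable are the author's assumptions.

```python
"""
Build Hybrid Analysis API v2 requests for Quick Scan and advanced search. Added example,
not the VxAPI connector; check endpoint and field names against the current API docs.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
import uuid

BASE_URL = "https://www.hybrid-analysis.com/api/v2"

# Web-UI search operators (as listed on the page) -> search/terms form fields.
# Assumption: indicatorid and filetype_tag are web-UI only and are rejected here.
OPERATOR_TO_FIELD = {
    "host": "host", "port": "port", "domain": "domain", "url": "url",
    "filetype": "filetype", "similar-to": "similar_to",
    "authentihash": "authentihash", "tag": "tag",
}


def common_headers(api_key):
    # The API rejects requests whose User-Agent is not "Falcon Sandbox".
    return {"api-key": api_key, "user-agent": "Falcon Sandbox", "accept": "application/json"}


def parse_search_query(query):
    """Turn 'host:1.2.3.4 port:3448' into {'host': '1.2.3.4', 'port': '3448'}."""
    terms = {}
    for token in query.split():
        op, sep, value = token.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed search term: {token!r}")
        field = OPERATOR_TO_FIELD.get(op.lower())
        if field is None:
            raise ValueError(f"operator {op!r} is not supported by the search/terms API")
        terms[field] = value
    return terms


def build_search_request(api_key, query):
    body = urllib.parse.urlencode(parse_search_query(query)).encode()
    headers = common_headers(api_key)
    headers["content-type"] = "application/x-www-form-urlencoded"
    return urllib.request.Request(f"{BASE_URL}/search/terms", data=body,
                                  headers=headers, method="POST")


def encode_multipart(fields, file_field, filename, content):
    """Hand-rolled multipart/form-data body; returns (body, content-type header)."""
    boundary = uuid.uuid4().hex
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}".encode(),
                  f'Content-Disposition: form-data; name="{name}"'.encode(), b"", str(value).encode()]
    lines += [f"--{boundary}".encode(),
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode(),
              b"Content-Type: application/octet-stream", b"", content]
    lines += [f"--{boundary}--".encode(), b""]
    return b"\r\n".join(lines), f"multipart/form-data; boundary={boundary}"


def build_quick_scan_request(api_key, filename, content, scan_type="all"):
    # scan_type "all" asks for every quick-scan engine (static ML and AV).
    body, ctype = encode_multipart({"scan_type": scan_type}, "file", filename, content)
    headers = common_headers(api_key)
    headers["content-type"] = ctype
    return urllib.request.Request(f"{BASE_URL}/quick-scan/file", data=body,
                                  headers=headers, method="POST")


def send(req):
    """Perform the request and decode the JSON reply (network access required)."""
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    key = os.environ["HA_API_KEY"]          # assumed variable holding the Public API key
    path = sys.argv[1]
    with open(path, "rb") as fh:
        data = fh.read()
    print(json.dumps(send(build_quick_scan_request(key, os.path.basename(path), data)), indent=2))
    print(json.dumps(send(build_search_request(key, "tag:teslacrypt filetype:jar")), indent=2))
```

Quick Scan returns a scan identifier that must be polled, and a Public API key is rate-limited, so a bulk loop should honour the limits reported in the response headers rather than fire submissions back to back.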

Behavior Indicators:

A behavior indicator is a small script that inspects one specific type of data or event recorded during analysis and flags a pattern of interest, which keeps each indicator small and independent of the others. For example, a registry indicator can detect that the sample adds itself to an autostart (Run) key, changes firewall settings, spawns or injects into a new process, or sends data to an unusual port. Indicators are categorized as malicious, suspicious, or informative, which makes it easier to understand what the analyzed software does and to pick out the areas that deserve further manual testing. Malicious indicators fire when the software exhibits behavior typically associated with malware, such as changing system settings without the user's consent.

Data for Analysis:

Behavior indicators can trigger on many data types and events, including registry accesses, strings in process memory, API calls, created mutexes (mutants) and files, network traffic, injected processes, disassembly instructions, and more. The full version ships with several hundred generic behavior indicators and thousands of ready-to-use YARA rules, and the set grows as the development team adds new indicators. Decrypted SSL/TLS traffic is included for Windows analyses on a per-host basis in the "Network Analysis" section of the report.
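To make the indicator model concrete, here is a toy indicator engine in the style described in the two sections above: each indicator is a small function over one kind of recorded event, hits carry the malicious/suspicious/informative category, and the report verdict is the most severe category seen. This is an added example, not Falcon Sandbox code; the event format, indicator names, port list and the sample trace (a process writing a Run key, injecting into another process and connecting to port 3448) are constructed for illustration.

```python
"""
Toy behavior-indicator engine modelled on the indicator categories described on the page.
Added example, not Falcon Sandbox code: event format, names and sample trace are constructed.
"""
from dataclasses import dataclass

MALICIOUS, SUSPICIOUS, INFORMATIVE = "malicious", "suspicious", "informative"
RANK = {MALICIOUS: 3, SUSPICIOUS: 2, INFORMATIVE: 1}


@dataclass
class Event:
    kind: str    # "registry", "api", "network" or "mutex"
    pid: int     # process that performed the action
    data: dict   # kind-specific fields


@dataclass
class Hit:
    indicator: str
    category: str
    evidence: list


RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# Assumed list of ports that are unremarkable for ordinary Windows software.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 445, 465, 587, 993, 995, 3389}


def persistence_via_run_key(events):
    keys = [e.data["key"] for e in events
            if e.kind == "registry" and e.data.get("op") == "set"
            and any(rk in e.data["key"].lower() for rk in RUN_KEYS)]
    return Hit("Writes to an autostart (Run) registry key", SUSPICIOUS, keys) if keys else None


def remote_process_injection(events):
    # Classic pattern: WriteProcessMemory followed by CreateRemoteThread against another pid.
    seen = {}
    for e in events:
        if e.kind == "api" and e.data["name"] in ("WriteProcessMemory", "CreateRemoteThread"):
            target = e.data.get("target_pid")
            if target is not None and target != e.pid:
                seen.setdefault((e.pid, target), set()).add(e.data["name"])
    pairs = [f"pid {src} -> pid {dst}" for (src, dst), names in seen.items()
             if {"WriteProcessMemory", "CreateRemoteThread"} <= names]
    return Hit("Injects code into a remote process", MALICIOUS, pairs) if pairs else None


def uncommon_port_traffic(events):
    conns = [f"{e.data['dst']}:{e.data['port']}" for e in events
             if e.kind == "network" and e.data["port"] not in COMMON_PORTS]
    return Hit("Sends data to an uncommon port", SUSPICIOUS, conns) if conns else None


def named_mutex_created(events):
    names = [e.data["name"] for e in events if e.kind == "mutex"]
    return Hit("Creates a named mutex", INFORMATIVE, names) if names else None


INDICATORS = (persistence_via_run_key, remote_process_injection,
              uncommon_port_traffic, named_mutex_created)


def run_indicators(events):
    """Run every indicator over the trace; return hits, most severe first."""
    hits = [h for h in (ind(events) for ind in INDICATORS) if h is not None]
    return sorted(hits, key=lambda h: RANK[h.category], reverse=True)


def overall_verdict(hits):
    if not hits:
        return "no findings"
    return max(hits, key=lambda h: RANK[h.category]).category


# Constructed trace: sample.exe (pid 1200) persists, injects into explorer.exe (pid 800),
# and the injected process beacons out. 198.51.100.23 is a documentation address.
SAMPLE_EVENTS = [
    Event("mutex", 1200, {"name": "Global\\tc_mutex_01"}),
    Event("registry", 1200, {"op": "set",
          "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
          "value": "C:\\Users\\victim\\AppData\\Roaming\\updater.exe"}),
    Event("api", 1200, {"name": "OpenProcess", "target_pid": 800}),
    Event("api", 1200, {"name": "WriteProcessMemory", "target_pid": 800}),
    Event("api", 1200, {"name": "CreateRemoteThread", "target_pid": 800}),
    Event("network", 800, {"dst": "198.51.100.23", "port": 3448, "proto": "tcp"}),
    Event("network", 800, {"dst": "checkip.dyndns.org", "port": 80, "proto": "tcp"}),
]

if __name__ == "__main__":
    hits = run_indicators(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.category:<11}] {h.indicator}: {', '.join(h.evidence)}")
    print("verdict:", overall_verdict(hits))
```

The injection indicator deliberately requires both API calls against the same target before it fires; a lone WriteProcessMemory is common in debuggers and installers, which is the kind of false positive that pushes an indicator from malicious down to suspicious in practice.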