Sandbox Tags
Tags are automatically generated based on the analysis of capabilities and characteristics of the sample, providing a concise summary of key findings.
Tags are colored according to their data type or the severity context in which they were generated. The most common tag colors are:
In addition to the predefined list of tags, some tags are dynamically derived from sandbox components or external sources, such as:
- Threat indicators
- YARA rules
- Malware family attribution from supported configuration extractors
- CVE identifiers related to vulnerabilities
- MISP Galaxy family names
Note that each supported file type has its own media type tag not listed here!
Analysis Tags (Sorted)
| Tag | Description |
|---|---|
| | Targets 64-bit architecture |
| | Threat indicator severity has been adjusted based on the adaptive context |
| | Displays unwanted ads or collects data for advertising purposes |
| | Contains anti-debugging capabilities |
| | Attempts to disable or evade security tools |
| | Detects virtual environments |
| | Found Advanced Persistent Threat-related activities |
| | Provides a backdoor for unauthorized remote access |
| | Targets financial data |
| | Attempts botnet communication |
| | Brings Your Own Vulnerable Driver to exploit kernel vulnerabilities |
| | Script compiled into an executable file |
| | Damaged or malformed file, often to evade analysis |
| | Windows Control Panel |
| | Involves cryptographic operations |
| | Delphi programming language |
| | Contains disassembled code |
| | Delivers additional payloads |
| | Contains embedded Office equation objects |
| | Attempts to evade detection |
| | Targets specific software vulnerabilities |
| | Gathers system information to identify or profile the environment |
| | Enables malicious execution only in specific geographical regions |
| | Go programming language |
| | Suspicious or potentially unwanted software (PUP) |
| | Detected hacktool artifacts |
| | Identified as known installer |
| | Contains a digital signature that is invalid or tampered with |
| | Contains keylogging capabilities |
| | Identified language, where "x" is the language code; this is often related to the attack target. Common codes are "uk" (Ukrainian), "ru" (Russian), or "zh" (Chinese) |
| | A file unusually large, possibly bloated to hinder analysis |
| | Living-off-the-land binary |
| | Uses Office macros |
| | Executes code when the document is edited |
| | Executes code when the document is closed |
| | Executes code on a specific user or system event |
| | Executes code when the document is opened |
| | Pretends to be legitimate software to deceive users |
| | Linked to the Metasploit penetration testing framework |
| | Detected Mirai artifacts |
| | Exploits moniker-based links |
| | Leverages Microsoft Support Diagnostic Tool for execution |
| | Presents obfuscated data to evade detection |
| | Contains an overlay, appended data at the end of the file |
| | Original executable has been packed to protect against analysis |
| | Gains persistence to maintain presence after a reboot |
| | Detected phishing attempt |
| | Uses ping tool for checking connectivity |
| | File with multiple interpretable formats to bypass defenses |
| | Obfuscates Python scripts with Pyarmor |
| | Python-compiled PE file with PyInstaller |
| | Uses QR codes |
| | Detected ransomware activities |
| | Detected Remote Access Trojan artifacts |
| | Executes code dynamically via .NET reflection |
| | Uses a certificate that has been revoked |
| | Uses a self-signed and untrusted certificate |
| | Simulates user keystrokes |
| | Self-extracting archive |
| | Contains malicious shellcode |
| | File is digitally signed |
| | Performs Server Message Block (SMB) communication |
| | Monitors and exfiltrates sensitive user data |
| | Targets sensitive data |
| | Strips content to evade detection |
| | Attempts TOR communication |
| | Detected VBA stomping to bypass detection |
| | Exploits WebDAV protocol for file transfer |
| | Installer created using WiX toolset |
See the "Technical Datasheet" for a complete list of features: https://docs.opswat.com/filescan/datasheet/technical-datasheet