Sandbox Tags

Tags are automatically generated based on the analysis of capabilities and characteristics of the sample, providing a concise summary of key findings.

Tags have colors based on their data type or severity context in which they were generated. The most common tag colors are: mediatype informational suspicious likely malicious or malicious

In addition to the predefined list of tags, some tags are dynamically derived from sandbox components or external sources, such as:

Threat indicators
YARA rules
Malware family attribution from supported configuration extractors
CVE identifiers related to vulnerabilities
MISP Galaxy family names

Note that each supported file type has its own media type tag not listed here!

Analysis Tags (Sorted)

Color used for each tag does not represent the actual severity.

Tag	Description
64bits	Targets 64-bit architecture
adaptive-context	Threat indicator severity has been adjusted based on the adaptive context
adware	Displays unwanted ads or collects data for advertising purposes
anti-debug	Contains anti-debugging capabilities
anti-security	Attempts to disable or evade security tools
anti-vm	Detects virtual environments
apt	Found Advanced Persistent Threat-related activities
backdoor	Provides a backdoor for unauthorized remote access
banker	Targets financial data
botnet	Attempts botnet communication
byovd	Brings Your Own Vulnerable Driver to exploit kernel vulnerabilities
compiled-script	Script compiled into an executable file
corrupted	Damaged or malformed file, often to evade analysis
cpl	Windows Control Panel
crypto	Involves cryptographic operations
delphi	Delphi programming language
disassembled	Contains disassembled code
dropper	Delivers additional payloads
embedequation	Contains embedded Office equation objects
evasive	Attempts to evade detection
exploit	Targets specific software vulnerabilities
fingerprint	Gathers system information to identify or profile the environment
geofencing	Enables malicious execution only in specific geographical regions
golang	Go programming language
greyware	Suspicious or potentially unwanted software (PUP)
hacktool	Detected hacktool artifacts
installer	Identified as known installer
invalid-signature	Contains a digital signature that is invalid or tampered with
keylogger	Contains keylogging capabilities
language-x	Identified language (being "x" the language code), which is often related to the attack target. Common codes are "uk" (Ukrainian), "ru" (Russian), or "zh" (Chinese)
large-file	A file unusually large, possibly bloated to hinder analysis
lolbin	Living-off-the-land binary
macros	Uses Office macros
macros-on-change	Executes code when the document is edited
macros-on-close	Executes code when the document is closed
macros-on-event	Executes code on specific user or system event
macros-on-open	Executes code when the document is open
masquerade	Pretends to be legitimate software to deceive users
metasploit	Linked to the Metasploit penetration testing framework
mirai	Detected Mirai artifacts
monikerlink	Exploits moniker-based links
msdt	Leverages Microsoft Support Diagnostic Tool for execution
obfuscated	Presents obfuscated data to evade detection
overlay	Contains an overlay, appended data at the end of the file
packed	Original executable has been packed to protect against analysis
persistence	Gains persistence to maintain presence after a reboot
phishing	Detected phishing attempt
ping	Uses ping tool for checking connectivity
polyglot	File with multiple interpretable formats to bypass defenses
pyarmor	Obfuscates Python scripts with Pyarmor
pyinstaller	Python-compiled PE file with PyInstaller
qrcode	Uses QR codes
ransomware	Detected ransomware activities
rat	Detected Remote Access Trojan artifacts
reflection	Executes code dynamically via NET reflection
revoked-cert	Uses a certificate that has been revoked
self-signed-cert	Uses self-signed and untrusted certificate
sendkeys	Simulates user keystrokes
sfx	Self-extracting archive
shellcode	Contains malicious shellcode
signed	File is digitally signed
smb	Performs Server Message Block (SMB) communication
spyware	Monitors and exfiltrates sensitive user data
stealer	Targets sensitive data
stripped	Strips content to evade detection
tor	Attempts TOR communication
vbastomped	Detected VBA stomping to bypass detection
webdav	Exploits WebDAV protocol for file transfer
wix	Installer created using WiX toolset

Last updated on

Was this page helpful?