Sandbox Tags

Tags are automatically generated based on the sample's analysis, providing a concise summary of key findings.

Tags are color-coded based on their severity context, with common colors like mediatype, likely malicious or malicious, and no threat or suspicious.

Some tags are dynamically derived from sandbox components or external sources, including:

Info

Note that each supported file type has its own media type tag not listed here!

Attention!

Color used for each tag does not represent the actual severity.

Tag

Description

64bits

Targets 64-bit architecture

adaptive-context

Threat indicator severity has been adjusted based on the adaptive context

adware

Displays unwanted ads or collects data for advertising purposes

aidetect

Web threat detection by AI models

anti-debug

Contains anti-debugging capabilities

anti-security

Attempts to disable or evade security tools

anti-vm

Detects virtual environments

apt

Found Advanced Persistent Threat-related activities

backdoor

Provides a backdoor for unauthorized remote access

banker

Targets financial data

base64

Found Base64-encoded data or decoding functionality

bloated

Bloated executable to evade heuristic and malware analysis

botnet

Attempts botnet communication

byovd

Brings Your Own Vulnerable Driver to exploit kernel vulnerabilities

compiled-script

Script compiled into an executable file

corrupted

Damaged or malformed file, often to evade analysis

cpl

Windows Control Panel

crypto

Involves cryptographic operations

delphi

Delphi programming language

disassembled

Contains disassembled code

dropper

Delivers additional payloads

embedequation

Contains embedded Office equation objects

evasive

Attempts to evade detection

exploit

Targets specific software vulnerabilities

expired-cert

Contains an expired certificate

fingerprint

Gathers system information to identify or profile the environment

geofencing

Enables malicious execution only in specific geographical regions

golang

Go programming language

greyware

Suspicious or potentially unwanted software (PUP)

hacktool

Detected hacktool artifacts

installer

Identified as known installer

invalid-signature

Contains a digital signature that is invalid or tampered with

keylogger

Contains keylogging capabilities

language-x

Identified language (being "x" the language code), which is often related to the attack target. Common codes are "uk" (Ukrainian), "ru" (Russian), or "zh" (Chinese)

large-file

A file unusually large, possibly bloated to hinder analysis

lolbin

Living-off-the-land binary

macros

Uses Office macros

macros-on-change

Executes code when the document is edited

macros-on-close

Executes code when the document is closed

macros-on-event

Executes code on specific user or system event

macros-on-open

Executes code when the document is open

masquerade

Pretends to be legitimate software to deceive users

metasploit

Linked to the Metasploit penetration testing framework

mirai

Detected Mirai artifacts

monikerlink

Exploits moniker-based links

msdt

Leverages Microsoft Support Diagnostic Tool for execution

obfuscated

Presents obfuscated data to evade detection

overlay

Contains an overlay, appended data at the end of the file

packed

Original executable has been packed to protect against analysis

persistence

Gains persistence to maintain presence after a reboot

phishing

Detected phishing attempt

ping

Uses ping tool for checking connectivity

polyglot

File which can be considered of multiple file types to bypass defenses

pyarmor

Obfuscates Python scripts with Pyarmor

pyinstaller

Python-compiled PE file with PyInstaller

qrcode

Uses QR codes

ransomware

Detected ransomware activities

rat

Detected Remote Access Trojan artifacts

reconnaissance

File capabilities include information discovery/enumeration about the target system

reflection

Executes code dynamically via NET reflection

revoked-cert

Uses a certificate that has been revoked

self-signed-cert

Uses self-signed and untrusted certificate

sendkeys

Simulates user keystrokes

sfx

Self-extracting archive

shellcode

Contains malicious shellcode

signed

File is digitally signed

smb

Performs Server Message Block (SMB) communication

spyware

Monitors and exfiltrates sensitive user data

stealer

Targets sensitive data

stripped

Strips content to evade detection

tor

Attempts TOR communication

vbastomped

Detected VBA stomping to bypass detection

webdav

Exploits WebDAV protocol for file transfer

wix

Installer created using WiX toolset


On This Page
Sandbox Tags