CORE FEATURES
Sandbox
8 min
Flare offers the assistance of a sandbox for analyzing malicious files and links. Please note that this feature is an add-on and is not natively included.

Overview

The sandbox can be accessed through the Sandbox page on the left-hand menu. The top right side of the screen shows the sandbox quota remaining for the month. From here the user can start a new analysis or view the results of a previous analysis.

Analysis

Within the sandbox, Flare offers multiple ways for the end user to analyze a file. They are as follows:

- Interactive analysis: interactive analysis boots up a virtual machine in which you can interact with the file sample. This is useful for evaluating the specific actions the file takes when it is executed. Flare automatically determines which operating system best fits the file type and boots up the associated virtual machine. Since the virtual machine is permanently deleted afterwards, it is safe to execute the file and let it perform its malicious operations.
- Static analysis: static analysis runs in the background; you will not be able to interact with the file.

The sandbox offers multiple avenues for getting a file into the sandbox. They are the following:

- File upload: within the sandbox, press Analyze File or URL in the top left corner of the screen to display a menu where you can upload a file from your computer. Press the Upload button, or drag and drop the file from your computer, to upload it.
- File in Flare: when viewing a stealer log, press the Download button. An option will appear to analyze the file within the sandbox. When selected, the files are automatically sent from Flare to the sandbox, where the analysis occurs.
- URL: within the sandbox, press Analyze File or URL in the top left corner of the screen to display a menu where you can input a URL for the sandbox to analyze. Just like for files, static and interactive analysis are available, allowing the user to browse the website. Note: the sandbox currently does not support browsing onion links; by default, they will be labeled as suspicious.

Analysis Results

After the analysis completes (if interactive, close the virtual machine first), the analysis is processed in the background to generate the report. This can take up to 10 minutes. Once completed, the menu updates to reflect the verdict on the file. Pressing on the filename opens the report right within Flare. Here you can see the verdict, any matched YARA rules, MITRE TTPs, and more. Additionally, pressing the three dots allows you to download the associated report.

Types of Indicators of Compromise

Flare's sandbox can return the following types of indicators of compromise (IoCs):

- Files
- Filenames
- Domains
- Email addresses
- Emails
- URLs
- IPs
- Processes
- Mutexes
- Registry entries (including registry key types, if available)

Supported Filetypes

| Sample Type | Generic Category | Target Environment | Typical Extensions | Supported Version |
|---|---|---|---|---|
| AppleScript | macOS scripts | macOS | applescript, command, osascript, scpt | |
| Archive | | Static analysis with recursive dynamic detonations | zip, 7z, tar, cab, rar, wim | |
| CFB file | | Windows | cfb | |
| Custom | | Windows | various | |
| Email (EML) | Email | Static analysis with recursive dynamic detonations | eml | |
| Email (MSG) | Email | Static analysis with recursive dynamic detonations | msg | |
| Excel document | Microsoft Office documents | Windows | xls, xlsx, xlsm, xlt, xltx, xltm, xltx, xlb, xlsb, iqy, slk, xml | MS Office >= 2007 |
| HTML application | HTML application | Windows | hta¹³ | |
| HTML application (shell link) | HTML application | Windows | lnk³ | |
| HTML document | HTML document | Windows | htm, html | |
| ISO | Disk images¹¹ | Windows | iso | |
| JScript | Windows JavaScript file | Windows | js, jse | |
| JScript (shell link) | Shell link | Windows | js, jse | |
| Java archive | Java file | Windows, macOS | jar | |
| Java class | Java file | Windows, macOS | class | |
| Linux ELF executable (x86-64) | ELF files | Linux | elf, axf, bin, o, prx, puff, ko, mod, so | |
| macOS app | macOS Mach-O | macOS | app (must be submitted in a zip) | |
| macOS DMG | Disk images¹¹ | macOS | dmg | |
| macOS executable | macOS Mach-O | macOS | none | |
| macOS pkg | | macOS | pkg | |
| MHTML document | HTML documents | Windows | mht, mhtml | |
| Microsoft Access database | Microsoft Office documents | Windows | accdb, adn, accdr, accdt, accda, mdw, accde, ade, mdb, mda | MS Office >= 2007 |
| Microsoft OneNote document | Microsoft Office documents | Static analysis with recursive dynamic detonations | one | MS Office >= 2010 |
| Microsoft Project document | Microsoft Office documents | Windows | mpp²,⁴ | MS Office >= 2007 |
| Microsoft Publisher document | Microsoft Office documents | Windows | pub, puz | MS Office >= 2007 |
| Microsoft Visio document | Microsoft Office documents | Windows | vsd, vtx, vsdx, vsdm, vssx, vssm, vstx, vstm, vss, vsw | MS Office >= 2007 |
| MSI setup | | Windows | msi | |
| PDF document | | Windows | pdf | Adobe Reader >= 6, up to and including DC |
| PowerShell script | PowerShell scripts | Windows | ps1 | |
| PowerShell script (shell link) | PowerShell scripts | Windows | lnk³ | |
| PowerPoint document | Microsoft Office documents | Windows | ppt, pptx, pptm, pot, potx, potm, ppa, ppam, pps, ppsm, ppsx | MS Office >= 2007 |
| Python script | macOS scripts | macOS | py, command | |
| RTF document | Microsoft Office documents | Windows | rtf | MS Office >= 2007 |
| Shell script | macOS scripts | macOS | sh, bash, zsh, command, csh, ksh, tclsh, tcsh | |
| SVG | SVG image | Windows | svg | |
| UDF | Disk images¹¹ | Windows | udf | |
| Unknown | | Static analysis | various | |
| URL | | Windows | url | |
| VBScript | Windows script files | Windows | vbs, vbe | |
| VBScript (shell link) | Shell link | Windows | vbs, vbe | |
| Windows batch file | Windows batch file | Windows | bat, cmd | |
| Windows batch file (shell link) | Windows batch file | Windows | lnk³ | |
| Windows DLL (x86-32) | Windows PE (x86-32) | Windows | dll | |
| Windows DLL (x86-64) | Windows PE (x86-64) | Windows | dll | |
| Windows driver (x86-32) | Windows PE (x86-32) | Windows | sys | |
| Windows driver (x86-64) | Windows PE (x86-64) | Windows | sys | |
| Windows EXE (shell link) | Windows PE (x86) | Windows | lnk³ | |
| Windows EXE (x86-32) | Windows PE (x86-32) | Windows | exe, scr | |
| Windows EXE (x86-64) | Windows PE (x86-64) | Windows | exe, scr | |
| Windows help file | | Windows | chm | |
| Windows installer patch | | Windows | msp⁷ | |
| Windows script file | Windows script files | Windows | wsf, wsc, ws, sct¹² | |
| Windows script file (shell link) | Shell link | Windows | wsf, wsc, ws, sct¹² | |
| Word document | Microsoft Office documents | Windows | doc, docx, docm, dot, dotx, dotm, xml | MS Office >= 2007 |