A free public malware analysis sandbox (powered by CrowdStrike Falcon Sandbox) that executes suspicious files in isolated environments and provides detailed behavioral reports, YARA matches, and IOC extraction.

Hybrid Analysis is a free public malware analysis platform powered by CrowdStrike's Falcon Sandbox technology. It executes suspicious files in isolated virtual environments across multiple operating system configurations and records everything that happens: process creation, file system modifications, registry changes, network connections, and API calls. The resulting behavioral report gives analysts a detailed view of what a piece of malware actually does when it runs, going far beyond what static analysis or signature scanning can reveal. The platform also extracts indicators of compromise (IOCs), including domains, IP addresses, and file hashes, and matches samples against YARA rules. Because it is publicly accessible and free, it is widely used for rapid triage of suspicious files received via email, downloaded from the web, or found on compromised endpoints.

Qevlar can submit suspicious files or hashes to Hybrid Analysis as part of an automated investigation workflow. When an alert involves an unknown executable or a file with suspicious characteristics, Qevlar uses Hybrid Analysis to obtain a behavioral verdict and extract IOCs that can be used to search for related activity elsewhere in the environment.