Converging

Incident Response and Detection Engineering

Follow a step-by-step walkthrough to see what you can get through advanced malware analysis on VMRay.

Introduction

In this demo, we showcase how the VMRay platform can help security teams efficiently analyze files, lower the expertise barrier, and reduce the time required to maintain an analysis environment. Explore techniques like HTML smuggling and threats like Qbot with ease.

Insights at your fingertips:
Navigating the VMRay Platform’s dashboard & submission

Efficiently analyze and submit files for analysis using the VMRay platform. Explore the main dashboard, track the latest submissions, and view the verdict trend of your organization’s files. See how you can upload and analyze specific files, such as a Qbot HTML document, in the VMRay Web analysis environment with ease.

From Suspicious to Exposed:
VMRay’s easy-to-understand analysis summary

Discover the step-by-step analysis of a suspicious HTML file using the VMRay platform. Follow along as the file’s reputation is checked and dynamic analysis is initiated. Explore the interactive analysis environment, where the HTML file is loaded in a secure browser, revealing malicious elements that mimic a Google Drive web page. Watch the page drop an encrypted zip file, the HTML smuggling technique that lets threats like this slip past gateway scanning. The contents of that zip file are revealed as the analysis progresses.

From lock to reveal:
The analysis of an encrypted Zip file

Dive into the screenshots taken throughout the analysis process, providing visual insights into the files under investigation. Witness the automatic identification of malicious elements within the HTML and JavaScript files, while encountering an encrypted zip file with a document password associated with Qbot campaigns. Experience the seamless submission and extraction of the zip file, revealing an ISO file with an .emg extension.

The last stage:
Dynamic analysis of malicious ISO file

Delve into the intricate operations within the malicious ISO file discovered during the analysis. Witness the detection of embedded files, including a DLL file and a JavaScript file, through static analysis and reputation checks. Despite already confirming its malicious nature, the focus shifts to uncovering additional artifacts within the organization’s environment for rule creation and potential infection detection. Explore the dynamic analysis of the DLL file, as VMRay’s platform provides multiple dynamic analysis environments to reveal its behavior across different operating system versions.

Qbot Unveiled:
VMRay Threat Identifiers in Action

Unveil the behavior rules triggered by VMRay Threat Identifiers (VTIs) during the analysis, showcasing the accurate identification of the Qbot file. Witness the automatic extraction of Qbot’s configuration, revealing crucial information and IOCs. Explore the numerous embedded IP addresses and URLs, providing insights into potential command-and-control connections for further investigation.

Creating powerful detection rules: 
The process tree and YARA Rules

Explore the process tree and detect process injection indicators, unveiling the impact of a variant of Qbot. Witness the triggering of various VTIs and dive into the YARA rule matches. Discover the VMRay-specific meta section and the strings associated with this Qbot sample, enabling the extraction of patterns for the creation and testing of YARA rules. Delve into complex rules, including those matching on dynamically extracted function strings, memory dumps, and specific patterns related to Qbot’s behavior.

Inside Qbot’s Malicious Behavior:
Memory Dumps, Injected Data, and Parameters

Explore the detailed behavioral analysis of the Qbot file, revealing its malicious activities and execution patterns. Discover the extensive function strings and memory dumps, showcasing the file’s behavior within the analysis environment. Unveil the injected data and parameters, along with the processes involved. Extract and download function strings, which carry valuable input for detection engineering workflows. Identify patterns such as IP addresses, URLs, encryption keys, DLL names, and imported libraries associated with the file. Use these artifacts to create YARA rules, Sigma rules, and other detection content. Access additional process information such as command lines, parent-child relationships, and file names to enhance detection capabilities.
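The two sections above describe the same workflow: take the strings a sandbox extracts from memory dumps, keep the network indicators, and turn them into a YARA rule that is then tested. The block below is an added example of that workflow, not VMRay code and not from the webinar. Every input is constructed: the function strings are invented, the IP addresses come from RFC 5737 documentation ranges, the hosts are example.com/example.net, and the meta field names in the generated rule are this example's own choice rather than any report schema. It also evaluates the rule's `N of them` condition in pure Python so it runs without yara-python installed.

```python
import ipaddress
import re
from typing import Iterable

# Constructed sample of "function strings" as a sandbox might export them.
# NOT real Qbot indicators: IPs are RFC 5737 documentation addresses and
# the hosts are reserved example domains.
SAMPLE_FUNCTION_STRINGS = [
    "kernel32.dll",
    "SetThreadContext",
    "192.0.2.44:443",
    "https://cdn.example.com/loader/update.php",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "198.51.100.7:2222",
    "wininet.dll",
    "http://example.net/gate?id=",
    "localhost",
    "10.0.0.1",          # RFC 1918 address: sandbox noise, filtered out below
    "ntdll.dll",
]

# Constructed "memory dump": one IOC as ASCII, one as UTF-16LE (YARA "wide").
CONSTRUCTED_DUMP = (
    b"\x00" * 16
    + b"192.0.2.44:443\x00"
    + "https://cdn.example.com/loader/update.php".encode("utf-16-le")
    + b"\x00" * 16
)

IPV4_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)

# Addresses that are analysis-environment noise rather than C2 infrastructure.
# Listed explicitly (instead of ipaddress.is_private) so that the RFC 5737
# documentation ranges used in the constructed sample are not filtered away.
NOISE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def extract_network_iocs(strings: Iterable[str]) -> dict:
    """Pull routable IPv4 addresses (with port, if present) and URLs out of
    raw function strings, dropping local/private addresses that would make
    the resulting rule fire on benign software."""
    ips, urls = set(), set()
    for s in strings:
        for m in IPV4_PORT_RE.finditer(s):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # e.g. "999.1.1.1" looks like an IP but is not one
            if any(ip in net for net in NOISE_NETWORKS):
                continue
            ips.add(m.group(0))
        urls.update(m.group(0) for m in URL_RE.finditer(s))
    return {"ips": sorted(ips), "urls": sorted(urls)}


def to_yara_rule(name: str, iocs: dict, meta: dict, min_hits: int = 2) -> str:
    """Render a YARA rule whose strings are the extracted IOCs. Requiring
    min_hits distinct strings avoids firing on a single shared URL."""
    lines = [f"rule {name}", "{", "    meta:"]
    for key, value in meta.items():  # field names are this example's choice
        lines.append(f'        {key} = "{value}"')
    lines.append("    strings:")
    for i, value in enumerate(iocs["ips"] + iocs["urls"]):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $ioc{i} = "{escaped}" ascii wide')
    lines += ["    condition:", f"        {min_hits} of them", "}"]
    return "\n".join(lines)


def rule_matches(iocs: dict, data: bytes, min_hits: int = 2) -> bool:
    """Evaluate the generated rule's condition without yara-python: each
    string is searched as ASCII and as UTF-16LE ("wide"), and the rule fires
    when at least min_hits distinct strings are present in the buffer."""
    hits = 0
    for value in iocs["ips"] + iocs["urls"]:
        if value.encode("ascii") in data or value.encode("utf-16-le") in data:
            hits += 1
    return hits >= min_hits


if __name__ == "__main__":
    iocs = extract_network_iocs(SAMPLE_FUNCTION_STRINGS)
    rule = to_yara_rule("constructed_c2_strings", iocs,
                        {"source": "constructed example", "author": "analyst"})
    print(rule)
    print("dump matches:", rule_matches(iocs, CONSTRUCTED_DUMP))
```

Once the rule text is written to a file, the same strings can be compiled with the real YARA engine against the downloaded memory dumps; the pure-Python matcher here only mirrors the `ascii wide` and `N of them` semantics closely enough to sanity-check the generated rule offline.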

From IOCs to Detection Rules:
Digging the gold mine of indicators

The IOCs (Indicators of Compromise) section of the report summarizes all the relevant findings and marks each one as malicious, suspicious, or clean. URLs among the IOCs are scored by how malicious they are. The IOCs are cross-referenced with behavior indicators and with the specific behavior rules from the VTIs that produced them. On the left-hand side, you can remove the score filter to access the raw, unscored data for a more detailed analysis. The IOCs cover processes, suspicious artifacts, and other relevant details, giving you the material for effective detection rules.

Further resources

DEMO

Analysis of Qbot to enhance Detection Engineering

Watch the full recording of our webinar from the SANS DFIR Summit.

USE CASE

Explore how you can improve the efficacy of detection engineering with VMRay.

PRODUCT

Check the most advanced sandbox for analyzing malware and phishing.

Welcome to the playground.

Explore what you can do with VMRay.

Click on the yellow dots to check the report formats, see the overview, explore the network connections of the sample, malicious behavior, and relevant files, map the threat on MITRE ATT&CK Framework, analyze and download IOCs and artifacts.

The analysis report tabs are available in both VMRay DeepResponse and VMRay TotalInsight. The bundle of VMRay FinalVerdict and VMRay DeepResponse also offers access to the analysis report tabs.

Unveiling the power:
See our experts showcasing VMRay’s capabilities.

Analysis of a malicious file

Join Fatih Akar from the VMRay team as he provides a detailed walkthrough of a malicious LNK file, an attack vector that has become prevalent since Microsoft started blocking Office macros from the internet by default.

Gain valuable insights into each tab of our comprehensive analysis report and get a sneak peek into what you’ll be exploring.

Analysis of a malicious URL

Join Andrey Voitenko, an expert in advanced malware and phishing analysis from the VMRay team, as he demonstrates how to submit emails and URLs to the VMRay platform using built-in connectors.

Discover the capabilities of our new Automation Dashboard, enabling one-click automation with your existing EDR, SOAR, SIEM, and TIP tools. Monitor analysis data seamlessly from your VMRay dashboard and unlock new levels of efficiency in your security operations.

Integrating with existing tools

Watch Michael Bourton showcasing the seamless integration of VMRay platform with your existing security stacks.

Discover how easily you can use VMRay’s detection and analysis capabilities from your existing tools through dedicated connectors or the REST API.

Experience VMRay in Action:
Explore Real-world Malware Analysis Reports

Get a firsthand look at the power and capabilities of the VMRay platform by delving into our sample malware and phishing analysis reports.

Immerse yourself in a range of report formats, providing comprehensive insights.

Dive into the overview, explore intricate network connections, analyze malicious behavior in detail, and map threats using the MITRE ATT&CK Framework. See the possibilities to download clear IOCs.

Uncover the capabilities that await you.

Calculate how much malware false positives are costing your organization:
Malware False Positive Cost Calculator