Cyber Threat OSINT Verified May 16, 2026

Hybrid Analysis

Hybrid Analysis provides free malware sandboxing with Falcon Sandbox technology to analyze suspicious files and URLs for threat intelligence.

Investigator Use

Hybrid Analysis is a free malware analysis sandbox operated by CrowdStrike, providing automated behavioral analysis of suspicious files and URLs. When a file or URL is submitted, Hybrid Analysis executes it in a controlled environment and records all resulting behaviors — network connections, file system changes, registry modifications, and process activity — producing a detailed report with extracted IOCs.

What OSINT investigators and malware analysts use Hybrid Analysis for: detonating suspicious files received in phishing emails or downloaded from target infrastructure, extracting command-and-control server addresses and domains embedded in malware, analyzing malware behavior without risking infection of a production system, and searching existing reports for IOCs related to known malware families.

What Hybrid Analysis exposes: behavioral reports showing all system activity during file execution, extracted network IOCs including C2 domains and IPs, MITRE ATT&CK technique mappings for observed behaviors, YARA rule matches against known malware families, file metadata and embedded strings, and community threat scores from CrowdStrike's threat intelligence.

The search capability makes Hybrid Analysis valuable beyond just submitting new samples. You can search the public report database by file hash, domain, IP address, or malware family name. If an IOC from your investigation appears in a previously analyzed sample, Hybrid Analysis returns the full behavioral report — revealing which malware family it belongs to and what other infrastructure it connects to.

For C2 discovery: malware often contains hardcoded C2 server addresses that only become visible through dynamic analysis. Hybrid Analysis extracts these addresses during execution, providing infrastructure indicators that static analysis alone does not surface. These C2 addresses can then be used as pivots in Shodan, Censys, and VirusTotal.

Free tier access: Hybrid Analysis is free for individual use with a 100 MB file size limit. Public reports are shared with the security community, so be cautious about submitting sensitive or classified samples that should remain private.

In a workflow: submit suspicious attachments from phishing emails or files recovered from compromised systems. Extract network IOCs from the behavioral report and feed them into Shodan and SecurityTrails. Pivot from discovered C2 addresses to find related infrastructure using certificate pivoting in Censys.

#Hybrid analysis #Cyber Threat OSINT tools #Cyber Threat OSINT resources #analysis #hybrid #intelligence #threat #vulnerability #investigations #ioc

Before You Pivot

Record Context

Capture the target, search terms, and why this source is relevant before you leave the page.

Preserve Evidence

Archive volatile pages, save screenshots, and keep timestamps for anything that may change.

Corroborate

Treat one tool as a lead source. Confirm important findings with independent sources.
