AI-Powered Sandbox

Ask Malware What It Really Does.

AI-powered malware analysis in fully interactive multi-OS sandboxes. Detonate, observe, and understand threats — guided by an AI co-pilot.

Investigate malware on Windows, macOS, Linux, and Android virtual machines.
[Demo animation: sandbox session at retrace.cloud/scan/a3f8... showing a Windows desktop with the icon Invoice_Feb 2026.pdf.exe, the files report_Q4.xlsx, client_data.csv, budget_2026.docx and passwords.txt carrying a .locked extension, and README_RESTORE.txt open in Notepad with a ransom note claiming AES-256 + RSA-2048 encryption.]

Detonate · Dissect · Defend

Analyze malware in a safe environment.

Every sample fires inside a disposable VM your laptop never touches. Watch every artifact unfold in real time, interact with the detonation live, and walk away with a verdict + IOCs your SOC can ship today.

Sample #1A2F
Verification Hash (SHA-256): 0000000000000000000000000000000000000000000000000000000000000000
System: ASUSTeK COMPUTER INC. PRIME B560M-A
CPU: Intel(R) Core(TM) i3-10100F CPU @ 3.60GHz (4C @ 3.6 GHz)
RAM: 6 GB
Disk: CT500MX500SSD1
MAC: 00:22:FA:39:73:89
Hostname: DESKTOP-2O8HTW7
User: Elizabeth Brown
BIOS: American Megatrends Inc. 2007
Timezone: Eastern Standard Time
Installed: 2024-10-31
Uptime: 13d 04h 22m 17s

Machine Identity
Every VM ships with a fresh, spoofed hardware fingerprint — board, CPU, MAC, serials, install date, uptime. Anti-VM checks see a real desktop, not a sandbox. Your laptop never touches the sample.
Family Diagnosis
82% match: LockBit 4.x (Ransomware · Stealer hybrid)
Similarity evidence
C2 URI pattern /api/v2/checkin: 3 prior matches
AES-256-CBC crypto signature: T1486 consistent
Registry persistence "WinUpdate": v4.x signature
Shellcode XOR key 0x7F: Feb 2025 variant
Compared against 847 samples in your corpus: 12 near matches

Family Diagnosis
Every detonation is compared against your full sandbox corpus. Family attribution, similarity scores, and evidence-backed lineage — automatically. Decide what to block in seconds, not days.
MITRE Detections
48 Techniques, 12 Tactics, 110 Alerts
RECON
RES.DEV
INIT: 2
EXEC: 13
PERSIST: 5
PRIV.ESC: 7
EVASION: 18
CRED: 10
DISCOV: 20
LATERAL: 1
COLLECT: 9
C2: 9
EXFIL: 2
IMPACT: 14
Top severity findings
CRIT | Data Encrypted for Impact | T1486 · Impact | 9 alerts
CRIT | PowerShell | T1059.001 · Execution | 6 alerts
CRIT | LSASS Memory | T1003.001 · Credential Access | 5 alerts
CRIT | Process Injection | T1055 · Privilege Escalation | 4 alerts
CRIT | Process Hollowing | T1055.012 · Privilege Escalation | 2 alerts
CRIT | Security Account Manager | T1003.002 · Credential Access | 1 alert
HIGH | Windows Command Shell | T1059.003 · Execution | 3 alerts
HIGH | Obfuscated Files or Information | T1027 · Defense Evasion | 3 alerts

MITRE Detections
Every Sigma rule, behavior indicator, and memory match auto-mapped to ATT&CK across the full kill chain. Hand the techniques to your SOC. Export as Navigator JSON for direct ingest.
Event Log
8,439 events
FILE CREATE | C:\Users\Public\Documents\invoice_2026.exe | 8.4 MB downloaded | chrome.exe | 14:32:01
PROCESS CREATE | invoice_2026.exe | spawned from explorer | explorer.exe | 14:32:03
DLL LOAD | ntdll.dll | Microsoft signed | invoice_2026.exe | 14:32:03
MEM ALLOC | RWX 0x7FF8AC120000 (4.0 MB) | self-allocated | invoice_2026.exe | 14:32:04
MEM WRITE | 0x7FF8AC120000 ← shellcode (1,247 B) | decoded XOR payload | invoice_2026.exe | 14:32:04
PROCESS CREATE | powershell.exe -nop -w hidden -enc JABzAD0... | child of invoice_2026 | invoice_2026.exe | 14:32:05

Full Event Log
Every file write, registry hit, network packet, and process spawn captured per VM. Findings are summaries — the event log is the truth. Pivot from any detection back to the raw byte in one click.
Grounded · Cited · Yours

Now ask it anything.

The sandbox already captured every byte. The AI reads that trace — every event, every technique, every artifact — and answers in real analyst language. Every claim comes with receipts. Nothing is invented.

retrace AI Co-Pilot
01

Grounded in the trace

Every claim cites a specific event, technique, or captured file. No LLM hallucination — the AI only speaks about what the sandbox actually observed.

02

Your sandbox's memory

Pattern-matches against every detonation you've ever run. Your LockBit samples teach it what LockBit looks like in your environment — not a generic model.

03

SOC-ready briefings

Export answers as Markdown, PDF, or STIX 2.1 bundles for your MISP or TIP. Chat transcripts go in, artifacts ready for ingest come out.

04

Your data stays yours

Inference runs on-prem for Enterprise and fully air-gapped for Sovereign deployments. No sample bytes, no IOCs, no tool calls ever leave your infrastructure.

Deploy your way.

From individual researchers to air-gapped defense networks.

DEPLOYMENT TIERS (4 OPTIONS)

Community (Shared)
For students, researchers, or those exploring the platform.
Price: Free
- Community feed access
- Standard execution queue
- Web interface
- Basic report export
- Unlimited public analyses

Team (SaaS)
For individual analysts, consultants, and small teams.
Price: Contact
- Private submissions
- Priority queueing
- REST API access
- Team management
- Audit logging

Enterprise (Dedicated Cloud)
For MSSPs, financial services, and regulated industries.
Price: Custom
- Multi-tenant workspace
- UK, EU or US data residency on request
- Dedicated hardware, no shared services
- SSO / SAML
- Custom data retention

Sovereign (Self-Hosted)
For government, defense, and critical infrastructure.
Price: Custom
- Air-gap compatible
- Unlimited throughput
- Full data sovereignty
- Custom hardware support
- Dedicated account manager