If you analyse malware, for research, for incident response, or to satisfy curiosity about a sample, you need a real sandbox. Not a VirtualBox default install with shared folders enabled. A properly isolated environment that won’t infect your actual machine when you double-click a sample. This tutorial walks through the standard practitioner setup in 2026.
The stack at a glance
FlareVM, Mandiant/Google’s Windows reverse-engineering distro, installed as a one-shot script on a stock Windows 10 VM. Comes preloaded with x64dbg, IDA Free, Ghidra, Process Hacker, PEStudio, and the rest of the standard reversing toolkit.
REMnux, Lenny Zeltser’s Linux distro for malware analysis. Pre-loaded with INetSim (network simulator that fakes the internet for the malware), Wireshark, FakeDNS, Volatility for memory forensics, dozens more.
Cuckoo Sandbox (community fork), automated detonation. Submit a sample, Cuckoo runs it in a fresh VM, captures everything (process tree, network calls, registry changes, dropped files), produces a report. Less interactive than manual analysis but invaluable for triage.
Step 1: Set up the host with strong isolation
Use a dedicated machine if possible (a $500 used Optiplex works fine). On the network side, plug it into a separate VLAN that has no route to your real LAN, only a one-way egress to the public internet for sample downloads, and even that should be gated through a managed firewall.
Hypervisor: VMware Workstation Pro (now free for personal use as of 2024) or VirtualBox. ESXi is overkill for home use. Hyper-V works but FlareVM has known compatibility quirks on Hyper-V; VMware/Vbox is smoother.
Step 2: Build the FlareVM
Create a new VM with a clean Windows 10 ISO (Microsoft still distributes them at microsoft.com/software-download). 4 vCPU, 8 GB RAM, 80 GB disk minimum.
After Windows install, before doing anything else: disable Windows Defender, disable automatic updates, take a clean snapshot. Then run the FlareVM installer in PowerShell:
# Run from an elevated PowerShell prompt; the installer also expects an unrestricted execution policy (Set-ExecutionPolicy Unrestricted -Force).
# Fetch the installer script into the temp folder.
(New-Object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1", "$env:TEMP\install.ps1")
# Clear the "downloaded from the internet" mark so PowerShell will run it.
Unblock-File "$env:TEMP\install.ps1"
# Launch the installer (the call operator & runs a script given by path).
& "$env:TEMP\install.ps1"
The installer reboots the VM several times and pulls down ~10 GB of tooling. Plan on 1-3 hours depending on bandwidth. Take a snapshot when complete, that’s your golden baseline.
Step 3: Build the REMnux side
Download the REMnux OVA and import it into VMware/Vbox. Default credentials: remnux/malware. Set the network adapter to host-only mode and give it a static IP; your FlareVM will point at REMnux as its DNS server and default gateway.
On REMnux, run inetsim to start the fake-internet service. INetSim impersonates DNS, HTTP, HTTPS, SMTP, FTP, and IRC, logging every request the malware makes. The malware “phones home” to what it thinks is its C2; INetSim records it and responds with a fake page.
Step 4: Wire the network
This is the critical step. The FlareVM should NOT have direct internet access. Set its network adapter to the same host-only network as REMnux, and set REMnux as its default gateway. The flow becomes: malware on FlareVM → DNS resolves through REMnux fake DNS → traffic captured by Wireshark/INetSim → no traffic ever reaches your real network.
Verify by trying to reach google.com from FlareVM. Seeing whatever fake page INetSim is serving confirms the routing is working.
Step 5: Get a sample to analyse
Reputable sample sources:
- MalwareBazaar, abuse.ch’s free malware repository, downloadable with API key (free).
- VirusTotal, Premium ($) or via APT/research access. Has the largest collection.
- Tria.ge, public submissions repository.
- MalShare, free with API key.
Don’t download from random Telegram channels or sketchy mirror sites. The reputable sources keep samples in password-protected archives (the password is typically infected) so you don’t accidentally double-click one on the host.
Step 6: Run the analysis
Static first. Open the sample in PEStudio (FlareVM ships it). Note imports, suspicious strings, packer indicators. Look up its hash on VirusTotal (from outside the lab network, since FlareVM has no internet) to see what AV vendors call it.
Dynamic next. Start Wireshark on REMnux, Process Monitor on FlareVM. Detonate the sample. Watch for: created processes, network connections, registry changes, dropped files. Document everything.
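To turn the INetSim log from the dynamic run into a short indicator list for your notes, here is an added example (not part of the original tutorial, nor INetSim's own tooling): a Python script that tallies DNS names queried and HTTP requests made, per fake service, from lines of REMnux's service.log. The line layout it parses is my assumption about INetSim's log format and the sample log is constructed, so check the regex against your own log.

```python
import re
from collections import Counter

# Assumed INetSim service.log line shape (verify against your own
# /var/log/inetsim/service.log on REMnux):
# [timestamp] [pid] [service pid] [client:port] action: detail
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\d+\] \[(?P<service>\S+) \d+\] "
    r"\[(?P<client>[\d.]+):\d+\] (?P<action>\w+)(?:: (?P<detail>.*))?$"
)
DNS_RE = re.compile(r"Query Type (?P<qtype>\w+), Class \w+, Name (?P<name>\S+)")
HTTP_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/")

def summarize_inetsim(lines):
    """Tally what the detonated sample asked the fake internet for:
    (name, query type) for DNS, (method, path) for HTTP, and how many
    connections hit each INetSim service."""
    dns, http, services = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a service line we recognise; skip rather than fail
        svc, action, detail = m["service"], m["action"], m["detail"] or ""
        if action == "connect":
            services[svc] += 1
        if action != "recv":
            continue  # only client-to-INetSim data carries indicators
        if svc.startswith("dns_"):
            d = DNS_RE.search(detail)
            if d:
                dns[(d["name"], d["qtype"])] += 1
        elif svc.startswith("http"):
            h = HTTP_RE.match(detail)
            if h:
                http[(h["method"], h["path"])] += 1
    return {"dns": dict(dns), "http": dict(http), "services": dict(services)}

# Constructed sample log, not real INetSim output; 192.168.56.101 is the
# hypothetical FlareVM address, c2.example.test a made-up callback domain.
SAMPLE_LOG = """\
[2026-01-10 09:12:01] [2150] [dns_53_tcp_udp 2171] [192.168.56.101:52222] connect
[2026-01-10 09:12:01] [2150] [dns_53_tcp_udp 2171] [192.168.56.101:52222] recv: Query Type A, Class IN, Name c2.example.test
[2026-01-10 09:12:01] [2150] [dns_53_tcp_udp 2171] [192.168.56.101:52222] send: c2.example.test 3600 IN A 192.168.56.102
[2026-01-10 09:12:02] [2150] [http_80_tcp 2180] [192.168.56.101:52223] connect
[2026-01-10 09:12:02] [2150] [http_80_tcp 2180] [192.168.56.101:52223] recv: GET /gate.php HTTP/1.1
[2026-01-10 09:12:02] [2150] [http_80_tcp 2180] [192.168.56.101:52223] send: 200 OK (sample.html)
[2026-01-10 09:12:05] [2150] [dns_53_tcp_udp 2171] [192.168.56.101:52224] recv: Query Type A, Class IN, Name c2.example.test
"""

if __name__ == "__main__":
    print(summarize_inetsim(SAMPLE_LOG.splitlines()))
```

Feed it the real file with `summarize_inetsim(open("/var/log/inetsim/service.log"))` on REMnux after reverting the FlareVM snapshot, so each run's tally belongs to exactly one sample.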
Reset. Revert the FlareVM to the clean snapshot when done. The whole point of the snapshot is that you can do this in 30 seconds and start fresh for the next sample.
Step 7: Optional, automate with Cuckoo
If you analyse multiple samples a week, manual is tedious. Install Cuckoo3 (the maintained fork) on a separate Linux box, point it at the FlareVM as a worker. Submit samples via web UI, get reports automatically. Worth the day to set up.
The skills compound. Six months in you’ll recognise malware families on sight. The setup is the easy part; the discipline of using it daily is the muscle.
