Today, we’re excited to introduce a brand-new product: Joe Reverser 0.9.0 (Beta) Silver Wolf. In short, Joe Reverser is an agent powered by a SOTA LLM that leverages reversing tools to perform high-quality static and dynamic analysis. Once completed, it provides comprehensive analysis reports with IOCs, MITRE ATT&CK mappings, verdicts, and more at your fingertips. Here you see it in action analyzing and unpacking a .NET DLL.
Why use Joe Reverser when Joe Sandbox already delivers deep analysis?
Joe Sandbox executes malware and evaluates its dynamic behavior. This provides strong insights but is inherently limited to what actually runs during execution. The benefit: packing and code obfuscation do not hinder its dynamic visibility.
Joe Reverser, in contrast, is not bound by execution scope. It reveals the full capabilities and logic of a suspicious sample through static analysis. However, heavy packing or obfuscation can restrict what static analysis can uncover.
For the most complete picture, SOC teams and security analysts need both approaches. To provide this, we will soon enable Joe Sandbox and Joe Reverser to run in parallel, delivering maximum depth and coverage.
In this blog post, we’ll explain why SOC teams and malware analysts benefit from Joe Reverser - and share some of the technology that powers it. To illustrate its capabilities, we will primarily use the sample rot.cpl (MD5: 6878354bb55ddb58cb56cd26aaa07c60fc61b275b9cd53a5e87d08c5def0d0ae). In our next blog post, we’ll also take a deep dive into the analysis of a phishing attack.
To get started, visit www.joesandbox.com, create an account, and select Joe Reverser.
Multi Vector Analysis
SOC and cyber analysts can use Joe Reverser to process multiple input types:
If you’re dealing with a suspicious EML or MSG file, you’re covered - just as you are with URLs, executables, PDFs, and more. Joe Reverser can analyze binaries targeting Windows, Linux, macOS, and additional platforms. And if you want to threat hunt or chat using data from our free community edition, we’ve got you covered there as well.
So whatever sample you have, you can analyze it with Joe Reverser.
Autonomous Orchestration & Decision Making
Once a file or URL is uploaded, Joe Reverser automatically begins reverse engineering and analyzing the sample. It orchestrates a wide range of tools and makes decisions based on their combined results, fully autonomously.
- Static Analysis for PE, ELF, Mach-O, PDF and MSG/EML files
- Full-fledged native, .NET, Java, Python and APK Disassembler
- Unpacker including UPX, InnoSetup, NSIS, AutoIt, Exe4j, PyInstaller, MSI and many more
- Code Sandbox for advanced unpacking of staged malware
- Web browser with access to screenshots and raw HTML / JavaScript
- Domain and URL reputation
- Image analyzer including QR code decoder
- Access to Joe Sandbox for dynamic analysis and threat intel
As an analyst, you can step in at any time to adjust or correct the process. Simply press Stop or disable Auto-Approval at the beginning. From there, you can provide your own suggestions or options, and the agent will adapt its workflow accordingly.
If preferred, Joe Reverser can also run fully autonomously. It performs its analysis end-to-end and produces a comprehensive, in-depth report without requiring any manual interaction.
Joe Reverser follows a built-in analysis workflow: it begins with static and pre-file analysis, then proceeds through unpacking, decompilation, deobfuscation, and threat-intelligence enrichment. The engine can loop through stages or take shortcuts automatically when needed.
Multi Stage Analysis
Joe Reverser begins with static pre-analysis, using tools such as Detect It Easy, PE-header inspection, string extraction, and related techniques.
It then proceeds to the unpacking stage, where it leverages a variety of built-in unpackers. After that, it continues with disassembling.
During disassembling, it detects packing, including the unpacking routine and the key:
It then extracts the encrypted payload from the resource and generates a Python-based unpacker, which is executed directly on the resource to recover the decrypted content:
The generated payload is then analyzed again:
Please note that all of this happens fully autonomously, including generating the Python code, selecting the correct resource, and orchestrating each step without manual guidance.
While the packing in this case is not highly sophisticated, it would still take a human reverse engineer considerably more time to unpack the sample manually.
String Decryption and API Hashing
Joe Reverser is supported by several specialized sub-agents, each focused on a specific task. For example, one sub-agent is dedicated to decrypting strings from obfuscated C functions. Here is an example from a Win Conti ransomware sample, MD5 b774d0ad0ae7a9d3ec00281bc8682cd2:
Another sub-agent can reverse API hashes by translating the hash function to Python and then feeding it a list of known API and DLL names:
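The lookup-table approach described above, as an added example that is not Joe Reverser's own code or output. It assumes the translated routine is the widely documented ROR-13 additive hash; the export list and the constants are constructed sample input.

```python
# Added example, not Joe Reverser code. Assumption: the sample's hash routine
# turned out to be the widely documented ROR-13 additive hash over the ASCII
# export name; swap in whatever function was translated from the sample.

def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def ror13_hash(name: str) -> int:
    """hash = ror32(hash, 13) + byte, for every byte of the name."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h

def build_table(exports, hash_fn=ror13_hash):
    """Map hash -> ['dll!api', ...]; a list keeps collisions visible."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hash_fn(name), []).append(f"{dll}!{name}")
    return table

def resolve(constants, table):
    """Unknown constants map to []: either the name list is incomplete or
    the translated hash function does not match the sample's routine."""
    return {c: table.get(c, []) for c in constants}

# Constructed input: a tiny export list and constants as they might appear
# as immediates in a disassembly (hypothetical, not taken from any sample).
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc"],
    "ws2_32.dll": ["connect", "send", "recv"],
}
SAMPLE_CONSTANTS = [0xEC0E4E8E, 0x7C0DFCAA, 0xDEADBEEF]

if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    for const, names in resolve(SAMPLE_CONSTANTS, table).items():
        print(f"0x{const:08X} -> {', '.join(names) or 'unresolved'}")
```

A constant that stays unresolved against a complete export list is a useful signal that the Python translation of the hash routine is wrong, which is worth checking before trusting the rest of the table.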
Continuous Reasoning-based Enrichment
For every tool call, Joe Reverser summarizes and interprets the output of the reverse-engineering step. These insights are presented directly after each tool call in the Key Findings section:
Key findings are preserved throughout the entire agentic workflow, enabling Joe Reverser to deliver a detailed, evidence-based summary at the end of the analysis. They also help cybersecurity analysts gain clear insight into the inner workings of the malware sample.
Threat Intel
Once the disassembling workflow is complete, Joe Reverser moves to the threat intel workflow. Joe Reverser has full access to Joe Sandbox Cloud Basic, our community edition of Joe Sandbox. It looks up previous sandbox runs or closely related samples and uses them to extend and merge additional context into the current analysis, resulting in a more complete and enriched report.
Explainability and Structured Reporting
Once Joe Reverser has completed its workflow, it finalizes by creating a deep analysis report. The report includes:
- Sample name and hashes
- Verdict and score
- IOCs
- MITRE ATT&CK table with evidence
- Key suspicious indicators
- False positive analysis
- Malware / phishing analysis summary
- Call graph
- Unpacking stages
- Joe Sandbox threat intel
In addition, it generates an archive containing all artifacts produced during analysis, including decompiled and disassembled functions, unpacked files, HTML DOM captures, screenshots, and more.
Once the summary is complete, analysts can chat directly with the agent to ask questions, clarify details, and deepen their understanding of the findings.
Limitations
When developing Joe Reverser, we created a workflow that is always based on the findings and facts in tool results. However, there is no doubt that SOTA models can still hallucinate and provide wrong answers and interpretations.
Accuracy remains an issue as well. For example, reliably translating decompiled C or disassembly into Python is still a major challenge, even for models running at their highest reasoning settings.
While these limitations are inherent to an agent-based approach, we still observed significant value in the reports produced by Joe Reverser.
Final Words
Joe Reverser 0.9.0 (Beta) Silver Wolf marks a major step forward in autonomous reverse engineering. By combining multi-vector static analysis, staged unpacking, sub-agent specialization, continuous reasoning, and integrated threat intelligence, it delivers deep, explainable insights that complement Joe Sandbox’s dynamic visibility.
Beyond analytical depth, the key advantage is speed. Joe Reverser automates work that would take a human analyst hours - saving significant time while still delivering a level of detail that would otherwise require extensive manual effort.
While current LLM limitations - especially around precision and code translation - still apply, the overall workflow automation and enriched reporting already provide substantial value to SOC teams and malware analysts.
Joe Reverser is an evolving platform, and this release sets a strong foundation for what comes next.