File passed through fully virtualized Sandbox

Hello,

Sorry for my English. I found one malware file which passes through the full sandbox. I tried many files today and one of them passed through the fully virtualized sandbox and created an autorun item. I did not notice this item, but the sandbox could not be deleted, so I restarted the PC. After the restart the malware item wanted to run. But luckily I have UAC switched ON. I use the latest version of CIS PRO. CIS does not detect this file.

Here is a link to the scan of this file on VirusTotal.

Here is a link to the scan of this file on CAMAS: http://camas.comodo.com/cgi-bin/submit?file=9b699439ba35d2556dfa4f0ee9a20936186cfa2281aa01cf751a91ffaaf2b2b6

Here is a link to the autorun record in Autoruns; please look at the attachment.

Thank you.

[attachment deleted by admin]

Hi,

Thank you for your submission. We’ll check this.

Kind Regards,
Erik M.

Ok, thank you. If you want the file, I can send it to you.

I would like to ask you: how is it possible that this malware file creates records in the Windows registry HKLM/…/./././run when I run the file in the sandbox?

Could you send me the file, please?

Yes. I am sending you the link in a PM. It is strange. The file has a digital signature from Beijing Rising Information Technology Corporation Limited, and if I clear the trusted files in CIS and then run this infected file, CIS adds this file to Trusted Files without a pop-up or anything else.

Thank you.

Rising is an AV company; it’s probably a false positive.

It seems Comodo added a detection :o

Yes, but it is very strange. The file is surely not an AV and has no reason to silently create a record in the registry after it runs.