636d30fd-2b95-4dc2-a413-be0e43d1482c

changsha :inline

Description

Malicious rootkit masquerading as legitimate CrowdStrike Falcon Sensor driver (CSAgent.sys). Signed with stolen/expired Chinese certificate from 2015. Detected by 61.6% of AV engines as Rootkit.Win64.Agent and Trojan:Win64/AVTamper. Used to establish kernel-level persistence while evading detection by impersonating trusted security software.

  • UUID: 636d30fd-2b95-4dc2-a413-be0e43d1482c
  • Created: 2025-10-09
  • Author: Michael Haag

DownloadBlock

This download link contains the malicious driver!

Commands

sc.exe create changsha binPath=C:\windows\temp\changsha.sys type=kernel && sc.exe start changsha
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://www.virustotal.com/gui/file/06eccd102c9105957773b32538943531d9c39d0a504ceb3b9b155e97e3b0b134

    • Known Vulnerable Samples

    PropertyValue
    Filenamechangsha.sys
    Creation Timestamp2024-11-09 07:33:54
    MD5808568a7dbff8a982fbffec4a827eb4d
    SHA121a9ca6028992828c9c360d752cb033603a2fd93
    SHA25606eccd102c9105957773b32538943531d9c39d0a504ceb3b9b155e97e3b0b134
    Authentihash MD5a23891cdabc468d641005cb4e1dbea71
    Authentihash SHA14d5fc3b8c73a83fe255680fbd9bd5effb3d897e6
    Authentihash SHA256aa65f8fcbaad575284db8f3f55958145a5548de0d9682bf9ac6e5d8c98efe000
    RichPEHeaderHash MD5ffdf660eb1ebf020a1d0a55a90712dfb
    RichPEHeaderHash SHA13e905e3d061d0d59de61fcf39c994fcb0ec1bab3
    RichPEHeaderHash SHA2562b3f99a94b7a7132854be769e27b331419c53989ef42f686d6f5ba09ddefefd6
    CompanyCrowdStrike, Inc.
    DescriptionCrowdStrike Falcon Sensor Driver
    ProductCrowdStrike Falcon Sensor
    OriginalFilenameCSAgent.sys

    Download

    Certificates

    Expand
    Certificate 75e8e7b9043b13df60e76499663021c1
    FieldValue
    ToBeSigned (TBS) MD5c744e90982da6083d0d56173dba4c9fa
    ToBeSigned (TBS) SHA1633b38d9372b85e02e013beca47cf5b1b7b10bee
    ToBeSigned (TBS) SHA25609a47ae5b166910e92028c035d2550ccec79b4c9b221bc476380ddb69b5b4770
    SubjectCN=长沙恒祥信息技术有限公司,O=长沙恒祥信息技术有限公司,L=长沙市,ST=湖南省,C=CN
    ValidFrom2015-03-20 00:00:00
    ValidTo2016-03-19 23:59:59
    Signatureca84c8ad3a1c9e9b8bfe2e19f98d222c970dcd9db773e56d964090656869bd15920e174b7bb29636f6a8ea72f0ea0f577cf75d763fa291dd31c575fcd35ced7fc52ef7dee9af0567ff60e8645b97b33ec06789f992b541c8cccc80975476a51c7bdeacb9a80527e769bb336d1a5ba0da5137b67e8d18fb218a95e5523465a5deff0c8905850e430d354420456c06664078e42d97b25fde7e524a907258477ea725c1c227131d03d308a55a7aba8d4a49a4ca7c5325454d24ed90d3d15888ea27574014a33bf51fd84cf55d941c845503155864cea2d89b3f0f57ac8227926d2c27b0a8157918bfe9d9da123de7d6b051cac51acf19e99f4f14978dfafd321cf7
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityFalse
    SerialNumber75e8e7b9043b13df60e76499663021c1
    Version3
    Certificate 611993e400000000001c
    FieldValue
    ToBeSigned (TBS) MD578a717e082dcc1cda3458d917e677d14
    ToBeSigned (TBS) SHA14a872e0e51f9b304469cd1dedb496ee9b8b983a4
    ToBeSigned (TBS) SHA256317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8
    SubjectCN=VeriSign Class 3 Public Primary Certification Authority , G5,OU=(c) 2006 VeriSign, Inc. , For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
    ValidFrom2011-02-22 19:25:17
    ValidTo2021-02-22 19:35:17
    Signature812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber611993e400000000001c
    Version3
    Certificate 5200e5aa2556fc1a86ed96c9d44b33c7
    FieldValue
    ToBeSigned (TBS) MD5b30c31a572b0409383ed3fbe17e56e81
    ToBeSigned (TBS) SHA14843a82ed3b1f2bfbee9671960e1940c942f688d
    ToBeSigned (TBS) SHA25603cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9
    SubjectCN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
    ValidFrom2010-02-08 00:00:00
    ValidTo2020-02-07 23:59:59
    Signature5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3
    SignatureAlgorithmOID1.2.840.113549.1.1.5
    IsCertificateAuthorityTrue
    SerialNumber5200e5aa2556fc1a86ed96c9d44b33c7
    Version3

    Imports

    Expand
    • FLTMGR.SYS
    • ntoskrnl.exe
    • HAL.dll
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • FltGetVolumeInformation
    • wcscat_s
    • HalReturnToFirmware
    • ExAllocatePool
    • NtQuerySystemInformation
    • ExFreePoolWithTag
    • IoAllocateMdl
    • MmProbeAndLockPages
    • MmMapLockedPagesSpecifyCache
    • MmUnlockPages
    • IoFreeMdl
    • KeQueryActiveProcessors
    • KeSetSystemAffinityThread
    • KeRevertToUserAffinityThread
    • DbgPrint
    • KeQueryPerformanceCounter

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .Kd^
    • .-rl
    • .oXz
    • .reloc
    • .rsrc

    Signature

    Expand
    {
  "Certificates": [
    {
      "CertificateType": "Leaf (Code Signing)",
      "IsCA": false,
      "IsCertificateAuthority": false,
      "IsCodeSigning": true,
      "SerialNumber": "75e8e7b9043b13df60e76499663021c1",
      "Signature": "ca84c8ad3a1c9e9b8bfe2e19f98d222c970dcd9db773e56d964090656869bd15920e174b7bb29636f6a8ea72f0ea0f577cf75d763fa291dd31c575fcd35ced7fc52ef7dee9af0567ff60e8645b97b33ec06789f992b541c8cccc80975476a51c7bdeacb9a80527e769bb336d1a5ba0da5137b67e8d18fb218a95e5523465a5deff0c8905850e430d354420456c06664078e42d97b25fde7e524a907258477ea725c1c227131d03d308a55a7aba8d4a49a4ca7c5325454d24ed90d3d15888ea27574014a33bf51fd84cf55d941c845503155864cea2d89b3f0f57ac8227926d2c27b0a8157918bfe9d9da123de7d6b051cac51acf19e99f4f14978dfafd321cf7",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "CN=\u957f\u6c99\u6052\u7965\u4fe1\u606f\u6280\u672f\u6709\u9650\u516c\u53f8,O=\u957f\u6c99\u6052\u7965\u4fe1\u606f\u6280\u672f\u6709\u9650\u516c\u53f8,L=\u957f\u6c99\u5e02,ST=\u6e56\u5357\u7701,C=CN",
      "TBS": {
        "MD5": "c744e90982da6083d0d56173dba4c9fa",
        "SHA1": "633b38d9372b85e02e013beca47cf5b1b7b10bee",
        "SHA256": "09a47ae5b166910e92028c035d2550ccec79b4c9b221bc476380ddb69b5b4770",
        "SHA384": "240cbfa8fdb38172da35d1f761200717e8824a6eb58cf2be0421e825fc7ddf5c62a93136a6f844af06d2c5779d80841a"
      },
      "ValidFrom": "2015-03-20 00:00:00",
      "ValidTo": "2016-03-19 23:59:59",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": false,
      "SerialNumber": "611993e400000000001c",
      "Signature": "812a82168c34672be503eb347b8ca2a3508af45586f11e8c8eae7dee0319ce72951848ad6211fd20fd3f4706015ae2e06f8c152c4e3c6a506c0b36a3cf7a0d9c42bc5cf819d560e369e6e22341678c6883762b8f93a32ab57fbe59fba9c9b2268fcaa2f3821b983e919527978661ee5b5d076bcd86a8e26580a8e215e2b2be23056aba0cf347934daca48c077939c061123a050d89a3ec9f578984fbecca7c47661491d8b60f195de6b84aacbc47c8714396e63220a5dc7786fd3ce38b71db7b9b03fcb71d3264eb1652a043a3fa2ead59924e7cc7f233424838513a7c38c71b242228401e1a461f17db18f7f027356cb863d9cdb9645d2ba55eefc629b4f2c7f821cc04ba57fd01b6abc667f9e7d3997ff4f522fa72f5fdff3a1c423aa1f98018a5ee8d1cd4669e4501feaaeefffb178f30f7f1cd29c59decb5d549003d85b8cbbb933a276a49c030ae66c9f723283276f9a48356c848ce5a96aaa0cc0cc47fb48e97af6de35427c39f86c0d6e473089705dbd054625e0348c2d59f7fa7668cd09db04fd4d3985f4b7ac97fb22952d01280c70f54b61e67cdc6a06c110384d34875e72afeb03b6e0a3aa66b769905a3f177686133144706fc537f52bd92145c4a246a678caf8d90aad0f679211b93267cc3ce1ebd883892ae45c6196a4950b305f8ae59378a6a250394b1598150e8ba8380b72335f476b9671d5918ad208d94",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "CN=VeriSign Class 3 Public Primary Certification Authority , G5,OU=(c) 2006 VeriSign, Inc. , For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US",
      "TBS": {
        "MD5": "78a717e082dcc1cda3458d917e677d14",
        "SHA1": "4a872e0e51f9b304469cd1dedb496ee9b8b983a4",
        "SHA256": "317fa1d234ebc49040ebc5e8746f8997471496051b185a91bdd9dfbb23fab5f8",
        "SHA384": "b71052da4eb9157c8c1a5d7f55df19d69b9128598b72fcca608e5b7cc7d64c43c5504b9c86355a6dc22ee40c88cc385c"
      },
      "ValidFrom": "2011-02-22 19:25:17",
      "ValidTo": "2021-02-22 19:35:17",
      "Version": 3
    },
    {
      "CertificateType": "CA",
      "IsCA": true,
      "IsCertificateAuthority": true,
      "IsCodeSigning": true,
      "SerialNumber": "5200e5aa2556fc1a86ed96c9d44b33c7",
      "Signature": "5622e634a4c461cb48b901ad56a8640fd98c91c4bbcc0ce5ad7aa0227fdf47384a2d6cd17f711a7cec70a9b1f04fe40f0c53fa155efe749849248581261c911447b04c638cbba134d4c645e80d85267303d0a98c646ddc7192e645056015595139fc58146bfed4a4ed796b080c4172e737220609be23e93f449a1ee9619dccb1905cfc3dd28dac423d6536d4b43d40288f9b10cf2326cc4b20cb901f5d8c4c34ca3cd8e537d66fa520bd34eb26d9ae0de7c59af7a1b42191336f86e858bb257c740e58fe751b633fce317c9b8f1b969ec55376845b9cad91faaced93ba5dc82153c2825363af120d5087111b3d5452968a2c9c3d921a089a052ec793a54891d3",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
      "Subject": "CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US",
      "TBS": {
        "MD5": "b30c31a572b0409383ed3fbe17e56e81",
        "SHA1": "4843a82ed3b1f2bfbee9671960e1940c942f688d",
        "SHA256": "03cda47a6e654ed85d932714fc09ce4874600eda29ec6628cfbaeb155cab78c9",
        "SHA384": "bbda8407c4f9fc4e54d772f1c7fb9d30bc97e1f97ecd51c443063d1fa0644e266328781776cd5c44896c457c75f4d7da"
      },
      "ValidFrom": "2010-02-08 00:00:00",
      "ValidTo": "2020-02-07 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "CN=VeriSign Class 3 Code Signing 2010 CA,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US",
      "SerialNumber": "75e8e7b9043b13df60e76499663021c1",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2026-01-07