
CSAgent.sys

Description

AbyssWorker rootkit masquerading as a CrowdStrike Falcon sensor driver (CSAgent.sys). Signed with a revoked certificate from Shenzhen yundian Technology Co., Ltd. This is a fully malicious driver that blinds security products by stripping handles, terminating processes, and removing notification callbacks. Identified in ESET EDR killers research (March 2026) deployed alongside Medusa ransomware via the HEARTCRYPT packer.

  • UUID: 6c84d133-c619-4deb-a91a-5cf05e4cb7c2
  • Created: 2026-03-20
  • Author: Michael Haag
  • Acknowledgement: ESET Research | @ESETresearch

Download

This download link contains the malicious driver!

Commands

sc.exe create CSAgent.sys binPath=C:\windows\temp\CSAgent.sys type=kernel && sc.exe start CSAgent.sys

  • Use Case: Elevate privileges
  • Privileges: kernel
  • Operating System: Windows 10

Detections

YARA 🏹

  • Exact Match: with header and size limitation
  • Threat Hunting: without header and size limitation

Sigma 🛡️

  • Names: detects loading using name only
  • Hashes: detects loading using hashes only

Sysmon 🔎

  • Block: on hashes
  • Alert: on hashes

Resources

  • https://www.welivesecurity.com/en/eset-research/edr-killers-explained/

  • Known Vulnerable Samples

    • Filename: CSAgent.sys
    • Creation Timestamp: 2024-11-09 07:33:54
    • MD5: 9e82ee5bde6b5d29281a3c280e6d1f2e
    • SHA1: 75f85caea52fe5a124fa77e2934abd3161690add
    • SHA256: b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505
    • Authentihash MD5: 33d19e00fba657d4a4d881b0d3f24bb9
    • Authentihash SHA1: 4aabec112c06c86bcc97429af1d9f5d6966be78b
    • Authentihash SHA256: 3e7c62daf3da6ea70530adc9a65bd97dcdb4afe0b82e7622f6d965bdaa99025b
    • RichPEHeaderHash MD5: 2ca09312be60012aa066d643a69d72ff
    • RichPEHeaderHash SHA1: 0e71795703c824fa2e5e0d0b761d50775c3db9de
    • RichPEHeaderHash SHA256: 1cc4772448093afbb41aad527bb4f2b3a771db71d74db8b9d939a41e5187320f
    • Company: CrowdStrike, Inc.
    • Description: CrowdStrike Falcon Sensor Driver
    • Product: CrowdStrike Falcon Sensor
    • OriginalFilename: CSAgent.sys

    Download

    Certificates

    Certificate 4efa7e7bba65ec1ab774f2b31357d599
    • ToBeSigned (TBS) MD5: f830820e8290f2defa077743ca6e7357
    • ToBeSigned (TBS) SHA1: 0b11022d5c65f12b15ea49da29c45a3bd51ff17b
    • ToBeSigned (TBS) SHA256: c3bf6618b96463285ef2dabd06f631513585742cd9f2be85513f4d3763710211
    • Subject: C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen yundian Technology Co., Ltd, CN=Shenzhen yundian Technology Co., Ltd
    • ValidFrom: 2013-05-20 00:00:00
    • ValidTo: 2014-05-20 23:59:59
    • Signature: 1bae8106004f1ac2702bdcc897bf58debba45fca9d2c72082a3b54ef4a9df3dcbcd1468b1b588d975274ce37c3cbef125a8e334b1c6111e3ffc94eaf9c123b933c93352677f50c077cb8c771b94b21ef4fa882925a14fc580773ed66b54d49f668498e89047687bcc821385abf6ff579af7ab7dc45c60f270476e82fda4176ba85e9a29aa6f747aff19bd13ea0bc850d883e9681e53c5d5f97cb43af98514271b5a90efe591c7ea52aafa4a902fff0904690cd974625557e170b02aa4724010c4b614995ffa54687584f0a09f47e777931c0f132a3836ef31c55310bde34b10bf3cc5a7a546e2432c18645edbf018da59f8be29d4d334be3b78daa6dd35abc70
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: False
    • SerialNumber: 4efa7e7bba65ec1ab774f2b31357d599
    • Version: 3
    Certificate 47974d7873a5bcab0d2fb370192fce5e
    • ToBeSigned (TBS) MD5: e3a93dc2a8a8a668fdbb286bfe9afab5
    • ToBeSigned (TBS) SHA1: 95795d2aa2a554a423bc8c6e5b0a016d14887d35
    • ToBeSigned (TBS) SHA256: d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e
    • Subject: C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2
    • ValidFrom: 2010-02-08 00:00:00
    • ValidTo: 2020-02-07 23:59:59
    • Signature: 56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 47974d7873a5bcab0d2fb370192fce5e
    • Version: 3
    Certificate 611fb0a400000000001d
    • ToBeSigned (TBS) MD5: a3f222107d4e1085e73b5b589c2f480b
    • ToBeSigned (TBS) SHA1: b94aa26cd77c48d91a53ac44506cbd255e1d362c
    • ToBeSigned (TBS) SHA256: a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa
    • Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA
    • ValidFrom: 2011-02-22 19:31:57
    • ValidTo: 2021-02-22 19:41:57
    • Signature: 2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb
    • SignatureAlgorithmOID: 1.2.840.113549.1.1.5
    • IsCertificateAuthority: True
    • SerialNumber: 611fb0a400000000001d
    • Version: 3

    Imports

    • FLTMGR.SYS
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    • FltGetVolumeInformation
    • FltEnumerateFilters
    • FltEnumerateVolumes
    • FltEnumerateInstances
    • FltObjectDereference
    • FltGetFilterInformation
    • wcscat_s
    • wcslen
    • wcsrchr
    • _wcsicmp
    • RtlInitUnicodeString
    • RtlCompareUnicodeString
    • RtlCopyUnicodeString
    • RtlAppendUnicodeStringToString
    • RtlAppendUnicodeToString
    • RtlUpcaseUnicodeChar
    • RtlGetVersion
    • KeInitializeEvent
    • KeSetEvent
    • KeEnterCriticalRegion
    • KeLeaveCriticalRegion
    • KeEnterGuardedRegion
    • KeLeaveGuardedRegion
    • KeWaitForSingleObject
    • KeBugCheckEx
    • ExAllocatePool
    • ExAllocatePoolWithTag
    • ExFreePoolWithTag
    • ExAcquireResourceExclusiveLite
    • ExReleaseResourceLite
    • CmUnRegisterCallback
    • MmUnlockPages
    • MmBuildMdlForNonPagedPool
    • MmMapLockedPages
    • MmGetSystemRoutineAddress
    • MmUnmapLockedPages
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • IoAllocateIrp
    • IoAllocateMdl
    • IofCompleteRequest
    • IoCreateDevice
    • IoCreateFile
    • IoCreateSymbolicLink
    • IoDeleteDevice
    • IoDeleteSymbolicLink
    • IoDetachDevice
    • IoFreeIrp
    • IoFreeMdl
    • IoGetCurrentProcess
    • IoGetDeviceObjectPointer
    • strlen
    • ObCloseHandle
    • ObfReferenceObject
    • ObfDereferenceObject
    • ObfDereferenceObjectWithTag
    • ObRegisterCallbacks
    • ObUnRegisterCallbacks
    • ZwCreateFile
    • ZwOpenFile
    • ZwClose
    • ZwCreateSection
    • ZwOpenSection
    • ZwCreateKey
    • ZwOpenKey
    • MmIsAddressValid
    • PsRemoveCreateThreadNotifyRoutine
    • PsRemoveLoadImageNotifyRoutine
    • PsGetProcessId
    • IoGetFileObjectGenericMapping
    • ZwOpenProcess
    • KeStackAttachProcess
    • KeUnstackDetachProcess
    • PsIsThreadTerminating
    • PsLookupProcessByProcessId
    • PsLookupThreadByThreadId
    • PsGetThreadProcess
    • PsIsSystemThread
    • IoThreadToProcess
    • ObOpenObjectByPointer
    • ObQueryNameString
    • ZwDuplicateObject
    • ZwOpenDirectoryObject
    • _vsnwprintf
    • ObCreateObject
    • SeCreateAccessState
    • ObSetHandleAttributes
    • ObReferenceObjectByName
    • ZwQueryDirectoryObject
    • ZwQueryInformationThread
    • ZwQueryInformationProcess
    • KeInitializeApc
    • KeInsertQueueApc
    • __C_specific_handler
    • __chkstk
    • IoFileObjectType
    • PsProcessType
    • PsThreadType
    • ExDesktopObjectType
    • PsInitialSystemProcess
    • IoDeviceObjectType
    • IoDriverObjectType
    • strcmp
    • ObReferenceObjectByHandle
    • HalReturnToFirmware

    Exported Functions


    Sections

    • .text
    • .rdata
    • .data
    • .pdata
    • INIT
    • .reloc
    • .rsrc
    • .vlizer

    Signature

    {
      "Certificates": [
        {
          "CertificateType": "Leaf (Code Signing)",
          "IsCA": false,
          "IsCertificateAuthority": false,
          "IsCodeSigning": true,
          "SerialNumber": "4efa7e7bba65ec1ab774f2b31357d599",
          "Signature": "1bae8106004f1ac2702bdcc897bf58debba45fca9d2c72082a3b54ef4a9df3dcbcd1468b1b588d975274ce37c3cbef125a8e334b1c6111e3ffc94eaf9c123b933c93352677f50c077cb8c771b94b21ef4fa882925a14fc580773ed66b54d49f668498e89047687bcc821385abf6ff579af7ab7dc45c60f270476e82fda4176ba85e9a29aa6f747aff19bd13ea0bc850d883e9681e53c5d5f97cb43af98514271b5a90efe591c7ea52aafa4a902fff0904690cd974625557e170b02aa4724010c4b614995ffa54687584f0a09f47e777931c0f132a3836ef31c55310bde34b10bf3cc5a7a546e2432c18645edbf018da59f8be29d4d334be3b78daa6dd35abc70",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen yundian Technology Co., Ltd, CN=Shenzhen yundian Technology Co., Ltd",
          "TBS": {
            "MD5": "f830820e8290f2defa077743ca6e7357",
            "SHA1": "0b11022d5c65f12b15ea49da29c45a3bd51ff17b",
            "SHA256": "c3bf6618b96463285ef2dabd06f631513585742cd9f2be85513f4d3763710211",
            "SHA384": "c6079686cb82480e766a96ebe62d3a61fbf6e7dbbfb79248c0ac191dfe30b2e0017868a50f03a73caef4b8f730f6e014"
          },
          "ValidFrom": "2013-05-20 00:00:00",
          "ValidTo": "2014-05-20 23:59:59",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": true,
          "SerialNumber": "47974d7873a5bcab0d2fb370192fce5e",
          "Signature": "56fe535ce1c79ebca7ed7e536d6a144b518c405e805faaa4e82fef38c804c9ca3ecfdf3a584eb0d4b663c52957fa02059a454d68db2a1bd4343d9f00c35acb9549a56ee1b0c5fc414d414a6fd377c8d7388de419de18f31f1565836d450c53f90a9a2ea55dbf6f32811892196a5500ad631c52067e55d92968ae4a7c189a79886b2323d827382a298776cafbc7b662231fed7a564cdd9c325bf53d0c4618953b2a2368836441d9006d0f1924156872bdc571676eac4cdb90eb51a51a6207d0be6a00473c722fec4f613e7385ce5a0ab7bac01c1375e3223928dd6d1d09469d4fbae8408191c6a4ce94721b01cf2a6e15679589ae7db7b7cdf90a3d75b66b3c25",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2",
          "TBS": {
            "MD5": "e3a93dc2a8a8a668fdbb286bfe9afab5",
            "SHA1": "95795d2aa2a554a423bc8c6e5b0a016d14887d35",
            "SHA256": "d8844186775bddbccaf3dc017064df7d760fd4b85c5d07561a3efd7da950f89e",
            "SHA384": "78d972495720b43a6470b18ae1226bcca20707628087717a9364c14ca053ba264e6d149718b103542d9942200138a69d"
          },
          "ValidFrom": "2010-02-08 00:00:00",
          "ValidTo": "2020-02-07 23:59:59",
          "Version": 3
        },
        {
          "CertificateType": "CA",
          "IsCA": true,
          "IsCertificateAuthority": true,
          "IsCodeSigning": false,
          "SerialNumber": "611fb0a400000000001d",
          "Signature": "2dcc71b5e8ba94ff5ee64467007b6afc412c3ee70e41855ab12a932ba95b89f2f72b499c8003f297b8e760a80ed7fd5de545467594f4ed1c9de166228b61fb29f2c6a8bdf387c98f7f47e1c058b64a1aa2e7f718606969e083069e26c775c40c0d79da746b52b9fae8ea3359b9bb18dd291a14dfd36a37277a9da0dacffffc22c4faf009ff33e93e17ba1cc742cfce2743d30c0c5581303db96060ce02ece19ee81ddc852ce0a18d966d95ac17a4713ea16741b6281d2ce3b615e5b7e5a2f6256d86e320acf9f8314f8e629b9833376d6af735523e90feb03b5fc5b852a9e06ea0479a279e97aea24a9e531939ec357ec659de3ae0aaf533f06abda0821812dea18c4570ca2bd62e959145995a5c240049bd23b30ceca43df5b9e1d1b1825a38eea3fba1ab483a8c5dffa065223fd3d3fe4990db1446a3852e8a554b09ab38b2ab63a008d1fdad48e273d812bcc26ca516fad09ac05e38383a2b718e553aac42197a1f0d4220e7ab5d8c6880524ca1c0d488d02321fb901309007b4937afa9df486022abf4f6c2363bf8513c34bbc586e43ae19f4b90fe5461024b159c34176aa94b8d4cb69d2326c83af1d6b805cdda1d6240183a2f1b41cd3a993a0aa9d1d77eb8c4aff7b8c980105ed55df6ce7a9a02c50f6381efb564e9fc5bd8d2619a68c37cf9c78df91e87d5fa2cf816ae9dab068fc86dc741cda14e84e3dac26ebcfb",
          "SignatureAlgorithmOID": "1.2.840.113549.1.1.5",
          "Subject": "C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. , For authorized use only, CN=thawte Primary Root CA",
          "TBS": {
            "MD5": "a3f222107d4e1085e73b5b589c2f480b",
            "SHA1": "b94aa26cd77c48d91a53ac44506cbd255e1d362c",
            "SHA256": "a39ed0d6fd4eb1a6f7fed60f726e23eae668b7591bc004644625d22c701213fa",
            "SHA384": "64b7643e4146016cbf83c911eb67e4601b6bb8d66f8ee8dcee67b815f91770d86ab23678b984430f22a963e5484881b7"
          },
          "ValidFrom": "2011-02-22 19:31:57",
          "ValidTo": "2021-02-22 19:41:57",
          "Version": 3
        }
      ],
      "CertificatesInfo": "",
      "Signer": [
        {
          "Issuer": "C=US, O=Thawte, Inc., CN=Thawte Code Signing CA , G2",
          "SerialNumber": "4efa7e7bba65ec1ab774f2b31357d599",
          "Version": 1
        }
      ],
      "SignerInfo": ""
    }

    last_updated: 2026-04-06