win.lordix

L0rdix

aka: lordix

L0rdix is a multipurpose .NET remote access tool (RAT) first observed being sold on underground forums in November 2018. Out of the box, L0rdix supports eight commands, and custom commands can be defined and added. The eight built-in commands are:

Download and execute
Update
Open page (visible)
Open page (invisible)
Cmd
Kill process
Upload file
HTTP Flood

L0rdix can extract credentials from common web browsers and steal data from crypto wallets and a target's clipboard. Optionally, L0rdix can deploy a cryptominer (XMRig) to its bots.

References
2019-09-05, Alex Holland (Github (cryptogramfan)): l0rdix C2 traffic decryptor. https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py
2019-08-01, Alex Holland (Bromium): Decrypting L0rdix RAT's C2. https://www.bromium.com/decrypting-l0rdix-rats-c2/
2019-07-19, Alex Holland (HP): An Analysis of L0rdix RAT, Panel and Builder. https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/
2018-11-20, Ben Hunter (enSilo): L0RDIX: MULTIPURPOSE ATTACK TOOL. https://blog.ensilo.com/l0rdix-attack-tool
2018-11-02, Paul Burbage (Twitter (@hexlax)): Tweet on New Stealer. https://twitter.com/hexlax/status/1058356670835908610
Yara Rules
[TLP:WHITE] win_lordix_w0 (20190722 | No description)
rule win_lordix_w0 {
	meta:
		author = "Alex Holland (Bromium Labs)"
		date = "2019-07-19"
		sample_1 = "18C6AAF76985404A276466D73A89AC5B1652F8E9659473F5D6D656CA2705B0D3"
		sample_2 = "C2A4D706D713937F47951D4E6E975754C137159DC2C30715D03331FC515AE4E8"
		
		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix"
		malpedia_version = "20190722"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		$ua = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0" wide // Firefox 53 on Windows 10
		$sig = "L0rdix" wide ascii
		$sched_task = "ApplicationUpdateCallback" wide
		$exe = "syscall.exe" wide
		$cnc_url_1 = "connect.php?" wide
		$cnc_url_2 = "show.php" wide
		$browser_1 = "\\Kometa\\User Data\\Default\\Cookies" wide
		$browser_2 = "\\Orbitum\\User Data\\Default\\Cookies" wide
		$browser_3 = "\\Amigo\\User\\User Data\\Default\\Cookies" wide
		$coin_regex_1 = "[13][a-km-zA-HJ-NP-Z1-9]{25,34}" wide // Bitcoin
		$coin_regex_2 = "0x[a-fA-F0-9]{40}" wide // Ethereum
		$coin_regex_3 = "L[a-zA-Z0-9]{26,33}" wide // Litecoin
		
	condition:
		uint16(0) == 0x5A4D and (any of ($ua,$sig,$sched_task,$exe)) and (any of ($cnc_url_*)) and (any of ($browser_*)) and (any of ($coin_regex_*))
}