win.lordix

L0rdix

aka: lordix

L0rdix is a multipurpose .NET remote access tool (RAT) first discovered being sold on underground forums in November 2018. Out of the box, L0rdix supports eight commands, although custom commands can be defined and added. These include:

Download and execute
Update
Open page (visible)
Open page (invisible)
Cmd
Kill process
Upload file
HTTP Flood

L0rdix can extract credentials from common web browsers and steal data from crypto wallets and a target's clipboard. Optionally, L0rdix can deploy a cryptominer (XMRig) to its bots.

References

2019-09-05 | Github (cryptogramfan) | Alex Holland | l0rdix C2 traffic decryptor
2019-08-01 | Bromium | Alex Holland | Decrypting L0rdix RAT’s C2
2019-07-19 | HP | Alex Holland | An Analysis of L0rdix RAT, Panel and Builder
2018-11-20 | enSilo | Ben Hunter | L0RDIX: MULTIPURPOSE ATTACK TOOL
2018-11-02 | Twitter (@hexlax) | Paul Burbage | Tweet on New Stealer

Yara Rules
[TLP:WHITE] win_lordix_w0 (20190722 | No description)
rule win_lordix_w0 {
	meta:
		author = "Alex Holland (Bromium Labs)"
		date = "2019-07-19"
		sample_1 = "18C6AAF76985404A276466D73A89AC5B1652F8E9659473F5D6D656CA2705B0D3"
		sample_2 = "C2A4D706D713937F47951D4E6E975754C137159DC2C30715D03331FC515AE4E8"

		malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix"
		malpedia_version = "20190722"
		malpedia_license = "CC BY-NC-SA 4.0"
		malpedia_sharing = "TLP:WHITE"
	strings:
		// Hard-coded User-Agent used for C2 traffic (.NET strings are UTF-16LE, hence "wide")
		$ua = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0" wide // Firefox 53 on Windows 10
		$sig = "L0rdix" wide ascii
		$sched_task = "ApplicationUpdateCallback" wide // scheduled task name used for persistence
		$exe = "syscall.exe" wide
		$cnc_url_1 = "connect.php?" wide
		$cnc_url_2 = "show.php" wide
		// Browser profile paths targeted by the credential/cookie stealer
		$browser_1 = "\\Kometa\\User Data\\Default\\Cookies" wide
		$browser_2 = "\\Orbitum\\User Data\\Default\\Cookies" wide
		$browser_3 = "\\Amigo\\User\\User Data\\Default\\Cookies" wide
		// Literal regex source text embedded in the sample for clipboard address matching;
		// these are YARA text strings, not YARA regexes, so they match the pattern text itself
		$coin_regex_1 = "[13][a-km-zA-HJ-NP-Z1-9]{25,34}" wide // Bitcoin
		$coin_regex_2 = "0x[a-fA-F0-9]{40}" wide // Ethereum
		$coin_regex_3 = "L[a-zA-Z0-9]{26,33}" wide // Litecoin

	condition:
		// MZ header plus at least one indicator from each functional group
		uint16(0) == 0x5A4D and (any of ($ua,$sig,$sched_task,$exe)) and (any of ($cnc_url_*)) and (any of ($browser_*)) and (any of ($coin_regex_*))
}