{
	"id": "9a024159-e221-4f95-833b-62e0763b6650",
	"created_at": "2026-04-06T00:19:29.099634Z",
	"updated_at": "2026-04-10T13:11:27.647067Z",
	"deleted_at": null,
	"sha1_hash": "c7d13bd778550a95867b6f2c1f06431e3607aa7a",
	"title": "An Analysis of L0rdix RAT, Panel and Builder | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 541873,
	"plain_text": "An Analysis of L0rdix RAT, Panel and Builder | HP Wolf Security\r\nBy Alex Holland\r\nPublished: 2019-07-19 · Archived: 2026-04-05 19:20:51 UTC\r\nL0rdix is a multipurpose remote access tool (RAT) that was first discovered being sold on underground criminal\r\nforums in November 2018. Shortly after its discovery, Ben Hunter of enSilo analysed the RAT’s functionality.\r\nAlthough L0rdix’s author set the price of the RAT at 4000 RUB (64 USD), for many cyber criminals even this was\r\ntoo high a price. In June 2019, a cracked version of the RAT’s builder and admin panel began circulating through\r\nunderground forums. I was especially curious about the admin panel to see if an analysis of it would lead to a better\r\nunderstanding of L0rdix and potentially improve its detection in the wild.\r\nFigure 1 – Advert for a cracked copy of the L0rdix RAT panel and builder on an underground forum in June 2019.\r\nL0rdix’s Admin Panel\r\nThe admin panel consists of three components: an HTTP web server for the operator to administer their bots, a pre-made MySQL database for storing data from infected systems, and PHP scripts to send bot commands, process\r\ndata received from bots and interface with the database.\r\nBy default, the URI of the L0rdix panel login page is webserver.tld/admin_login. Unlike many other RATs,\r\nL0rdix’s login page is simple and does not advertise its namesake.\r\nhttps://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/\r\nPage 1 of 7\n\nFigure 2 – Login page of L0rdix’s panel.\r\nFigure 3 – The main dashboard of the L0rdix panel.\r\nBy querying the panel’s MySQL database it was possible to understand the types of data L0rdix steals from its\r\nvictims, its default configuration settings, and make an assessment about the sophistication of the malware. 
In the\r\ncase of L0rdix, its database contains seven tables shown in figure 4, indicating that this RAT is not particularly\r\ncomplex.\r\nFigure 4 – Tables in the MySQL database for the L0rdix panel.\r\nThe “victims” table contains basic hardware and configuration information about infected systems, their location\r\ncalculated using a geoIP database bundled with the panel, and the hash rate of the cryptominer (the open source\r\nMonero miner, XMRig) that L0rdix can command bots to download once persistent. Many of the fields relate to\r\ncryptomining, for instance one field is designated for the model of GPU used by the infected host, highlighting\r\nhow important (and lucrative) L0rdix’s author considers cryptojacking as a monetisation activity. We’ve written\r\nabout cryptojacking before on this blog. In our assessment, it’s likely that the rebound in the value of\r\ncryptocurrencies in the first half of 2019 is one of the drivers for the increase in cryptominer campaigns.\r\nDefault Panel Credentials\r\nThe “config” table contains the default login credentials to access the panel:\r\nUsername: “root”\r\nPassword: “toor”\r\nIt’s possible that L0rdix’s author is familiar with the Kali Linux distribution, given that they share the same default\r\ncredentials.\r\nFigure 5 – The default configuration of L0rdix RAT.\r\nOut of the box, L0rdix operators are able to send eight commands to bots, although custom commands can be\r\ndefined and added. These include:\r\nDownload and execute\r\nUpdate\r\nOpen page (visible)\r\nOpen page (invisible)\r\nCmd\r\nKill process\r\nUpload file\r\nHTTP Flood\r\nL0rdix’s Command and Control (C2) Encryption and Decryption\r\nL0rdix’s C2 traffic is encrypted using AES symmetric-key encryption with a 256-bit key in Cipher Block\r\nChaining (CBC) mode. 
When a sample is generated using L0rdix’s builder the operator is able to decide the key to\r\nencrypt the C2 traffic. A SHA-256 hash is calculated from the operator’s key. The first 32 characters (i.e. 256 bits)\r\nof the hashed operator key are used as the AES key in the encryption function. The panel’s encryption function is\r\nimplemented using the openssl_encrypt PHP function. The function requires a 16-byte initialisation vector (IV),\r\nbut L0rdix’s author decided to use 16 null bytes. The copy of the panel analysed contained a possible default\r\noperator key 3sc3RLrpd17. The ciphertext is then Base64 encoded, with any plus (+) characters replaced with\r\ntildes (~) using PHP’s str_replace function. L0rdix’s decryption function is simply the reverse of the encryption\r\nfunction, using str_replace, base64_decode and openssl_decrypt.\r\nBased on the implementation of the encryption and decryption functions it appears that each L0rdix panel operator\r\nmust use the same key for every bot they control. From a detection standpoint, this is useful because L0rdix\r\nsamples can be tied to specific actors based on common keys. 
Additionally, since the same key must be used for\r\neach panel, this means that it is possible to decrypt captured C2 traffic from any bots controlled by a panel where\r\nthe key is known, for example where the key is extracted from a sample.\r\nFigure 6 – L0rdix’s server-side decryption function.\r\nFigure 7 – L0rdix’s server-side encryption function.\r\nL0rdix’s Builder\r\nThe L0rdix builder is simple with only a few configurable options, including specifying the remote IP address or\r\ndomain where the panel is hosted, generating a mutex to prevent the RAT from repeatedly re-infecting systems,\r\nand options to enable certain capabilities in the malware.\r\nFigure 8 – L0rdix RAT builder.\r\nL0rdix implements anti-analysis measures, such as enumerating running processes and stopping the RAT from\r\nexposing its functionality if common analysis tools are detected. The RAT also checks if it is running in a virtual\r\nmachine or Sandboxie, a sandbox product.\r\nFigure 9 – L0rdix checks its runtime environment for common analysis tools.\r\nThe L0rdix bot tries to make its C2 communications blend in with legitimate traffic by using the User-Agent\r\nstring for Firefox 53 on Windows 10, which is hardcoded in the RAT:\r\nMozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0\r\nIt also uses the WMI namespace, root\\SecurityCenter2, to identify which antivirus is installed on the system,\r\nwhich is subsequently sent to the admin panel.\r\nFigure 10 – L0rdix uses WMI to identify antivirus software installed on the infected system.\r\nConclusion\r\nBased on this leak, L0rdix RAT has not evolved much since it first entered the scene in November 2018. Despite\r\nbeing advertised as a general purpose RAT, much of its functionality is geared towards cryptojacking. 
It is\r\npossible that this is a response by L0rdix’s author to meet the rising demand for cryptomining botnets.\r\nYARA Signature\r\nAs part of this research a YARA rule was written to detect L0rdix binaries, which we are sharing with the\r\ncommunity.\r\nrule win_l0rdix {\r\nmeta:\r\nauthor = \"Alex Holland (Bromium Labs)\"\r\ndate = \"2019-07-19\"\r\nsample_1 = \"18C6AAF76985404A276466D73A89AC5B1652F8E9659473F5D6D656CA2705B0D3\"\r\nsample_2 = \"C2A4D706D713937F47951D4E6E975754C137159DC2C30715D03331FC515AE4E8\"\r\nstrings:\r\n$ua = \"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0\" wide\r\n$sig = \"L0rdix\" wide ascii\r\n$sched_task = \"ApplicationUpdateCallback\" wide\r\n$exe = \"syscall.exe\" wide\r\n$cnc_url_1 = \"connect.php?\" wide\r\n$cnc_url_2 = \"show.php\" wide\r\n$browser_1 = \"\\\\Kometa\\\\User Data\\\\Default\\\\Cookies\" wide\r\n$browser_2 = \"\\\\Orbitum\\\\User Data\\\\Default\\\\Cookies\" wide\r\n$browser_3 = \"\\\\Amigo\\\\User\\\\User Data\\\\Default\\\\Cookies\" wide\r\n$coin_regex_1 = \"[13][a-km-zA-HJ-NP-Z1-9]{25,34}\" wide // Bitcoin\r\n$coin_regex_2 = \"0x[a-fA-F0-9]{40}\" wide // Ethereum\r\n$coin_regex_3 = \"L[a-zA-Z0-9]{26,33}\" wide // Litecoin\r\ncondition:\r\nuint16(0) == 0x5A4D and (any of ($ua,$sig,$sched_task,$exe)) and (any of ($cnc_url_*\r\n}\r\nSource: https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/"
	],
	"report_names": [
		"an-analysis-of-l0rdix-rat-panel-and-builder"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434769,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7d13bd778550a95867b6f2c1f06431e3607aa7a.pdf",
		"text": "https://archive.orkl.eu/c7d13bd778550a95867b6f2c1f06431e3607aa7a.txt",
		"img": "https://archive.orkl.eu/c7d13bd778550a95867b6f2c1f06431e3607aa7a.jpg"
	}
}