LokiBot - Cyber Threat Intelligence

These indicators were reported, collected, and generated during the VulDB CTI analysis of the actor known as LokiBot. The activity monitoring correlates data from social media, forums, chat rooms, and darknet markets. It helps to determine associated actors, specific activities, expected intentions, emerging research, and ongoing attacks. Our unique predictive model uses big data to forecast activities and their characteristics.

Live data and more analysis capabilities are available at https://vuldb.com/?actor.lokibot

Countries

These countries are directly (e.g. origin of attacks) or indirectly (e.g. access by proxy) associated with LokiBot:

There are 11 more country items available. Please use our online service to access the data.

IOC - Indicator of Compromise

These indicators of compromise (IOC) indicate associated network resources which are known to be part of research and attack activities of LokiBot.

ID	IP address	Hostname	Campaign	Confidence
1	1.2.4.8	public1.sdns.cn	-	High
2	2.57.90.16	-	-	High
3	2.57.186.170	-	-	High
4	2.58.149.41	-	-	High
5	3.64.163.50	ec2-3-64-163-50.eu-central-1.compute.amazonaws.com	-	Medium
6	3.130.204.160	ec2-3-130-204-160.us-east-2.compute.amazonaws.com	-	Medium
7	3.220.57.224	ec2-3-220-57-224.compute-1.amazonaws.com	-	Medium
8	3.232.63.71	ec2-3-232-63-71.compute-1.amazonaws.com	-	Medium
9	3.232.242.170	ec2-3-232-242-170.compute-1.amazonaws.com	-	Medium
10	5.160.218.88	ircpanel4.novinhost.org	-	High
11	5.253.62.214	-	-	High
12	5.255.255.80	yandex.ru	-	High
13	8.208.76.80	-	-	High
14	8.249.245.254	-	-	High
15	13.107.21.200	-	-	High
16	13.250.255.10	ec2-13-250-255-10.ap-southeast-1.compute.amazonaws.com	-	Medium
17	15.197.142.173	a4ec4c6ea1c92e2e6.awsglobalaccelerator.com	-	High
18	18.116.152.12	ec2-18-116-152-12.us-east-2.compute.amazonaws.com	-	Medium
19	18.118.182.0	ec2-18-118-182-0.us-east-2.compute.amazonaws.com	-	Medium
20	18.188.18.34	ec2-18-188-18-34.us-east-2.compute.amazonaws.com	-	Medium
21	20.42.65.92	-	-	High
22	20.72.235.82	-	-	High
23	20.112.52.29	-	-	High
24	20.189.173.20	-	-	High
25	23.20.239.12	ec2-23-20-239-12.compute-1.amazonaws.com	-	Medium
26	23.21.126.66	ec2-23-21-126-66.compute-1.amazonaws.com	-	Medium
27	23.21.173.155	ec2-23-21-173-155.compute-1.amazonaws.com	-	Medium
28	23.21.211.162	ec2-23-21-211-162.compute-1.amazonaws.com	-	Medium
29	23.21.252.4	ec2-23-21-252-4.compute-1.amazonaws.com	-	Medium
30	23.95.132.48	23-95-132-48-host.colocrossing.com	-	High
31	23.105.131.228	-	-	High
32	23.111.168.182	netbserverdns02.com	-	High
33	23.205.105.153	a23-205-105-153.deploy.static.akamaitechnologies.com	-	High
34	23.205.105.157	a23-205-105-157.deploy.static.akamaitechnologies.com	-	High
35	23.222.5.37	a23-222-5-37.deploy.static.akamaitechnologies.com	-	High
36	27.121.64.133	cp133.ezyreg.com	-	High
37	31.13.65.174	instagram-p42-shv-01-atl3.fbcdn.net	-	High
38	31.41.46.120	maldova873.example.com	-	High
39	31.220.52.219	workshop.piguno.com	-	High
40	34.77.10.20	20.10.77.34.bc.googleusercontent.com	-	Medium
41	34.98.99.30	30.99.98.34.bc.googleusercontent.com	-	Medium
42	34.102.136.180	180.136.102.34.bc.googleusercontent.com	-	Medium
43	34.117.168.233	233.168.117.34.bc.googleusercontent.com	-	Medium
44	34.175.248.207	207.248.175.34.bc.googleusercontent.com	-	Medium
45	34.205.248.193	ec2-34-205-248-193.compute-1.amazonaws.com	-	Medium
46	35.186.238.101	101.238.186.35.bc.googleusercontent.com	-	Medium
47	35.238.161.88	88.161.238.35.bc.googleusercontent.com	-	Medium
48	35.247.234.230	230.234.247.35.bc.googleusercontent.com	-	Medium
49	37.0.11.227	-	-	High
50	37.49.224.146	-	-	High
51	37.49.224.209	-	-	High
52	37.49.225.195	-	-	High
53	37.49.225.217	-	-	High
54	37.120.146.122	-	-	High
55	37.120.146.124	-	-	High
56	37.235.1.174	resolver1.freedns.zone.powered.by.virtexxa.com	-	High
57	37.235.1.177	resolver2.freedns.zone.powered.by.virtexxa.com	-	High
58	40.70.224.146	-	-	High
59	40.76.4.15	-	-	High
60	43.254.17.15	43-254-17-15.static.ip.net.tw	-	High
61	43.255.154.37	ip-43-255-154-37.ip.secureserver.net	-	High
62	45.33.6.223	sqlite.org	-	High
63	45.33.83.75	li1029-75.members.linode.com	-	High
64	45.43.35.96	-	-	High
65	45.67.14.182	-	-	High
66	45.80.132.70	host-45-80-132-70.superhosting.rs	-	High
67	45.122.138.6	-	-	High
68	45.128.184.132	vds107519.mgn-host.ru	-	High
69	45.133.1.20	-	-	High
70	45.133.1.45	-	-	High
71	45.147.229.85	-	-	High
72	45.154.253.150	shared04.cust05.proxy.is	-	High
73	45.154.253.152	shared06.cust05.proxy.is	-	High
74	46.17.98.105	-	-	High
75	46.101.46.83	-	-	High
76	47.52.60.150	-	-	High
77	47.88.22.122	server1.sjdjeu.top	-	High
78	47.91.169.15	-	-	High
79	47.254.177.155	-	-	High
80	50.16.216.118	ec2-50-16-216-118.compute-1.amazonaws.com	-	Medium
81	50.19.92.227	ec2-50-19-92-227.compute-1.amazonaws.com	-	Medium
82	50.31.174.86	single-priva16.privatednsorg.com	-	High
83	50.63.202.52	ip-50-63-202-52.ip.secureserver.net	-	High
84	...	...	...	...

There are 333 more IOC items available. Please use our online service to access the data.

TTP - Tactics, Techniques, Procedures

Tactics, techniques, and procedures (TTP) summarize the suspected MITRE ATT&CK techniques used by LokiBot. This data is unique as it uses our predictive model for actor profiling.

ID	Technique	Weakness	Description	Confidence
1	T1006	CWE-21, CWE-22, CWE-28	Pathname Traversal	High
2	T1055	CWE-74	Injection	High
3	T1059	CWE-88, CWE-94, CWE-1321	Cross Site Scripting	High
4	T1059.007	CWE-79, CWE-80	Cross Site Scripting	High
5	...	...	...	...

There are 18 more TTP items available. Please use our online service to access the data.

IOA - Indicator of Attack

These indicators of attack (IOA) list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration by LokiBot. This data is unique as it uses our predictive model for actor profiling.

ID	Type	Indicator	Confidence
1	File	`/+CSCOE+/logon.html`	High
2	File	`/admin/upload/upload`	High
3	File	`/apply.cgi`	Medium
4	File	`/bsms_ci/index.php/book`	High
5	File	`/cgi-bin/wlogin.cgi`	High
6	File	`/config/getuser`	High
7	File	`/debug/pprof`	Medium
8	File	`/etc/hosts`	Medium
9	File	`/example/editor`	High
10	File	`/forum/away.php`	High
11	File	`/goform/delAd`	High
12	File	`/HNAP1`	Low
13	File	`/iu-application/controllers/administration/auth.php`	High
14	File	`/Kofax/KFS/ThinClient/document/upload/`	High
15	File	`/medicines/profile.php`	High
16	File	`/obs/book.php`	High
17	File	`/ossn/administrator/com_installer`	High
18	File	`/pms/update_user.php?user_id=1`	High
19	File	`/spip.php`	Medium
20	File	`/sre/params.php`	High
21	File	`/tmp`	Low
22	File	`/user/upload/upload`	High
23	File	`/Users`	Low
24	File	`/var/spool/hylafax`	High
25	File	`/vendor`	Low
26	File	`/vendor/htmlawed/htmlawed/htmLawedTest.php`	High
27	File	`/webman/info.cgi`	High
28	File	`accountrecoveryendpoint/recoverpassword.do`	High
29	File	`action/addproject.php`	High
30	File	`adclick.php`	Medium
31	File	`add_contestant.php`	High
32	File	`add_product.php`	High
33	File	`admin.php`	Medium
34	File	`admin/add_payment.php`	High
35	File	`admin/disapprove_user.php`	High
36	File	`admin/forget_password.php`	High
37	File	`admin/index.php`	High
38	File	`admin/make_payments.php`	High
39	File	`admin/sysCheckFile_deal.php`	High
40	File	`Advanced_ASUSDDNS_Content.asp`	High
41	File	`af_netlink.c`	Medium
42	File	`album_portal.php`	High
43	File	`AppRestrictionsFragment.java`	High
44	File	`ArtifactoryChoiceListProvider.java`	High
45	File	`artreplydelete.asp`	High
46	File	`attachment.cgi`	High
47	...	...	...

There are 409 more IOA items available (file, library, argument, input value, pattern, network port). Please use our online service to access the data.

References

The following list contains external sources which discuss the actor and the associated activities:

Literature

The following articles explain our unique predictive cyber threat intelligence:

16 KiB Raw Blame History