The hypothesis is that an adversary is using the IP 176.65.139.107 (URLhaus threat ID 176-65-139-107) to host malware payloads, here two shell scripts, that targeted endpoints download and execute as part of a compromise campaign. SOC teams should proactively hunt in Azure Sentinel for DNS answers that resolve to this IP and for web or firewall traffic that reaches it, so a payload download is identified and contained before the payload can establish persistence, move laterally or exfiltrate data.
IOC Summary
Threat: 176-65-139-107 | Total URLs: 2 | Active URLs: 2

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.107/run.sh | online | malware_download | 2026-05-24 |
| hxxp://176.65.139.107/cat.sh | online | malware_download | 2026-05-24 |
// Hunt for DNS answers that resolve to the URLhaus-listed IP
// Threat: 176-65-139-107 (URLhaus threat ID; the IOC itself is the IP 176.65.139.107)
// The IOC is an IP, not a domain, so match on the resolved addresses (IPAddresses);
// a query Name that is the raw IP is also checked in case of direct lookups.
let malicious_ips = dynamic(["176.65.139.107"]);
DnsEvents
| where IPAddresses has_any (malicious_ips) or Name has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
// Hunt for web or firewall traffic to the URLhaus-listed IP (CEF/Syslog sources)
// DestinationIP is checked as well as the URL/host fields, since proxy and firewall
// records for a raw-IP download often carry no hostname at all.
let malicious_ips = dynamic(["176.65.139.107"]);
let malicious_paths = dynamic(["/run.sh", "/cat.sh"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or RequestURL has_any (malicious_ips)
| extend KnownPayload = RequestURL has_any (malicious_paths)
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, KnownPayload, DeviceAction, DeviceVendor
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog data connector (firewalls, proxies); ensure it is enabled and that RequestURL/DestinationIP are mapped for your sources |
| DnsEvents | Populated by the DNS data connector (Windows DNS server events); ensure it is enabled, otherwise the DNS hunt returns nothing rather than "no findings" |
Scenario: Legitimate scheduled job using curl to fetch internal reports
Description: A cron job runs curl to fetch internal compliance reports from a server with IP 176.65.139.107.
Filter/Exclusion: Only applicable if your organisation actually operates 176.65.139.107 (confirm against the asset inventory; a URLhaus-listed public IP rarely is yours). If it does, exclude the specific source host and the exact report URLs it fetches, not the whole /reports/ or /internal/ path prefix, and never the /run.sh or /cat.sh paths.
Scenario: Admin task using wget to download a trusted update package
Description: An administrator uses wget to download a trusted software update from a server with IP 176.65.139.107.
Filter/Exclusion: Exclude only the documented update URL (exact host and path under /updates/, as named in the change record) from the named admin workstation. Do not exclude on the account name alone: root, admin and sysadmin are the accounts a dropper typically runs as, and a shell script fetched with wget as root is precisely the behaviour this hunt exists to find.
Scenario: Log collection from a remote syslog server
Description: A log aggregation tool like rsyslog or Fluentd sends logs to a syslog server with IP 176.65.139.107.
Filter/Exclusion: Exclude traffic to port 514 (syslog) from the named collectors (e.g., logserver01) only. Keep HTTP traffic to the same IP in scope: the URLhaus entries are HTTP downloads, and a legitimate syslog destination does not make an HTTP request for /run.sh from the same host benign.
Scenario: Internal DNS resolution using nslookup or dig
Description: A user runs nslookup or dig to resolve internal domain names, and the DNS server is at 176.65.139.107.
Filter/Exclusion: Exclude port 53 traffic from hosts configured to use that resolver only. Do not exclude DnsEvents records on the basis of an internal query name (.internal, .local, .corp): the DNS hunt matches on the resolved address, so an internal name that resolves to 176.65.139.107 is itself a finding to investigate, not noise.
**Scenario: CI
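The matching and tuning logic of the two hunts above, re-implemented offline in Python as an added example (not code from the original page, URLhaus or Sentinel) so it can be checked without a workspace: it refangs the URLhaus URLs, converts the hyphenated threat ID back to the IP, runs the DnsEvents and CommonSecurityLog logic over records shaped like those tables, and applies an exclusion scoped so that the listed payload paths can never be tuned out. Every log record, hostname and private source IP below is constructed for the example; only the IOC values come from the page.

```python
"""Offline version of the DnsEvents / CommonSecurityLog hunts for URLhaus threat
176-65-139-107. Added example; log records below are constructed, not real data."""
import ipaddress
from urllib.parse import urlsplit

# IOCs as published on the page. URLhaus defangs URLs with "hxxp" and names
# IP-hosted threats with hyphens; both forms are normalised before matching.
URLHAUS_THREAT_ID = "176-65-139-107"
URLHAUS_URLS = [
    "hxxp://176.65.139.107/run.sh",
    "hxxp://176.65.139.107/cat.sh",
]


def refang(url: str) -> str:
    """Turn a URLhaus-style defanged URL back into a parseable one."""
    return url.replace("hxxp://", "http://").replace("hxxps://", "https://").replace("[.]", ".")


def threat_id_to_ip(threat_id: str) -> str:
    """Convert the hyphenated URLhaus threat ID to a validated dotted IP."""
    return str(ipaddress.ip_address(threat_id.replace("-", ".")))


IOC_IP = threat_id_to_ip(URLHAUS_THREAT_ID)                       # "176.65.139.107"
IOC_PATHS = {urlsplit(refang(u)).path for u in URLHAUS_URLS}     # {"/run.sh", "/cat.sh"}


def ip_matches(value: str, ioc_ip: str) -> bool:
    """Exact address comparison, so 176.65.139.10 and 176.65.139.107 never match each other
    the way a substring check would. Non-IP values (hostnames, empty strings) never match."""
    try:
        return ipaddress.ip_address(value.strip()) == ipaddress.ip_address(ioc_ip)
    except ValueError:
        return False


def hunt_dns(events, ioc_ip=IOC_IP):
    """DnsEvents hunt: hosts whose DNS answers contain the IOC IP.
    IPAddresses may carry several comma-separated answers, so each one is checked."""
    hits = []
    for e in events:
        answers = [a for a in e["IPAddresses"].split(",") if a.strip()]
        if any(ip_matches(a, ioc_ip) for a in answers):
            hits.append((e["Computer"], e["Name"]))
    return hits


def hunt_web(events, ioc_ip=IOC_IP, ioc_paths=IOC_PATHS):
    """CommonSecurityLog hunt: destination IP or URL host equals the IOC.
    Each hit records the requested path and whether it is a URLhaus-listed payload."""
    hits = []
    for e in events:
        url = urlsplit(e.get("RequestURL", ""))
        if ip_matches(e.get("DestinationIP", ""), ioc_ip) or ip_matches(url.hostname or "", ioc_ip):
            hits.append({
                "SourceIP": e["SourceIP"],
                "Path": url.path,
                "KnownPayload": url.path in ioc_paths,
                "DeviceAction": e["DeviceAction"],
            })
    return hits


def apply_exclusions(hits, allowed_paths):
    """Scoped tuning: drop only hits for explicitly documented paths, and never drop a
    URLhaus-listed payload path no matter what the allowlist says."""
    return [h for h in hits if h["KnownPayload"] or h["Path"] not in allowed_paths]


# Constructed records in the shape of the Sentinel columns used by the KQL hunts.
DNS_EVENTS = [
    {"Computer": "ws01", "Name": "cdn.example.net", "IPAddresses": "203.0.113.10"},
    {"Computer": "ws07", "Name": "updates.example.org", "IPAddresses": "176.65.139.107"},
]
CSL_EVENTS = [
    {"SourceIP": "10.0.0.5", "DestinationIP": "176.65.139.107",
     "RequestURL": "http://176.65.139.107/run.sh", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.9", "DestinationIP": "176.65.139.1",          # look-alike, not the IOC
     "RequestURL": "http://176.65.139.1/run.sh", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.12", "DestinationIP": "176.65.139.107",
     "RequestURL": "http://176.65.139.107/reports/q2.pdf", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.3", "DestinationIP": "198.51.100.7",
     "RequestURL": "http://198.51.100.7/cat.sh", "DeviceAction": "allow"},
]

if __name__ == "__main__":
    print("DNS hits:", hunt_dns(DNS_EVENTS))
    web_hits = hunt_web(CSL_EVENTS)
    print("Web hits:", web_hits)
    # A documented report URL is tuned out; the allowlisted /run.sh entry is ignored.
    print("After tuning:", apply_exclusions(web_hits, allowed_paths={"/reports/q2.pdf", "/run.sh"}))
```

The second CommonSecurityLog record (176.65.139.1) is the reason the hunts compare whole addresses rather than substrings, and the last call shows the property the false-positive scenarios rely on: an allowlist entry for /run.sh has no effect, because a URLhaus-listed payload path is never excluded.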