The hypothesis is that the adversary is using the host 176.65.139.119 (URLhaus threat tag 176-65-139-119) to host or distribute malicious URLs as part of a campaign to compromise endpoints. SOC teams should proactively hunt for this behaviour in Azure Sentinel so that any resulting lateral movement or data exfiltration attempts can be identified and mitigated early.
IOC Summary

Threat: 176-65-139-119 (host 176.65.139.119). Total URLs: 2. Active URLs: 2.

| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.119/run.sh | online | malware_download | 2026-05-24 |
| hxxp://176.65.139.119/cat.sh | online | malware_download | 2026-05-24 |
Hunting Queries

```kusto
// Hunt for DNS resolution involving URLhaus malicious hosts
// Threat: 176-65-139-119
// The indicator is a raw IP, so a client fetching the URL performs no lookup of the
// IP itself; matching the resolved IPAddresses column as well catches a domain that
// points at it.
let malicious_hosts = dynamic(["176.65.139.119"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious hosts
// Threat: 176-65-139-119
// DestinationIP is checked too, since the URL host is the IP and proxies
// do not always populate DestinationHostName for raw-IP requests.
let malicious_hosts = dynamic(["176.65.139.119"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP has_any (malicious_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
Required Data Sources

| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
False Positive Scenarios

- Scenario: A system administrator uses wget to download a legitimate software update from a server with the IP 176.65.139.119.
  Filter/Exclusion: Exclude traffic originating from known admin workstations, or use a custom field like src_user = "admin_user".
- Scenario: A scheduled job runs curl to fetch a configuration file from a trusted internal server with the IP 176.65.139.119.
  Filter/Exclusion: Exclude traffic to internal IPs, or use a field like dest_ip = "176.65.139.119" and check it against a whitelist of internal URLs.
- Scenario: A DevOps pipeline uses ansible to push code to a remote server with the IP 176.65.139.119 over a secure HTTPS connection.
  Filter/Exclusion: Exclude traffic from known CI/CD tools, or use a field like process_name = "ansible" and check the destination against a whitelist of allowed hosts.
- Scenario: A user accesses a legitimate phishing training page hosted on a server with the IP 176.65.139.119 as part of a security awareness program.
  Filter/Exclusion: Exclude traffic to URLs containing /phishing-training/, or use a field like url = "*phishing-training*" for the exclusion.
- Scenario: A backup job runs rsync to transfer data to a remote backup server with the IP 176.65.139.119.
  Filter/Exclusion: Exclude traffic associated with backup processes, or use a field like process_name = "rsync" and check the destination against a known backup server list.
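To see the two hunts and the exclusions work end to end, here is an added Python example (not code from the original page or from URLhaus): it refangs the IOC URLs from the table, derives the host to hunt for, and runs the proxy and DNS matching that the KQL queries express over constructed sample records, applying exclusions modelled on the false-positive scenarios above. The record field names follow CommonSecurityLog and DnsEvents columns; the ProcessName field on proxy events, the KNOWN_GOOD_HOSTS allowlist and every sample record are assumptions made for this example, not real telemetry.

```python
"""Added example, not part of the original hunt page: refang the URLhaus
indicators, derive the host to hunt for, and mirror the two KQL hunts over
constructed proxy and DNS records with exclusions modelled on the
false-positive scenarios. Field names follow CommonSecurityLog / DnsEvents
columns; ProcessName on a proxy event is an assumption (in practice it would
be joined in from an endpoint source)."""
from urllib.parse import urlsplit

# Indicators copied from the IOC table, in URLhaus' defanged form.
IOC_URLS = [
    "hxxp://176.65.139.119/run.sh",
    "hxxp://176.65.139.119/cat.sh",
]

# Constructed allowlist of backup / CI targets used by the exclusion rule.
KNOWN_GOOD_HOSTS = {"198.51.100.20"}
AUTOMATION_PROCESSES = {"rsync", "ansible"}


def refang(url: str) -> str:
    """Restore the scheme URLhaus defangs (hxxp -> http) so urlsplit can parse it."""
    for defanged, real in (("hxxps://", "https://"), ("hxxp://", "http://")):
        if url.lower().startswith(defanged):
            return real + url[len(defanged):]
    return url


def url_host(url: str):
    """Host part of a URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def ioc_hosts(urls=IOC_URLS):
    """Hosts (here a single IP) to hunt for, derived from the IOC URLs."""
    return {h for h in (url_host(refang(u)) for u in urls) if h}


def is_excluded(ev: dict) -> bool:
    """Exclusions mirroring the false-positive scenarios: automation tooling
    talking to an allowlisted host, and the awareness-training path."""
    host = url_host(ev.get("RequestURL", ""))
    if ev.get("ProcessName") in AUTOMATION_PROCESSES and (
        host in KNOWN_GOOD_HOSTS or ev.get("DestinationIP") in KNOWN_GOOD_HOSTS
    ):
        return True
    if "/phishing-training/" in ev.get("RequestURL", ""):
        return True
    return False


def hunt_proxy(events, hosts):
    """Counterpart of the CommonSecurityLog query: match on the parsed URL host
    or the destination IP, not on a substring of the whole URL."""
    hits = [
        ev for ev in events
        if (url_host(ev.get("RequestURL", "")) in hosts or ev.get("DestinationIP") in hosts)
        and not is_excluded(ev)
    ]
    return sorted(hits, key=lambda e: e["TimeGenerated"], reverse=True)


def hunt_dns(events, hosts):
    """Counterpart of the DnsEvents query. A raw-IP URL causes no lookup of the
    IP itself, so the resolved IPAddresses column is what actually catches it."""
    hits = []
    for ev in events:
        resolved = {ip.strip() for ip in ev.get("IPAddresses", "").split(",")}
        if ev.get("Name") in hosts or resolved & hosts:
            hits.append(ev)
    return hits


# Constructed sample records (not real telemetry).
PROXY_EVENTS = [
    {"TimeGenerated": "2026-05-24T09:10:00Z", "SourceIP": "10.0.0.12",
     "RequestURL": "http://176.65.139.119/run.sh", "DestinationIP": "176.65.139.119",
     "DeviceAction": "allow", "ProcessName": "curl"},                 # hit
    {"TimeGenerated": "2026-05-24T09:12:00Z", "SourceIP": "10.0.0.13",
     "RequestURL": "http://176.65.139.1190/run.sh", "DestinationIP": "203.0.113.7",
     "DeviceAction": "allow", "ProcessName": "curl"},                 # superstring: no hit
    {"TimeGenerated": "2026-05-24T09:15:00Z", "SourceIP": "10.0.0.14",
     "RequestURL": "http://176.65.139.119/phishing-training/index.html",
     "DestinationIP": "176.65.139.119", "DeviceAction": "allow",
     "ProcessName": "chrome"},                                        # excluded by path rule
    {"TimeGenerated": "2026-05-24T09:20:00Z", "SourceIP": "10.0.0.15",
     "RequestURL": "rsync://176.65.139.119/backup", "DestinationIP": "176.65.139.119",
     "DeviceAction": "allow", "ProcessName": "rsync"},                # rsync, host not allowlisted: hit
]

DNS_EVENTS = [
    {"TimeGenerated": "2026-05-24T09:09:00Z", "Computer": "ws12",
     "Name": "updates.example.test", "IPAddresses": "176.65.139.119"},
    {"TimeGenerated": "2026-05-24T09:11:00Z", "Computer": "ws13",
     "Name": "cdn.example.test", "IPAddresses": "203.0.113.9,203.0.113.10"},
]

if __name__ == "__main__":
    hosts = ioc_hosts()
    for ev in hunt_proxy(PROXY_EVENTS, hosts):
        print("proxy hit", ev["TimeGenerated"], ev["SourceIP"], ev["RequestURL"])
    for ev in hunt_dns(DNS_EVENTS, hosts):
        print("dns hit", ev["TimeGenerated"], ev["Computer"], ev["Name"], ev["IPAddresses"])
```

Matching on the parsed host or DestinationIP rather than on a substring of the whole URL is what keeps the 176.65.139.1190 record from firing, and the rsync record still surfaces because the exclusion is keyed on an allowlist of known backup targets, not on the process name alone. The path-based training exclusion is applied only to an event that already matched; since the path is under the remote server's control, an allowlist keyed on the training vendor's host is the safer shape for that rule in production.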