The hypothesis is that an adversary is using the host 176.65.139.126 (URLhaus threat label 176-65-139-126) to stage malware payloads. Every listed URL is a file under /bins/ named for a CPU architecture (arm, arm5/6/7, mips, mipsel, sh4, ppc, x86_64, m68k, spc) plus a shell script, cat.sh; that layout is consistent with a multi-architecture Linux/IoT botnet dropper rather than a generic phishing host. A SOC team should hunt in Microsoft Sentinel (formerly Azure Sentinel) for any internal device that resolves or contacts this address: a hit most likely means a bot binary was downloaded (initial compromise of that device), so the response is to isolate and examine the endpoint, then look for follow-on activity from it. The listing is dated 2026-06-07; weight hits around that date highest, because shared hosting addresses are reassigned, and treat much later traffic as convincing only when the request path matches the /bins/ pattern.
IOC Summary
Threat: 176-65-139-126 | Total URLs: 12 | Active (online) URLs: 3
| URL (defanged) | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.126/bins/arm5 | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/arm | offline | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/mipsel | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/arm6 | offline | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/cat.sh | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/arm7 | offline | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/mips | offline | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/sh4 | offline | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/ppc | offline | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/x86_64 | offline | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/m68k | offline | malware_download | 2026-06-07 |
| hxxp://176.65.139.126/bins/spc | offline | malware_download | 2026-06-07 |
// Hunt for DNS answers that resolve to the URLhaus-listed host
// Threat: 176-65-139-126
// The IOCs are IP literals, so no client ever sends them as a DNS query name;
// match the resolved addresses instead, which also catches any domain fronting this host.
let malicious_ips = dynamic(["176.65.139.126"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc

// Hunt for proxy/firewall traffic to the URLhaus-listed host
// Threat: 176-65-139-126
// DestinationIP is checked as well, because many firewalls log no RequestURL at all.
let malicious_ips = dynamic(["176.65.139.126"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or RequestURL has_any (malicious_ips)
// ListedPath separates requests for the listed /bins/ payloads from mere contact with the host
| extend ListedPath = RequestURL has "/bins/"
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction, ListedPath
| order by TimeGenerated desc
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connectors from proxies and firewalls; confirm the device actually exports RequestURL, otherwise only the DestinationIP clause of the query can match. |
| DnsEvents | Populated by the legacy DNS connector (Log Analytics agent); if Windows DNS is collected through the AMA connector, the data lands in ASimDnsActivityLogs instead, so change the table name in the query. |
Scenario: A sandbox, URL scanner, proxy pre-fetch or threat-intelligence enrichment job deliberately fetches hxxp://176.65.139.126/bins/... to analyse it.
Filter/Exclusion: Keep an allow list of those analysis hosts' source IPs and exclude them in the CommonSecurityLog query. A match from any other endpoint is a finding.
Scenario: A scheduled PowerShell job or Windows Task Scheduler task downloads a file from this address.
Filter/Exclusion: This is not a legitimate update or configuration fetch: 176.65.139.126 is a public address on an active malware-hosting listing, not a Microsoft update server and not an internal server, so never exclude on the IP itself. Excluding known update hosts (*.update.microsoft.com, *.download.windowsupdate.com) is acceptable hygiene, but a task pointing at this IP should be treated as persistence and reviewed (task owner, command line, creation time, the process that created it).
Scenario: A CI/CD pipeline (e.g. Jenkins or GitHub Actions) pulls a dependency from a source that resolves to this IP.
Filter/Exclusion: Public registries (npm, PyPI, Maven Central) do not serve raw architecture-named ELF files from /bins/. Restrict any exclusion to the registries' own domains, and treat a build agent contacting this IP as a poisoned or hijacked dependency source.
Scenario: A log-forwarding or monitoring tool (e.g. Splunk or the ELK stack) sends data to a central collector.
Filter/Exclusion: Internal collectors live on private or organisation-owned ranges; if a collector name such as logs.internal.company.com resolves to 176.65.139.126, the DNS record or forwarder configuration has been tampered with. Exclude by the collector's FQDN only after confirming it resolves to an expected address, never by a destination-IP allow list that contains this address.
Scenario: A remote desktop session (e.g., RDP) is being initiated from a machine with the IP 176-65-139-126, which is part of a legitimate remote access
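The following is an added example, not code from the page or from URLhaus: it turns the IOC table above into the `dynamic([...])` lists the hunting queries use and dry-runs the same matching rules over constructed DnsEvents- and CommonSecurityLog-style records, including the analysis-host allow list from the false-positive scenarios. It generalises slightly beyond the page: domain IOCs are matched on the DNS query name, while IP-literal IOCs (the only kind on this page) are matched on the resolved addresses, since a client never queries an IP literal. All records, hostnames (cdn.example.test) and the sandbox address 10.9.9.9 are assumptions made for the example.

```python
"""Added example: URLhaus rows -> KQL let-lists, plus an offline dry run of the
hunting logic over constructed log records (not real telemetry)."""
import re

# Subset of the URLhaus rows on this page (status as listed there).
URLHAUS_ROWS = [
    ("hxxp://176.65.139.126/bins/arm5", "online"),
    ("hxxp://176.65.139.126/bins/arm", "offline"),
    ("hxxp://176.65.139.126/bins/mipsel", "online"),
    ("hxxp://176.65.139.126/bins/cat.sh", "online"),
    ("hxxp://176.65.139.126/bins/x86_64", "offline"),
]

_URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::\d+)?(?P<path>/.*)?$")


def refang(url: str) -> str:
    """Undo hxxp:// and [.] defanging so values compare equal to real log data."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def split_iocs(rows):
    """Return (hosts, paths). Offline URLs are kept: they still matter for
    hunting historical traffic."""
    hosts, paths = set(), set()
    for url, _status in rows:
        m = _URL_RE.match(refang(url))
        if m is None:
            raise ValueError(f"unparseable IOC: {url}")
        hosts.add(m["host"])
        paths.add(m["path"] or "/")
    return hosts, paths


def kql_let(name, values):
    """Render `let name = dynamic([...]);` for pasting into a Sentinel query."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in sorted(values))
    return f"let {name} = dynamic([{quoted}]);"


def is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def dns_hits(records, hosts):
    """DnsEvents-style match: IP IOCs against the resolved IPAddresses column,
    domain IOCs (none on this page) against the query Name."""
    ip_iocs = {h for h in hosts if is_ip_literal(h)}
    hits = []
    for r in records:
        answers = {a.strip() for a in r["IPAddresses"].split(",") if a.strip()}
        if r["Name"] in hosts or answers & ip_iocs:
            hits.append(r)
    return hits


def proxy_hits(records, hosts, paths, analysis_sources=frozenset()):
    """CommonSecurityLog-style match on DestinationIP or RequestURL host.
    analysis_sources is the allow list of sandbox/scanner source IPs; any other
    matching source is a finding."""
    hits = []
    for r in records:
        if r["SourceIP"] in analysis_sources:
            continue
        m = _URL_RE.match(r.get("RequestURL") or "")
        url_host = m["host"] if m else ""
        url_path = (m["path"] or "/") if m else ""
        if url_host in hosts or r.get("DestinationIP") in hosts:
            # exact_path separates listed payload URLs from host-only contact
            hits.append(dict(r, exact_path=url_path in paths))
    return hits


# Constructed sample records; cdn.example.test and 10.9.9.9 are assumptions.
DNS_SAMPLE = [
    {"Computer": "ws01", "Name": "cdn.example.test", "IPAddresses": "176.65.139.126"},
    {"Computer": "ws02", "Name": "update.microsoft.com", "IPAddresses": "203.0.113.5"},
]
PROXY_SAMPLE = [
    {"SourceIP": "10.0.0.12", "DestinationIP": "176.65.139.126",
     "RequestURL": "http://176.65.139.126/bins/cat.sh", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.12", "DestinationIP": "176.65.139.126",
     "RequestURL": "http://176.65.139.126/bins/arm7l", "DeviceAction": "allow"},
    {"SourceIP": "10.9.9.9", "DestinationIP": "176.65.139.126",
     "RequestURL": "http://176.65.139.126/bins/arm5", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.40", "DestinationIP": "203.0.113.7",
     "RequestURL": "http://download.windowsupdate.com/x.cab", "DeviceAction": "allow"},
]
SANDBOX_SOURCES = frozenset({"10.9.9.9"})  # assumed analysis-host address


def hunt():
    """Build the KQL lists and return (kql_text, dns_findings, proxy_findings)."""
    hosts, paths = split_iocs(URLHAUS_ROWS)
    kql = "\n".join([kql_let("malicious_ips", hosts), kql_let("malicious_paths", paths)])
    return kql, dns_hits(DNS_SAMPLE, hosts), proxy_hits(PROXY_SAMPLE, hosts, paths, SANDBOX_SOURCES)


if __name__ == "__main__":
    kql, dns, proxy = hunt()
    print(kql)
    for r in dns:
        print("DNS hit:", r["Computer"], r["Name"], "->", r["IPAddresses"])
    for r in proxy:
        print("Proxy hit:", r["SourceIP"], r["RequestURL"], "listed path" if r["exact_path"] else "host only")
```

Run as written, the script prints two `let` statements ready to paste above the queries, one DNS finding (a domain answering with the listed IP), and two proxy findings from 10.0.0.12; the sandbox request from 10.9.9.9 is suppressed by the allow list, and the request for /bins/arm7l is reported as host-only contact because that path is not on the list.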