The hypothesis is that an adversary is using the IP address 176-65-139-129 to host or distribute malicious URLs as part of a campaign to compromise endpoints. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement or data exfiltration attempts.
IOC Summary
Threat: 176-65-139-129 | Total URLs: 9 | Active URLs: 9
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.129/x86 | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.129/i686 | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.129/armv7l | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.129/armv6l | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.129/mipsel | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.129/x86_64 | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.129/mips | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.129/ppc64 | online | malware_download | 2026-06-07 |
| hxxp://176.65.139.129/armv5l | online | malware_download | 2026-06-07 |
```kusto
// Hunt for DNS activity involving the URLhaus indicator
// Threat: 176-65-139-129
// The indicator is an IP address, so it will not appear as the queried Name;
// match it against the resolved answers (IPAddresses) as well.
let malicious_hosts = dynamic(["176.65.139.129"]);
DnsEvents
| where Name has_any (malicious_hosts) or IPAddresses has_any (malicious_hosts)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus indicator
// Threat: 176-65-139-129
// Match the requested URL, the destination host name and the destination IP,
// since proxy and firewall sources populate these columns differently.
let malicious_hosts = dynamic(["176.65.139.129"]);
CommonSecurityLog
| where RequestURL has_any (malicious_hosts)
    or DestinationHostName has_any (malicious_hosts)
    or DestinationIP has_any (malicious_hosts)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
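As an added offline illustration of the same matching logic (example code written for this page, not part of the hunt or of Sentinel), the Python below refangs the URLhaus indicators from the table above and runs them over constructed rows shaped like the CommonSecurityLog and DnsEvents columns the queries project. It distinguishes exact payload-URL hits from host-only hits, and checks the DNS answer column, because an IP indicator never appears as the queried name. All sample rows, hostnames and internal IPs are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed from the URLhaus table above: nine per-architecture payload paths on one host (defanged hxxp://).
ARCHES = ("x86", "i686", "armv7l", "armv6l", "mipsel", "x86_64", "mips", "ppc64", "armv5l")
IOC_URLS = [f"hxxp://176.65.139.129/{a}" for a in ARCHES]


def refang(url: str) -> str:
    """Undo common defanging (hxxp -> http, [.] -> .) so an IOC matches real log text."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE).replace("[.]", ".")


def build_indicators(ioc_urls):
    """Return (hosts, urls): hosts for broad matching, scheme-less host+path for exact matching."""
    hosts, urls = set(), set()
    for u in ioc_urls:
        p = urlsplit(refang(u))
        hosts.add(p.netloc.lower())
        urls.add(p.netloc.lower() + p.path.rstrip("/"))
    return hosts, urls


def hunt(csl_rows, dns_rows, ioc_urls=IOC_URLS):
    """Mirror the two Sentinel queries over dict rows. DNS rows are also checked on the
    answer column, because an IP-based IOC never appears as the queried Name."""
    hosts, urls = build_indicators(ioc_urls)
    hits = []
    for r in csl_rows:
        p = urlsplit(r["RequestURL"])
        host = p.netloc.lower()
        if host + p.path.rstrip("/") in urls:
            hits.append(("CommonSecurityLog", "exact_url", r["SourceIP"], r["RequestURL"]))
        elif host in hosts or r["DestinationHostName"].lower() in hosts:
            hits.append(("CommonSecurityLog", "host_only", r["SourceIP"], r["RequestURL"]))
    for r in dns_rows:
        answers = {ip.strip() for ip in r["IPAddresses"].split(",") if ip.strip()}
        if r["Name"].lower() in hosts or answers & hosts:
            hits.append(("DnsEvents", "resolved_to_ioc", r["Computer"], r["Name"]))
    return hits


# Constructed sample rows in the shape of the columns projected by the queries above.
SAMPLE_CSL = [
    {"SourceIP": "10.0.0.21", "RequestURL": "http://176.65.139.129/armv7l", "DestinationHostName": "176.65.139.129"},
    {"SourceIP": "10.0.0.22", "RequestURL": "https://updates.example.com/patch.bin", "DestinationHostName": "updates.example.com"},
    {"SourceIP": "10.0.0.23", "RequestURL": "http://176.65.139.129/readme.txt", "DestinationHostName": "176.65.139.129"},
]
SAMPLE_DNS = [
    {"Computer": "iot-gw-01", "Name": "cdn.example.net", "IPAddresses": "176.65.139.129"},
    {"Computer": "ws-042", "Name": "login.example.org", "IPAddresses": "203.0.113.5"},
]
```

Running `hunt(SAMPLE_CSL, SAMPLE_DNS)` returns one exact payload hit, one host-only hit (worth triage rather than an automatic verdict) and one DNS resolution to the indicator.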
Scenario: Scheduled System Update Job
Description: A legitimate system update job uses a URL from the IP 176-65-139-129 to download a patch.
Filter/Exclusion: Exclude traffic originating from the system update scheduler (e.g., task scheduler, cron, or ansible job with known update scripts).
Scenario: Internal Monitoring Tool Data Collection
Description: An internal monitoring tool (e.g., Splunk, ELK Stack, or Datadog) sends data to a URL hosted on the IP 176-65-139-129 for centralized logging.
Filter/Exclusion: Exclude traffic from known monitoring tools (e.g., splunkforwarder, logstash, or datadog-agent).
Scenario: Cloud Backup Service Sync
Description: A cloud backup service (e.g., Veeam, Commvault, or AWS Backup) uses a URL from the IP 176-65-139-129 to sync data to a remote server.
Filter/Exclusion: Exclude traffic associated with backup services (e.g., veeambackup, commvault, or aws-backup).
Scenario: Admin Task for Patch Management
Description: An administrator manually runs a patch management tool (e.g., WSUS, Microsoft Endpoint Manager, or Altiris) that connects to the IP 176-65-139-129.
Filter/Exclusion: Exclude traffic initiated by known admin tools (e.g., wsusutil, meconfig, or altiris).
Scenario: Internal DevOps Pipeline Artifact Download
Description: A CI