The hypothesis is that an adversary is using the IP 176.65.139.196 (tracked as threat 176-65-139-196) to host or distribute malicious URLs as part of a campaign to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activity early.

IOC Summary

Threat: 176-65-139-196
Total URLs: 3
Active URLs: 3
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.196/iran.x86_64 | online | malware_download | 2026-05-27 |
| hxxp://176.65.139.196/iran.m68k | online | malware_download | 2026-05-27 |
| hxxp://176.65.139.196/iran.i486 | online | malware_download | 2026-05-27 |
```kql
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 176-65-139-196
let malicious_domains = dynamic(["176.65.139.196"]);
DnsEvents
// The IOC here is an IP, so also match it against the resolved addresses
// (IPAddresses); a bare IP rarely appears as the queried Name.
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to URLhaus malicious domains
// Threat: 176-65-139-196
let malicious_domains = dynamic(["176.65.139.196"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using curl or wget to download a legitimate update from a trusted internal repository hosted at 176-65-139-196.
  Filter/Exclusion: Exclude traffic originating from known admin workstations or filter by source IP if the IP is used internally for updates.
- Scenario: A scheduled job using Ansible or Puppet is executing a playbook that fetches configuration files from a remote server at 176-65-139-196.
  Filter/Exclusion: Exclude traffic associated with known configuration management tools or filter by destination IP if it is part of a trusted infrastructure.
- Scenario: A developer is using Postman or curl to test a legitimate API endpoint hosted at 176-65-139-196 during development.
  Filter/Exclusion: Exclude traffic from development environments or filter by user-agent strings associated with development tools.
- Scenario: A backup job using rsync or Veeam is transferring data to a backup server located at 176-65-139-196.
  Filter/Exclusion: Exclude traffic related to backup processes or filter by application-specific command-line arguments or process names.
- Scenario: A security tool like OSSEC or Splunk is querying a remote server at 176-65-139-196 for threat intelligence or logs.
  Filter/Exclusion: Exclude traffic from known security tools or filter by process names or command-line arguments associated with threat intelligence platforms.
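The following query is an added example, not part of the original hunt pack: it ties the three URLhaus URLs above to the exclusions just listed in a single CommonSecurityLog hunt, drops the benign sources and user agents, and summarises per client so one noisy host does not flood the results. The exclusion ranges and user-agent strings are placeholders to replace with your own inventory; the column names are the standard CommonSecurityLog schema.

```kql
// Added example hunt for threat 176-65-139-196 with the false-positive
// exclusions applied. Placeholder values are marked; adjust to your estate.
let malicious_ip = "176.65.139.196";
// The IOC table above is defanged (hxxp); logs carry the real scheme.
let malicious_urls = dynamic([
    "http://176.65.139.196/iran.x86_64",
    "http://176.65.139.196/iran.m68k",
    "http://176.65.139.196/iran.i486"]);
// PLACEHOLDER: ranges of admin workstations, config-management, backup and
// security-tool hosts that legitimately talk to this address (if any).
let excluded_ranges = dynamic(["10.10.50.0/24", "10.10.60.5/32"]);
// PLACEHOLDER: user agents of development tools to suppress.
let excluded_user_agents = dynamic(["PostmanRuntime"]);
CommonSecurityLog
| where TimeGenerated > ago(30d)
| where DestinationIP == malicious_ip
    or DestinationHostName == malicious_ip
    or RequestURL has malicious_ip
// Flag hits on the exact payload URLs versus other contact with the host.
| extend IsKnownPayload = RequestURL in~ (malicious_urls)
// Exclude trusted source ranges; coalesce keeps rows with an empty SourceIP
// (ipv4_is_in_any_range returns null for unparsable input).
| where coalesce(ipv4_is_in_any_range(SourceIP, excluded_ranges), false) == false
| where not(RequestClientApplication has_any (excluded_user_agents))
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Hits = count(),
            // Connections the device did not block are the ones to triage first.
            AllowedHits = countif(DeviceAction !in~ ("Deny", "Block", "Drop")),
            PayloadHits = countif(IsKnownPayload),
            URLs = make_set(RequestURL, 10),
            Actions = make_set(DeviceAction, 5)
  by SourceIP, Computer
| order by PayloadHits desc, AllowedHits desc
```

Any row with PayloadHits > 0 and AllowedHits > 0 indicates a client that fetched one of the listed binaries without being blocked and should be isolated and examined for the downloaded file.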