The hypothesis is that an adversary is using the IP address 176-65-139-219 to host or distribute malicious URLs as part of a campaign to compromise endpoints. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential command and control or data exfiltration activities early.
IOC Summary
Threat: 176-65-139-219 Total URLs: 8 Active URLs: 4
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://176.65.139.219/run.sh | offline | malware_download | 2026-05-24 |
hxxp://176.65.139.219/arm61 | offline | malware_download | 2026-05-24 |
hxxp://176.65.139.219/ppc64 | offline | malware_download | 2026-05-24 |
hxxp://176.65.139.219/sex.sh | offline | malware_download | 2026-05-24 |
hxxp://176.65.139.219/mipsel | online | malware_download | 2026-05-24 |
hxxp://176.65.139.219/x86 | online | malware_download | 2026-05-24 |
hxxp://176.65.139.219/armv6l | online | malware_download | 2026-05-24 |
hxxp://176.65.139.219/i686 | online | malware_download | 2026-05-24 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 176-65-139-219
let malicious_domains = dynamic(["176.65.139.219"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["176.65.139.219"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate software update from a URL tagged as 176-65-139-219.
Filter/Exclusion: Exclude URLs that match known update servers (e.g., update.microsoft.com, download.microsoft.com) or filter by process name (powershell.exe with a known update script).
Scenario: A Windows Task Scheduler job is configured to fetch a configuration file from a remote server at 176-65-139-219, which is part of the company’s internal SCCM (System Center Configuration Manager) infrastructure.
Filter/Exclusion: Exclude traffic originating from or destined to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or filter by domain (internal.company.com).
Scenario: A SIEM (Security Information and Event Management) tool like Splunk or QRadar is configured to send alerts to an external monitoring service at 176-65-139-219 for centralized log analysis.
Filter/Exclusion: Exclude outbound traffic from the SIEM server IP or filter by destination port (e.g., 443 for HTTPS) and source IP (SIEM server).
Scenario: A CI/CD pipeline (e.g., Jenkins, GitHub Actions) is configured to fetch dependencies from a private artifact repository hosted at 176-65-139-219.
Filter/Exclusion: Exclude traffic from known CI/CD agents or filter by user-agent strings associated with CI/