Adversaries may be using the IP 176.65.139.77 to host or distribute malicious URLs as part of a campaign to compromise endpoints. SOC teams should proactively hunt for this IP in Azure Sentinel to identify potential command-and-control or data exfiltration activity early.
IOC Summary
Threat: 176.65.139.77
Total URLs: 12
Active URLs: 12
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.77/hiddenbin/boatnet.spc | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.arm6 | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.ppc | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.arm5 | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.arm7 | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.arm | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.mips | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.x86 | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.sh4 | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.arc | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.m68k | online | malware_download | 2026-05-29 |
| hxxp://176.65.139.77/hiddenbin/boatnet.mpsl | online | malware_download | 2026-05-29 |
```kusto
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 176.65.139.77
// The indicator is a bare IP, so it will rarely appear in the queried Name;
// also match it against the resolved addresses in IPAddresses.
let malicious_domains = dynamic(["176.65.139.77"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to URLhaus malicious domains
// DestinationHostName is often empty for requests made directly to an IP,
// so also check DestinationIP.
let malicious_domains = dynamic(["176.65.139.77"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to download a legitimate update from a known internal repository hosted at 176.65.139.77.
Filter/Exclusion: Exclude URLs matching the internal repository domain or use a URL filtering list that includes the internal IP address as a trusted source.
Scenario: A scheduled backup job is configured to transfer data to a remote server using a script that connects to 176.65.139.77 via rsync or scp.
Filter/Exclusion: Exclude connections initiated by backup processes or use a process name filter to exclude rsync or scp from the detection logic.
Scenario: A CI/CD pipeline (e.g., Jenkins or GitLab CI) is pushing code to a remote server using a private IP 176.65.139.77 for internal artifact storage.
Filter/Exclusion: Exclude traffic originating from CI/CD tools or use a process name filter for jenkins-agent or gitlab-runner.
Scenario: An endpoint protection tool (e.g., CrowdStrike or Microsoft Defender) is performing a network scan or health check to 176.65.139.77 as part of its routine monitoring.
Filter/Exclusion: Exclude traffic from known security tools using process name filters like CrowdStrike or Microsoft Defender.
Scenario: A remote desktop session (e.g., via RDP or VNC) is being established to a server with the IP 176.65.139.77, which is used for internal remote access.
Filter/Exclusion: Exclude connections initiated by remote access tools using
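The hunting queries above match the indicator in Sentinel, and the scenarios above suggest process-name exclusions to cut false positives. The following Python script is an added example, not part of the original hunt page or of URLhaus, that puts both ideas together offline: it refangs the defanged IOC URLs from the table, scans a few constructed proxy log lines for contact with the IOC host, and applies a constructed process allowlist (jenkins-agent, gitlab-runner, rsync, scp) in the way the false-positive section proposes. One design choice of this example, not from the page: a hit on an exact IOC URL is never suppressed by the process allowlist, because a CI runner fetching a boatnet binary is not a false positive, only a hit on the host alone is eligible for exclusion.

```python
"""Added example: refang URLhaus-style IOCs, scan constructed proxy logs, apply
process-name exclusions. Log lines and the allowlist are constructed for illustration."""
import re
from urllib.parse import urlsplit

# IOC URLs as listed on the hunt page (defanged with hxxp://); a subset is enough here.
IOC_URLS = [
    "hxxp://176.65.139.77/hiddenbin/boatnet.spc",
    "hxxp://176.65.139.77/hiddenbin/boatnet.arm6",
    "hxxp://176.65.139.77/hiddenbin/boatnet.x86",
    "hxxp://176.65.139.77/hiddenbin/boatnet.mips",
]

# Process names the false-positive section proposes excluding (constructed allowlist).
EXCLUDED_PROCESSES = {"jenkins-agent", "gitlab-runner", "rsync", "scp"}

# Constructed proxy log lines: timestamp, source IP, process, action, URL.
LOG_LINES = [
    "2026-05-29T10:01:02Z 10.0.0.5 curl allow http://176.65.139.77/hiddenbin/boatnet.x86",
    "2026-05-29T10:02:10Z 10.0.0.9 gitlab-runner allow http://176.65.139.77/artifacts/build.tgz",
    "2026-05-29T10:03:44Z 10.0.0.7 firefox allow https://example.com/index.html",
    "2026-05-29T10:04:11Z 10.0.0.5 wget block http://176.65.139.77/hiddenbin/boatnet.mips",
    "2026-05-29T10:05:00Z 10.0.0.9 gitlab-runner allow http://176.65.139.77/hiddenbin/boatnet.arm6",
    "malformed line that the parser should skip",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (allow|block) (\S+)$")


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, hxxps://, [.]) back into a parseable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def ioc_sets(ioc_urls):
    """Return (hosts, full_urls): the IOC hosts and the refanged full URLs."""
    hosts, full = set(), set()
    for u in ioc_urls:
        r = refang(u)
        hosts.add(urlsplit(r).hostname)
        full.add(r)
    return hosts, full


def hunt(log_lines, ioc_urls=IOC_URLS, excluded_processes=EXCLUDED_PROCESSES):
    """Return one dict per log line that contacted an IOC host.

    match:    "exact_url" when the full URL is on the IOC list, else "host_only"
    excluded: True when the process is allowlisted; exact IOC URLs are never excluded.
    """
    hosts, full = ioc_sets(ioc_urls)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        ts, src, proc, action, url = m.groups()
        if urlsplit(url).hostname not in hosts:
            continue
        match = "exact_url" if url in full else "host_only"
        hits.append({
            "time": ts, "source": src, "process": proc, "action": action,
            "url": url, "match": match,
            "excluded": match != "exact_url" and proc in excluded_processes,
        })
    return hits


def triage(log_lines, **kw):
    """Split hits into (alerts for an analyst, hits suppressed by the exclusions)."""
    hits = hunt(log_lines, **kw)
    return [h for h in hits if not h["excluded"]], [h for h in hits if h["excluded"]]


if __name__ == "__main__":
    alerts, suppressed = triage(LOG_LINES)
    for h in alerts:
        print(f"ALERT {h['time']} {h['source']} {h['process']} {h['action']} {h['url']} ({h['match']})")
    for h in suppressed:
        print(f"suppressed {h['time']} {h['process']} {h['url']}")
```

On the constructed input this raises three alerts (curl and wget fetching boatnet binaries, and the gitlab-runner line that fetched an exact IOC URL despite being allowlisted) and suppresses only the runner's artifact download. Note that the blocked wget request is still an alert: a DeviceAction of block tells you the proxy stopped the download, not that the host is clean.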