Hypothesis: the adversary is serving malware payloads from IP 176.65.139.99 (URLhaus threat ID 176-65-139-99; the hyphenated form is the feed's identifier, not an address). All eleven listed URLs are classified malware_download, and the filenames (wife.arm4 through wife.arm7, wife.mips, wife.mpsl, wife.i486, wife.i686, wife.m68k, wife.dbg, plus the shell script peniss.sh) are the layout of a multi-architecture Linux/IoT dropper: a script is fetched first and then pulls and executes the binary built for the victim's CPU. SOC teams should hunt in Microsoft Sentinel (formerly Azure Sentinel) for any outbound contact with this IP and treat a host that fetches the script, or more than one architecture binary, as an infection in progress. The evidence on this page supports payload delivery and follow-on command and control; it does not by itself show data exfiltration, so do not assume exfiltration without additional evidence.
IOC Summary
Threat: 176-65-139-99 Total URLs: 11 Active URLs: 11
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.99/wife.dbg | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/wife.arm7 | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/wife.i686 | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/wife.mips | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/wife.mpsl | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/peniss.sh | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/wife.i486 | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/wife.arm5 | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/wife.m68k | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/wife.arm4 | online | malware_download | 2026-05-26 |
| hxxp://176.65.139.99/wife.arm6 | online | malware_download | 2026-05-26 |
```kusto
// Hunt 1: DNS. The IOC is a bare IP, so a victim fetching http://176.65.139.99/... does not
// resolve anything; the only DNS signal is a domain that resolves to that IP, which appears in
// the IPAddresses column, not in the queried Name. Matching Name against an IP finds nothing.
// Threat: 176-65-139-99 (URLhaus threat ID for 176.65.139.99)
let malicious_ips = dynamic(["176.65.139.99"]);
DnsEvents
| where IPAddresses has_any (malicious_ips)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt 2: proxy/firewall traffic to the IOC IP. Check the destination address as well as the
// URL and host name fields, since many devices populate only one of them.
let malicious_ips = dynamic(["176.65.139.99"]);
CommonSecurityLog
| where DestinationIP has_any (malicious_ips)
    or DestinationHostName has_any (malicious_ips)
    or RequestURL has_any (malicious_ips)
| project TimeGenerated, SourceIP, SourceHostName, DestinationIP, DestinationHostName, RequestURL, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the CEF/Syslog connector for firewall and proxy logs. Confirm that the device's CEF mapping actually fills RequestURL and DestinationIP; if it does not, the URL and address matches above return nothing even while traffic to the IP is being logged. |
| DnsEvents | Populated by the legacy DNS Analytics connector (Log Analytics agent). If DNS is collected through the newer AMA/ASIM path instead, run the same logic against ASimDnsActivityLogs with the column names adjusted. |
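The two hunts above match on the IP alone and return one row per event. The query below is an added example, not part of the original page, that covers the full eleven-URL IOC set and rolls results up per source host, so that a host which pulled the script or several architecture builds (the dropper iterating over CPU types) ranks above a bare contact with the IP. It assumes proxy or firewall events in CommonSecurityLog populate RequestURL with the full URL, DestinationIP and DeviceAction; the 30-day lookback is an assumption to adjust to your retention. The URLs are refanged (hxxp to http) so they compare equal to what devices log.

```kusto
// Added example (not part of the original page): hunt over the full URLhaus IOC set
// for 176.65.139.99 and summarise per source host.
// Assumption: CommonSecurityLog rows carry RequestURL, DestinationIP, DeviceAction.
let ioc_ip = "176.65.139.99";
let lookback = 30d;   // assumption: adjust to retention
// The eleven listed URLs, refanged so they match logged URLs.
let ioc_urls = datatable(Url:string, Threat:string)[
    "http://176.65.139.99/wife.dbg",  "malware_download",
    "http://176.65.139.99/wife.arm7", "malware_download",
    "http://176.65.139.99/wife.i686", "malware_download",
    "http://176.65.139.99/wife.mips", "malware_download",
    "http://176.65.139.99/wife.mpsl", "malware_download",
    "http://176.65.139.99/peniss.sh", "malware_download",
    "http://176.65.139.99/wife.i486", "malware_download",
    "http://176.65.139.99/wife.arm5", "malware_download",
    "http://176.65.139.99/wife.m68k", "malware_download",
    "http://176.65.139.99/wife.arm4", "malware_download",
    "http://176.65.139.99/wife.arm6", "malware_download"
];
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DestinationIP == ioc_ip or DestinationHostName == ioc_ip or RequestURL has ioc_ip
// Normalise before comparing: drop any query string and trailing slash, lower-case.
| extend NormalizedUrl = trim_end("/", tolower(tostring(split(RequestURL, "?")[0])))
| join kind=leftouter (ioc_urls | project NormalizedUrl = tolower(Url), Url, Threat) on NormalizedUrl
| extend MatchType = iff(isnotempty(Url), "exact_ioc_url", "ioc_ip_only")
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            DistinctPayloads = dcountif(Url, isnotempty(Url)),
            Payloads = make_set_if(Url, isnotempty(Url), 20),
            Actions = make_set(DeviceAction, 10),
            MatchTypes = make_set(MatchType, 2)
  by SourceIP, SourceHostName
// One host pulling the script or several architecture builds is the dropper at work;
// rank that above a bare contact with the IP, which may be a scan or a blocked attempt.
| extend Priority = case(
    DistinctPayloads >= 2, "P1 multiple payloads fetched, dropper activity",
    DistinctPayloads == 1, "P1 known malware URL fetched",
    "P2 contact with IOC IP, no listed URL")
| order by DistinctPayloads desc, LastSeen desc
```

Read the Actions column together with Priority: a P1 host whose only action is a proxy block still attempted the download and needs a look at what process initiated it, while an allowed download is a live incident.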
False-Positive Scenarios
Before applying any of the scenarios below, keep in mind that 176.65.139.99 is a public address hosting eleven live malware URLs. None of these scenarios is plausible unless your organisation actually owns or contracts a service at that address; confirm that against the asset inventory, WHOIS, and the owning team's own configuration before creating an exclusion, and never exclude a request for one of the eleven listed paths. Note also that neither CommonSecurityLog nor DnsEvents records the initiating process, so the process-name filters below only work in an endpoint table such as DeviceNetworkEvents (Microsoft Defender for Endpoint) or Sysmon network events collected through the Windows or Syslog connectors; in the two tables used on this page, scope exclusions by source IP or hostname.
Scenario: Scheduled System Update Job
Description: A legitimate scheduled job runs a system update that downloads a package from a repository whose configured URL is at 176.65.139.99.
Filter/Exclusion: Do not exclude by download tool (wget, curl) or by generic package-manager process name; a shell-script dropper such as peniss.sh is typically fetched and run with exactly those tools. Exclude only the documented repository URL path for the specific update job (update-manager, yum, apt), and only once the repository's address is confirmed to be this IP.
Scenario: Admin Task for Log Collection
Description: An administrator uses rsyslog or syslog-ng to forward logs to a remote log server, which is configured to use 176.65.139.99 as its destination. (logrotate rotates files locally and does not talk to a log server.)
Filter/Exclusion: Exclude only the known forwarding hosts by source IP or hostname, on the syslog port they actually use; an HTTP GET for a binary does not fit this scenario and should not be excluded.
Scenario: Internal Monitoring Tool Polling
Description: An internal monitoring tool, such as Nagios or Zabbix, polls a server at 176.65.139.99 to check system metrics or service status.
Filter/Exclusion: Exclude traffic from the monitoring pollers by source IP or hostname, or by matching the documented monitoring endpoints (e.g., /check_http, /api/v1/metrics) exactly; a poll that requests wife.* or peniss.sh is not monitoring.
Scenario: CI/CD Pipeline Artifact Download
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) downloads a build artifact from a private repository hosted at 176.65.139.99.
Filter/Exclusion: Exclude the runner hosts by source IP or hostname, or by process name where an endpoint table is available (e.g., java with jenkins.war, gitlab-runner), and by the documented artifact download paths; record the ticket that approved the exclusion and an expiry date so it can be reviewed.
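The scenarios above are easiest to apply, and to audit later, as an explicit allowlist rather than as filters edited into the hunt query. The query below is an added example, not part of the original page, showing that pattern in Sentinel: an allowlist table with owner and expiry per entry, joined to the hunt results, with the rule that a request for one of the eleven listed paths is never suppressed whatever its source. The allowlist entries, their addresses and reasons are placeholders; because CommonSecurityLog carries no process name, scoping is by source IP, as the section above recommends for this table.

```kusto
// Added example (not part of the original page): the documented exclusions as an explicit,
// expiring allowlist. Entries are placeholders; CommonSecurityLog carries no process name,
// so exclusions are scoped by source IP.
let ioc_ip = "176.65.139.99";
// Each entry records who approved it and when it lapses; expired rows stop applying.
let allowlist = datatable(SourceIP:string, Reason:string, Owner:string, Expires:datetime)[
    "10.10.5.20", "gitlab-runner artifact download (placeholder)", "platform-team", datetime(2026-06-30),
    "10.10.7.8",  "Zabbix poller (placeholder)",                   "monitoring",    datetime(2026-06-30)
];
CommonSecurityLog
| where TimeGenerated > ago(30d)   // assumption: adjust to retention
| where DestinationIP == ioc_ip or RequestURL has ioc_ip
| join kind=leftouter (allowlist | where Expires > now()) on SourceIP
// A request for one of the eleven listed payload paths is never allowlisted.
| extend ExactIocUrl = tolower(RequestURL) matches regex
    @"^http://176\.65\.139\.99/(wife\.(dbg|arm[4-7]|i486|i686|mips|mpsl|m68k)|peniss\.sh)$"
| extend Disposition = case(
    ExactIocUrl,        "investigate: exact IOC URL, exclusion does not apply",
    isnotempty(Reason), strcat("allowlisted: ", Reason, " (owner ", Owner, ")"),
    "investigate: IOC IP contact from unapproved source")
| summarize Hits = count(), LastSeen = max(TimeGenerated), Urls = make_set(RequestURL, 10)
  by SourceIP, Disposition
| order by Disposition asc, LastSeen desc
```

Keeping the allowlisted rows in the output rather than dropping them lets the analyst see that an exclusion fired and who owns it; moving the allowlist into a watchlist instead of an inline datatable gives the same result with change history.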