Adversaries may be using the IP 176-65-148-69 to host or distribute malicious payloads at the URLs listed below as part of a campaign to compromise endpoints. SOC teams should proactively hunt for this IP in Azure Sentinel to identify potential command and control or data exfiltration activity early.
IOC Summary
Threat: 176-65-148-69
Total URLs: 11
Active URLs: 11
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.148.69/hiddenbin/Space.arm7 | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.arm5 | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.m68k | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.mips | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.arc | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.ppc | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.arm | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.i686 | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.sh4 | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.mpsl | online | malware_download | 2026-05-26 |
| hxxp://176.65.148.69/hiddenbin/Space.arm6 | online | malware_download | 2026-05-26 |
```kusto
// Hunt for DNS activity involving the URLhaus-listed host
// Threat: 176-65-148-69
// The indicator is a bare IP address, so it will normally show up in the
// resolved addresses (IPAddresses) rather than in the queried name (Name).
// Both columns are checked so the hunt is not silently empty.
let malicious_domains = dynamic(["176.65.148.69"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web/proxy traffic to the URLhaus-listed host
// Threat: 176-65-148-69
// Direct-to-IP downloads (as in the URLs above) carry no hostname, so the
// destination IP is matched in addition to the URL and hostname fields.
let malicious_domains = dynamic(["176.65.148.69"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to download a legitimate software update from a server with the IP 176-65-148-69.
Filter/Exclusion: Exclude URLs containing update.microsoft.com or software.update.microsoft.com in the URL field.
Scenario: A scheduled job in Ansible is configured to fetch configuration files from a private repository hosted on a server with the IP 176-65-148-69.
Filter/Exclusion: Exclude URLs that match the pattern https://private-repo.example.com/config/ or include the hostname private-repo.example.com.
Scenario: A CI/CD pipeline (e.g., Jenkins) is accessing a public artifact repository (e.g., Maven Central) via a proxy server with the IP 176-65-148-69.
Filter/Exclusion: Exclude URLs that start with https://repo1.maven.org/maven2/ or include the domain maven.org.
Scenario: An endpoint protection tool (e.g., CrowdStrike Falcon) is performing a network scan to check for vulnerabilities, and the IP 176-65-148-69 is part of a known internal or trusted network.
Filter/Exclusion: Exclude traffic originating from or destined to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or tagged as internal_network.
Scenario: A log aggregation tool (e.g., ELK Stack) is sending logs to a centralized server with the IP `