The hypothesis is that the detected URLs are associated with the wraith malware, which is used for command and control activities. SOC teams should proactively hunt for these URLs in Azure Sentinel to identify and mitigate potential compromise of endpoints and data exfiltration.
IOC Summary
Threat: wraith
Total URLs: 4
Active URLs: 0
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.188/3bi6zyc9/uvffofq.arm5 | offline | malware_download | 2026-05-23 |
| hxxp://176.65.139.188/3bi6zyc9/nqwseha.arm | offline | malware_download | 2026-05-23 |
| hxxp://176.65.139.188/3bi6zyc9/dgkbspx.arm6 | offline | malware_download | 2026-05-23 |
| hxxp://176.65.139.188/3bi6zyc9/ubonojy.arm7 | offline | malware_download | 2026-05-23 |
```kql
// Hunt for DNS resolution involving the URLhaus-listed wraith infrastructure.
// The IOC is an IP address, so match the resolved addresses as well as the query name.
// Threat: wraith
let malicious_domains = dynamic(["176.65.139.188"]);
DnsEvents
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kql
// Hunt for web traffic to the URLhaus-listed wraith infrastructure.
// DestinationIP is checked too, since proxies and firewalls may log only the IP.
// Threat: wraith
let malicious_domains = dynamic(["176.65.139.188"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains)
    or DestinationHostName has_any (malicious_domains)
    or DestinationIP has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DestinationIP, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is manually testing a new URL shortening service by generating and accessing short URLs for internal documentation.
Filter/Exclusion: Exclude URLs containing the domain internal-docs.example.com or any URL with the query parameter ?test=1.
Scenario: A scheduled job runs a script to fetch and validate internal software updates from a trusted internal repository using a URL that matches the wraith pattern.
Filter/Exclusion: Exclude URLs that include the path /updates/ or originate from the IP range 10.0.0.0/8.
Scenario: A security analyst is using a tool like OSSEC to monitor system logs and generates a test URL to simulate an alert, which is then accessed by the analyst’s workstation.
Filter/Exclusion: Exclude URLs that contain the string test-url or are accessed from the user security_analyst.
Scenario: A DevOps team uses Ansible to automate configuration management and includes a URL to a public CDN for static assets, which is mistakenly flagged as malicious.
Filter/Exclusion: Exclude URLs that start with https://cdn.example.com/ or are part of a known CDN infrastructure.
Scenario: A database administrator uses SQL*Plus to execute scripts that temporarily access a remote database endpoint for backup purposes, which is flagged due to its URL structure.
Filter/Exclusion: Exclude URLs that include the path /backup/ or are accessed from the host db-server.example.com.
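As an added example (not part of the original page or of any Sentinel content), the IOC table, the host-level match the KQL queries key on, and the exclusions from the scenarios above are applied in Python to constructed proxy records. It goes one step beyond the text: an exact match on a listed download URL is always reported, so the broad exclusions (10.0.0.0/8, /updates/, /backup/, cdn.example.com, all taken from the scenarios as example values) only suppress the coarser host-only match.

```python
import ipaddress
from urllib.parse import urlparse
# The four URLhaus IOCs from the table above, kept in their defanged form.
WRAITH_IOCS = [
    "hxxp://176.65.139.188/3bi6zyc9/uvffofq.arm5",
    "hxxp://176.65.139.188/3bi6zyc9/nqwseha.arm",
    "hxxp://176.65.139.188/3bi6zyc9/dgkbspx.arm6",
    "hxxp://176.65.139.188/3bi6zyc9/ubonojy.arm7",
]
# Exclusions lifted from the false-positive scenarios above (example values).
EXCLUDED_SOURCE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXCLUDED_PATH_PARTS = ("/updates/", "/backup/")
EXCLUDED_URL_PREFIXES = ("https://cdn.example.com/",)

def refang(url):
    """Restore the defanged scheme so an IOC compares equal to a logged URL."""
    return url.replace("hxxps://", "https://").replace("hxxp://", "http://")

IOC_URLS = {refang(u) for u in WRAITH_IOCS}
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

def is_excluded(source_ip, url):
    """True when the record falls under one of the documented exclusions."""
    if any(ipaddress.ip_address(source_ip) in net for net in EXCLUDED_SOURCE_NETS):
        return True
    return url.startswith(EXCLUDED_URL_PREFIXES) or any(
        part in urlparse(url).path for part in EXCLUDED_PATH_PARTS)

def classify(source_ip, url):
    """'exact_url': the full IOC matched; never suppressed, since a broad exclusion
    must not hide a known wraith download. 'host_only': only 176.65.139.188 matched
    (what the KQL above keys on); exclusions apply to this coarser match."""
    if url in IOC_URLS:
        return "exact_url"
    if urlparse(url).hostname in IOC_HOSTS and not is_excluded(source_ip, url):
        return "host_only"
    return None

def hunt(records):
    """records: (TimeGenerated, SourceIP, RequestURL) tuples, like CommonSecurityLog rows."""
    return [(ts, ip, url, v) for ts, ip, url in records if (v := classify(ip, url))]

# Constructed sample rows, not real telemetry.
SAMPLE_LOG = [
    ("2026-05-23T10:01:00Z", "192.168.4.20", "http://176.65.139.188/3bi6zyc9/uvffofq.arm5"),
    ("2026-05-23T10:02:00Z", "192.168.4.21", "http://176.65.139.188/other/file.bin"),
    ("2026-05-23T10:03:00Z", "10.3.2.1", "http://176.65.139.188/3bi6zyc9/nqwseha.arm"),
    ("2026-05-23T10:04:00Z", "10.3.2.2", "http://176.65.139.188/updates/check"),
    ("2026-05-23T10:05:00Z", "192.168.4.22", "https://cdn.example.com/static/app.js"),
]
```

Running `hunt(SAMPLE_LOG)` returns three hits: two exact URL matches (one of them from the excluded 10.0.0.0/8 range) and one host-only match; the /updates/ request from 10.3.2.2 is suppressed.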