The hypothesis is that an adversary is using the IP 176-65-139-194 to host or distribute malicious URLs as part of a campaign to compromise endpoints. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential lateral movement or data exfiltration attempts early.
IOC Summary
Threat: 176-65-139-194 Total URLs: 2 Active URLs: 2
| URL | Status | Threat | Date Added |
|---|---|---|---|
hxxp://176.65.139.194/VAL-VIP.exe | online | malware_download | 2026-05-19 |
hxxps://176.65.139.194/VAL-VIP.exe | online | malware_download | 2026-05-19 |
// Hunt for DNS resolution of URLhaus malicious domains
// Threat: 176-65-139-194
let malicious_domains = dynamic(["176.65.139.194"]);
DnsEvents
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc// Hunt for web traffic to URLhaus malicious domains
let malicious_domains = dynamic(["176.65.139.194"]);
CommonSecurityLog
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc| Sentinel Table | Notes |
|---|---|
CommonSecurityLog | Ensure this data connector is enabled |
DnsEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to run a scheduled job that downloads a legitimate software update from a URL associated with the IP 176-65-139-194.
Filter/Exclusion: Check for ProcessName = powershell.exe and CommandLine containing Update-Software or similar known administrative tasks.
Scenario: A Windows Task Scheduler job is configured to fetch a configuration file from a URL tagged with the IP 176-65-139-194 as part of a regular system maintenance routine.
Filter/Exclusion: Filter by ProcessName = schtasks.exe or TaskName matching known maintenance tasks.
Scenario: A Logstash instance is configured to receive logs from a remote server using a URL that resolves to the IP 176-65-139-194.
Filter/Exclusion: Check for ProcessName = logstash.exe and DestinationIP = 176-65-139-194 in the event data.
Scenario: A Docker container is running a service that communicates with an external API hosted on a server with the IP 176-65-139-194 as part of a legitimate integration.
Filter/Exclusion: Filter by ProcessName containing docker and ImageName matching known trusted container images.
Scenario: A SIEM system (e.g., Splunk) is configured to receive alerts from a remote monitoring tool that uses the IP 176-65-139-194 for data ingestion.
Filter/Exclusion: Check for SourceIP =