The detection identifies potential command and control communication from a known malicious IP address associated with multiple malicious URLs, indicating possible adversary persistence or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts leveraging compromised or malicious URLs.
IOC Summary
Threat: 176-65-139-7 Total URLs: 7 Active URLs: 7
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.139.7/hiddenbin/Space.arm | online | malware_download | 2026-05-19 |
| hxxp://176.65.139.7/hiddenbin/Space.arm5 | online | malware_download | 2026-05-19 |
| hxxp://176.65.139.7/hiddenbin/Space.mpsl | online | malware_download | 2026-05-19 |
| hxxp://176.65.139.7/hiddenbin/Space.arm7 | online | malware_download | 2026-05-19 |
| hxxp://176.65.139.7/hiddenbin/Space.spc | online | malware_download | 2026-05-19 |
| hxxp://176.65.139.7/hiddenbin/Space.sh4 | online | malware_download | 2026-05-19 |
| hxxp://176.65.139.7/hiddenbin/Space.arc | online | malware_download | 2026-05-19 |
The two hunting queries below are independent; run each on its own, since a single KQL query cannot declare the same `let` name twice. The indicator is an IP address rather than a hostname, so the DnsEvents hunt also matches on the resolved `IPAddresses` column, not only on the queried `Name`.

```kusto
// Hunt for DNS activity involving the URLhaus-listed host
// Threat: 176-65-139-7
let malicious_domains = dynamic(["176.65.139.7"]);
DnsEvents
// Match either a lookup name containing the indicator or a response that resolved to it
| where Name has_any (malicious_domains) or IPAddresses has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses
| order by TimeGenerated desc
```

```kusto
// Hunt for web traffic to the URLhaus-listed host
// Threat: 176-65-139-7
let malicious_domains = dynamic(["176.65.139.7"]);
CommonSecurityLog
// Match the indicator in either the requested URL or the destination host
| where RequestURL has_any (malicious_domains) or DestinationHostName has_any (malicious_domains)
| project TimeGenerated, SourceIP, RequestURL, DestinationHostName, DeviceAction
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DnsEvents | Ensure this data connector is enabled |
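The web-traffic hunt above relies on two things that are easy to get wrong when IOCs are copied by hand: refanging the `hxxp://` rows into matchable URLs, and deciding whether an event is an exact hit on a listed URL or only a contact with the listed host. The following is an added example, not part of the URLhaus data or the Sentinel content on this page. It takes the seven IOC rows from the table, derives the host list for the KQL `dynamic([...])` literal, and runs the same matching logic offline over constructed CommonSecurityLog-style records, with an allowlist of source addresses that stands in for the exclusions described in the false-positive scenarios. Every log record and source address in it is constructed; only the IOC rows come from the page.

```python
"""Offline hunt for the URLhaus IOCs listed on this page, run over constructed
CommonSecurityLog-style records. Added example: the hxxp:// rows come from the
IOC table above; all events and source addresses below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# IOC rows copied from the URLhaus summary (defanged hxxp:// form)
URLHAUS_IOCS = [
    "hxxp://176.65.139.7/hiddenbin/Space.arm",
    "hxxp://176.65.139.7/hiddenbin/Space.arm5",
    "hxxp://176.65.139.7/hiddenbin/Space.mpsl",
    "hxxp://176.65.139.7/hiddenbin/Space.arm7",
    "hxxp://176.65.139.7/hiddenbin/Space.spc",
    "hxxp://176.65.139.7/hiddenbin/Space.sh4",
    "hxxp://176.65.139.7/hiddenbin/Space.arc",
]


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a matchable URL."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def extract_host(url: str) -> str:
    """Host part of an http(s) URL, without scheme, port, path or query."""
    m = re.match(r"^https?://([^/:?#]+)", url, flags=re.IGNORECASE)
    return m.group(1).lower() if m else ""


def build_indicators(iocs: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Return (hosts, urls): hosts for coarse matching, full URLs for exact hits."""
    urls = {refang(u) for u in iocs}
    hosts = {extract_host(u) for u in urls} - {""}
    return hosts, urls


def kql_dynamic_list(values: Iterable[str]) -> str:
    """Render a KQL dynamic([...]) literal for use in a let statement."""
    quoted = ", ".join('"' + v.replace('"', '\\"') + '"' for v in sorted(set(values)))
    return "dynamic([" + quoted + "])"


@dataclass
class Hit:
    source_ip: str
    request_url: str
    reason: str          # "url_match" = exact listed URL, "host_match" = listed host only
    device_action: str


def hunt(events: Iterable[dict], iocs: Iterable[str],
         allow_sources: Set[str] = frozenset()) -> List[Hit]:
    """Flag events whose RequestURL or DestinationHostName touches an IOC.

    allow_sources plays the role of the false-positive exclusions: source
    addresses of hosts expected to contact the indicator (sandboxes, update jobs).
    """
    hosts, urls = build_indicators(iocs)
    hits: List[Hit] = []
    for ev in events:
        if ev.get("SourceIP") in allow_sources:
            continue
        req = ev.get("RequestURL", "")
        dst = (ev.get("DestinationHostName") or "").lower()
        if req in urls:
            reason = "url_match"            # exact payload URL from the IOC list
        elif extract_host(req) in hosts or dst in hosts:
            reason = "host_match"           # same host, different path: still worth triage
        else:
            continue
        hits.append(Hit(ev.get("SourceIP", ""), req, reason, ev.get("DeviceAction", "")))
    return hits


# Constructed CommonSecurityLog-style records (hypothetical internal addresses)
SAMPLE_EVENTS = [
    {"SourceIP": "10.0.0.5", "RequestURL": "http://176.65.139.7/hiddenbin/Space.arm",
     "DestinationHostName": "176.65.139.7", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.9", "RequestURL": "http://176.65.139.7/other",
     "DestinationHostName": "176.65.139.7", "DeviceAction": "block"},
    {"SourceIP": "10.0.0.20", "RequestURL": "https://update.example.internal/x",
     "DestinationHostName": "update.example.internal", "DeviceAction": "allow"},
    {"SourceIP": "10.0.0.77", "RequestURL": "http://176.65.139.7/hiddenbin/Space.sh4",
     "DestinationHostName": "176.65.139.7", "DeviceAction": "allow"},  # 10.0.0.77 = sandbox host
]

if __name__ == "__main__":
    hosts, _ = build_indicators(URLHAUS_IOCS)
    print("let malicious_domains = " + kql_dynamic_list(hosts) + ";")
    for h in hunt(SAMPLE_EVENTS, URLHAUS_IOCS, allow_sources={"10.0.0.77"}):
        print(h)
```

The Python matching is exact string and host comparison, whereas KQL `has_any` is term based; the two agree on the IP-address indicator used here, but the script is meant for staging and validating the IOC list, not as a replacement for the Sentinel query. Distinguishing `url_match` from `host_match` lets an analyst prioritise an exact download of a listed payload over generic contact with the host.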
Scenario: Legitimate system update job using a known IP
Description: A scheduled system update job (e.g., Windows Server Update Services or Ansible playbook) uses the IP 176-65-139-7 to fetch updates from a trusted source.
Filter/Exclusion: Exclude traffic from known update servers or apply a filter for destination_ip = 176-65-139-7 and process_name = "wuauclt.exe" or process_name = "ansible".
Scenario: Internal DNS resolution using a public DNS server
Description: An internal DNS query (e.g., from a DNS server like Microsoft DNS or Unbound) resolves a domain using the IP 176-65-139-7, which is a public DNS resolver (e.g., Cloudflare 1.1.1.1).
Filter/Exclusion: Exclude DNS queries to known public DNS servers using destination_ip = 176-65-139-7 and process_name = "dnscmd.exe" or process_name = "unbound-control".
Scenario: Malware analysis tool accessing a sandboxed environment
Description: A malware analysis tool like Cuckoo Sandbox or Joe Sandbox connects to a sandboxed environment hosted on the IP 176-65-139-7 for dynamic analysis.
Filter/Exclusion: Exclude traffic from known sandboxing tools using process_name = "cuckoo" or process_name = "joebox" and destination_ip = 176-65-139-7.
Scenario: Legitimate remote management tool using the IP
Description: A remote management tool like Microsoft Remote Desktop or TeamViewer uses the IP