The hypothesis is that an adversary is using the IP address 176.65.149.239 (URLhaus threat 176-65-149-239) to host and distribute malicious executables as part of a campaign to compromise endpoints. A SOC team should proactively hunt in Azure Sentinel (now Microsoft Sentinel) for connections to this address and downloads of the listed payloads, so that hosts which fetched them can be identified and any follow-on activity, such as lateral movement or data exfiltration, can be contained before it succeeds.
IOC Summary
Threat: 176-65-149-239 (IP address 176.65.149.239)
Total URLs: 5
Active URLs: 5
| URL | Status | Threat | Date Added |
|---|---|---|---|
| hxxp://176.65.149.239/mitty-project_void.exe | online | malware_download | 2026-05-19 |
| hxxp://176.65.149.239/teste.exe | online | malware_download | 2026-05-19 |
| hxxp://176.65.149.239/javaws.exe | online | malware_download | 2026-05-19 |
| hxxp://176.65.149.239/bps.exe | online | malware_download | 2026-05-19 |
| hxxp://176.65.149.239/chrome_decrypt.dll | online | malware_download | 2026-05-19 |
```kusto
// Hunt for DNS answers that resolve to the URLhaus IP
// Threat: 176-65-149-239
// Caveat: the listed URLs use the bare IP, so a host fetching them issues no
// forward DNS query for it. Matching the IP against the query Name (as a domain)
// would never hit; instead match it in the resolved answers (IPAddresses), which
// catches domains that resolve to the same address, and match the reverse-lookup
// name in case a host or tool performs a PTR query on the IP.
let malicious_ip = "176.65.149.239";
let malicious_ptr = "239.149.65.176.in-addr.arpa";
DnsEvents
| where IPAddresses has malicious_ip or Name has malicious_ptr
| project TimeGenerated, Computer, ClientIP, Name, IPAddresses
| order by TimeGenerated desc
```
```kusto
// Hunt for web/firewall traffic to the URLhaus IP
// RequestURL is only populated by devices that log URLs (typically web proxies);
// firewalls forwarding CEF will usually only carry DestinationIP, so match on it too.
let malicious_ip = "176.65.149.239";
CommonSecurityLog
| where DestinationIP == malicious_ip
    or DestinationHostName == malicious_ip
    or RequestURL has malicious_ip
| project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, DeviceAction, DeviceVendor, DeviceProduct
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled; the table is fed by CEF-forwarding devices (proxies, firewalls), and RequestURL is only present for devices that log URLs |
| DnsEvents | Ensure this data connector (DNS Analytics) is enabled; without it the DNS query returns nothing rather than "no hits" |
Scenario: Legitimate scheduled job using PowerShell for system maintenance
Description: A scheduled PowerShell script runs daily to clean temporary files and logs and, as part of that, fetches a file from a URL that is mistakenly flagged as malicious.
Filter/Exclusion: Exclude only the exact, verified URL the script fetches, scoped to the source hosts that run the job. Do not exclude on strings such as powershell.exe or C:\Windows\Temp\ appearing in a request URL: those are local paths, not URL components, and a web request that does carry them is suspicious in its own right, so such an exclusion would hide a malicious download rather than a benign one.
Scenario: Admin task using curl to fetch internal documentation
Description: A system administrator uses curl to fetch internal documentation from a server whose address falls in the same block as the malicious IP. This can only occur if the hunt is widened from the exact address 176.65.149.239 to a surrounding range; the address itself is public and cannot belong to an internal host.
Filter/Exclusion: Keep the match on the exact IP. If the hunt is widened to a range, exclude requests whose destination is in the internal networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or filter by the documentation server's hostname. Note that excluding by source network would suppress everything, since all endpoint traffic originates from the internal network.
Scenario: Automated backup process uploading to a remote server over HTTP
Description: A backup job pushes archives over HTTP (using an HTTP-capable upload tool; rsync itself does not run over HTTP) to a remote server that shares the flagged IP address, as happens with shared hosting, and the request is falsely flagged.
Filter/Exclusion: Filter by the source IP of the backup server combined with the exact destination URL it is approved to use. Excluding on backup or rsync appearing in the request path is too broad: the attacker controls the path names on their own server.
Scenario: Internal tool for monitoring system health using curl
Description: An internal monitoring tool (e.g., Prometheus or Zabbix) periodically polls the status of services, and one of the polled endpoints resolves to, or is fronted by, the flagged address.
Filter/Exclusion: Filter by the source IP of the monitoring host combined with the exact endpoint paths it polls (e.g., /api/v1/metrics, /status). A path-only exclusion would also suppress a malicious download served from the same paths on the attacker's host.
Scenario: User-generated report using wget to download a PDF from an internal share
**Description
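As an added example that is not part of the original hunt, the query below folds the exclusion strategy from the scenarios above into the hunt itself: it matches the exact IP across CommonSecurityLog and DnsEvents, flags requests for the five listed payload paths so they sort to the top, and suppresses only approved (source IP, exact URL) pairs with a leftanti join instead of excluding on path substrings. The approved_fetches rows (10.20.30.40, 10.20.30.50 and the URLs beside them) are hypothetical placeholders to be replaced with the organization's verified hosts; the payload paths and the IP come from the IOC table on this page.

```kusto
// Added example, not from the original hunt page.
// Combined hunt for URLhaus threat 176-65-149-239 with narrowly scoped exclusions.
let ioc_ip = "176.65.149.239";
// Payload paths from the IOC table above; a hit on one of these is high confidence.
let ioc_paths = dynamic([
    "/mitty-project_void.exe", "/teste.exe", "/javaws.exe", "/bps.exe", "/chrome_decrypt.dll"]);
// Hypothetical allowlist: reviewed (source host, exact URL) pairs the SOC has
// verified as benign. Both columns must match for a row to be suppressed.
let approved_fetches = datatable(SourceIP:string, RequestURL:string) [
    "10.20.30.40", "http://176.65.149.239/status",   // assumed monitoring poller
    "10.20.30.50", "http://176.65.149.239/backup/"   // assumed backup server
];
// Proxy/firewall traffic to the IP, with known payload requests flagged.
let web_hits = CommonSecurityLog
    | where DestinationIP == ioc_ip
        or DestinationHostName == ioc_ip
        or RequestURL has ioc_ip
    | extend UrlPath = tostring(parse_url(RequestURL).Path)
    | extend KnownPayload = set_has_element(ioc_paths, UrlPath)
    // leftanti keeps only rows with NO matching (SourceIP, RequestURL) in the allowlist
    | join kind=leftanti approved_fetches on SourceIP, RequestURL
    | project TimeGenerated, SourceIP, DestinationIP, RequestURL, UrlPath, KnownPayload,
              DeviceAction, Source = "CommonSecurityLog";
// Domains that resolved to the IP (the bare-IP URLs themselves trigger no lookup).
let dns_hits = DnsEvents
    | where IPAddresses has ioc_ip
    | project TimeGenerated, SourceIP = ClientIP, DestinationIP = ioc_ip, RequestURL = Name,
              UrlPath = "", KnownPayload = false, DeviceAction = "", Source = "DnsEvents";
union web_hits, dns_hits
| order by KnownPayload desc, TimeGenerated desc
```

The allowlist is keyed on the full request URL on purpose: if a source host is approved to fetch one URL on the shared IP, that approval should not extend to the attacker's executables on the same host, which the substring-based exclusions in the scenarios above would have allowed through.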