Summary (Bottom Line Up Front)
Russia-based host 31.173.123.226 conducted sustained SMBv1 reconnaissance against network infrastructure over a 20-day period from February 16 to March 8, 2026, generating nearly 5,000 connection attempts. This activity represents HIGH-confidence reconnaissance operations likely preceding more aggressive SMB-based attacks such as EternalBlue exploitation. Immediate blocking and enhanced SMB monitoring are recommended.
Activity Timeline
INITIAL REPORT 2026-03-21T12:42:30Z
Source: Analyst Manual Entry
Russia-based host 31.173.123.226 conducted sustained SMBv1 reconnaissance against network infrastructure over a 20-day period from February 16 to March 8, 2026, generating nearly 5,000 connection attempts. This activity represents HIGH-confidence reconnaissance operations likely preceding more aggressive SMB-based attacks such as EternalBlue exploitation. Immediate blocking and enhanced SMB monitoring are recommended.
Technical details
- Source: 31.173.123.226 (AS31224 PJSC MegaFon, Russia)
- Attack Volume: 4,889 events over a 20-day period (Feb 16 - Mar 8, 2026)
- Protocols: SMBv1 connections targeting port 445
- MITRE Technique: T1135 (Network Share Discovery)
- Kill Chain Phase: Reconnaissance
- Primary Indicators: Persistent SMBv1 usage patterns indicating systematic enumeration of network shares and vulnerable systems
- Assessment: Botnet-associated infrastructure with evolving attack capabilities
IOCs
- IP: 31.173.123.226
- ASN: 31224
- Country: RU
Recommendations
- Block source IP 31.173.123.226 and monitor for additional IPs from AS31224 exhibiting similar SMB scanning behavior
- Disable SMBv1 protocol across all network infrastructure and audit systems for legacy SMB dependencies
- Implement enhanced monitoring for SMB connection attempts, particularly focusing on authentication failures and protocol negotiation anomalies
- Deploy network segmentation controls to limit SMB traffic to authorized business requirements only
- Conduct proactive threat hunting for EternalBlue exploitation attempts and other SMB-based attack vectors following this reconnaissance activity
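The technical details above describe the pattern that should be alertable (one external source, many tcp/445 connection attempts, spread across days and hosts, mostly failed handshakes), and the monitoring recommendation asks for exactly that kind of detection. The following is an added example, not part of the original report or any vendor tooling: it parses constructed Zeek-style conn.log lines (a simplified, assumed six-column layout of ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state; the timestamps and internal addresses are made up), aggregates SMB attempts per source, matches the report's IOC, and flags sources whose SMB activity is sustained across multiple days and targets. Thresholds are illustrative and should be tuned to the environment.

```python
"""Hunt for sustained SMB (tcp/445) connection attempts per source IP.

Added example for the report above; not the report's own tooling.
Input is an assumed, simplified Zeek conn.log-style TSV with columns:
ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real telemetry). Epoch 1771200000 is
# 2026-02-16T00:00:00Z, the first day of the reported activity window.
SAMPLE_LOG = """\
1771200000.0\t31.173.123.226\t10.0.0.5\t445\ttcp\tS0
1771200060.0\t31.173.123.226\t10.0.0.6\t445\ttcp\tREJ
1771286400.0\t31.173.123.226\t10.0.0.7\t445\ttcp\tS0
1771372800.0\t31.173.123.226\t10.0.0.8\t445\ttcp\tS0
1771372900.0\t31.173.123.226\t10.0.0.9\t445\ttcp\tS0
1771372950.0\t192.0.2.10\t10.0.0.5\t445\ttcp\tSF
1771373000.0\t192.0.2.10\t10.0.0.5\t443\ttcp\tSF
"""

# IOC from the report.
BLOCKLIST = {"31.173.123.226"}

# Zeek conn_state values that mean the TCP handshake never completed or was
# refused/reset; a source producing mostly these on tcp/445 is scanning, not
# using a file share.
SCAN_LIKE_STATES = {"S0", "REJ", "RSTO", "RSTOS0"}


def parse_conn_log(text):
    """Parse the simplified TSV into a list of dicts; skips blank/comment lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, proto, state = line.split("\t")
        records.append({
            "ts": datetime.fromtimestamp(float(ts), tz=timezone.utc),
            "src": orig_h,
            "dst": resp_h,
            "dport": int(resp_p),
            "proto": proto,
            "state": state,
        })
    return records


def summarize_smb_sources(records):
    """Per source IP: tcp/445 attempt count, distinct days, distinct targets, failed handshakes."""
    stats = defaultdict(lambda: {"events": 0, "days": set(), "targets": set(), "failed": 0})
    for r in records:
        if r["proto"] != "tcp" or r["dport"] != 445:
            continue
        s = stats[r["src"]]
        s["events"] += 1
        s["days"].add(r["ts"].date())
        s["targets"].add(r["dst"])
        if r["state"] in SCAN_LIKE_STATES:
            s["failed"] += 1
    return stats


def flag_scanners(stats, min_events=3, min_days=2, min_targets=3):
    """Return {source: [reasons]} for sources matching the IOC list or showing
    sustained SMB probing across several days and several target hosts."""
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if src in BLOCKLIST:
            reasons.append("ioc-match")
        if (s["events"] >= min_events
                and len(s["days"]) >= min_days
                and len(s["targets"]) >= min_targets):
            reasons.append("sustained-smb-scan")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    stats = summarize_smb_sources(parse_conn_log(SAMPLE_LOG))
    for src, reasons in flag_scanners(stats).items():
        s = stats[src]
        print(f"{src}: {', '.join(reasons)} | events={s['events']} "
              f"days={len(s['days'])} targets={len(s['targets'])} failed={s['failed']}")
```

On the constructed input the Russian source is flagged on both the IOC match and the behavioural rule (5 attempts over 3 days against 5 hosts, all without a completed handshake), while the second source, which completed a single SMB session to one host, is not. Running the behavioural rule alongside the IOC match is what makes the recommendation to watch for other AS31224 hosts "exhibiting similar SMB scanning behavior" actionable: those hosts would not match the blocklist but would match the pattern.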