Summary (Bottom Line Up Front)
Russian-origin IP address 89.109.8.38 conducted SMBv1 protocol negotiation attempts against non-standard TCP port 9001 on February 26, 2026 at 17:00 hours. This reconnaissance activity presents a medium risk because of SMBv1's well-known protocol weaknesses and its potential use for lateral movement. Network defenders should immediately audit SMB configurations and block inbound connections to non-standard SMB ports.
Activity Timeline
INITIAL REPORT 2026-03-26T16:17:48Z
Source: Analyst Manual Entry
Russian-origin IP address 89.109.8.38 conducted SMBv1 protocol negotiation attempts against non-standard port 9001 on February 26, 2026 at 17:00 hours. This reconnaissance activity presents medium risk due to SMBv1's inherent vulnerabilities and potential for lateral movement exploitation. Network defenders should immediately audit SMB configurations and implement port-based blocking for non-standard SMB services.
Technical details
Attack Vector: SMBv1 protocol negotiation targeting TCP port 9001, indicating reconnaissance for misconfigured or tunneled SMB services. The attacker initiated 24 connection attempts over a 4-minute window, probing legacy SMB dialects including "LANMAN1.0", "LM1.2X002", and "NT LANMAN 1.0".
MITRE Mapping: T1021.002 (Remote Services: SMB/Windows Admin Shares) during reconnaissance phase. The activity originated from Rostelecom ASN AS12389 with no current reputation indicators.
IOCs: Source IP 89.109.8.38, targeting non-standard SMB port 9001/TCP with legacy protocol negotiation strings. Payload analysis reveals standard SMBv1 session request headers with multiple dialect options.
IOCs
IP: 89.109.8.38
ASN: 12389
COUNTRY: RU
Recommendations
- Block inbound connections to non-standard SMB ports (anything other than 445/TCP) at network perimeter
- Audit internal systems for SMBv1 protocol usage and disable where operationally feasible
- Implement network segmentation to prevent lateral SMB-based movement between critical assets
- Monitor for SMBv1 traffic on unusual ports using network detection capabilities
- Consider blocking traffic from Rostelecom ASN AS12389 if no legitimate business requirements exist
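The following is an added detection example, not part of the original report or any vendor's tooling. It implements the monitoring recommendation above: it parses NetBIOS-framed SMBv1 Negotiate Protocol Requests (the MS-CIFS wire format) out of captured TCP payloads, extracts the offered dialect strings, and flags sources that send them to ports other than 139/445, reporting the burst size per source. The set of ports treated as standard, the set of dialects treated as legacy (the three named in the technical details), and the burst threshold are illustrative assumptions, and the sample connection records (24 probes over four minutes to 9001/TCP, plus benign traffic) are constructed to mirror the reported activity.

```python
"""Detect SMBv1 Negotiate Protocol Requests aimed at non-standard ports.

Added example, not from the original report. Assumptions: payloads carry
NetBIOS-session-framed SMB1 as specified in MS-CIFS; STANDARD_SMB_PORTS,
LEGACY_DIALECTS and the burst threshold are illustrative choices.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
STANDARD_SMB_PORTS = {139, 445}                                  # assumption: expected SMB ports
LEGACY_DIALECTS = {"LANMAN1.0", "LM1.2X002", "NT LANMAN 1.0"}    # dialects named in the report


def parse_smb1_negotiate(payload: bytes):
    """Return the dialect strings offered in an SMB1 Negotiate request, or None
    if the payload is not a well-formed NetBIOS-framed SMB1 Negotiate request."""
    if len(payload) < 4 + 32 + 1 + 2 or payload[0] != 0x00:      # NetBIOS session message type 0
        return None
    nb_len = int.from_bytes(payload[1:4], "big")                 # 3-byte big-endian length
    smb = payload[4:4 + nb_len]
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if smb[32] != 0:                                             # WordCount must be 0 for Negotiate
        return None
    byte_count = struct.unpack_from("<H", smb, 33)[0]
    data = smb[35:35 + byte_count]
    if len(data) != byte_count:
        return None
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:                                    # each entry: BufferFormat 0x02 + NUL-terminated string
            return None
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            return None
        dialects.append(data[pos + 1:end].decode("ascii", errors="replace"))
        pos = end + 1
    return dialects


def constructed_negotiate_capture(dialects) -> bytes:
    """Constructed test fixture: a NetBIOS-framed SMB1 Negotiate request with all
    status/flag/id header fields zeroed. Used only to exercise the parser."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27   # 32-byte SMB header
    body = header + b"\x00" + struct.pack("<H", len(data)) + data    # WordCount=0, ByteCount, dialects
    return b"\x00" + len(body).to_bytes(3, "big") + body


@dataclass
class ConnRecord:
    ts: datetime
    src_ip: str
    dst_port: int
    payload: bytes


def analyse(records, window=timedelta(minutes=5), burst_threshold=10):
    """Group SMB1 Negotiate requests to non-standard ports by source and report
    attempt count, largest burst inside `window`, and legacy dialects offered."""
    per_src = {}
    for r in records:
        dialects = parse_smb1_negotiate(r.payload)
        if dialects is None or r.dst_port in STANDARD_SMB_PORTS:
            continue
        f = per_src.setdefault(r.src_ip, {"ports": set(), "dialects": set(), "times": []})
        f["ports"].add(r.dst_port)
        f["dialects"].update(dialects)
        f["times"].append(r.ts)
    findings = {}
    for src, f in per_src.items():
        times = sorted(f["times"])
        best, lo = 0, 0                                          # two-pointer sweep for max attempts per window
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        findings[src] = {
            "ports": sorted(f["ports"]),
            "attempts": len(times),
            "max_in_window": best,
            "legacy_dialects": sorted(f["dialects"] & LEGACY_DIALECTS),
            "severity": "medium" if best >= burst_threshold else "low",   # assumption: simple burst rule
        }
    return findings


def constructed_records():
    """Constructed sample: 24 probes over 4 minutes to 9001/TCP, plus benign traffic."""
    t0 = datetime(2026, 2, 26, 17, 0, tzinfo=timezone.utc)
    probe = constructed_negotiate_capture(
        ["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002", "NT LANMAN 1.0", "NT LM 0.12"])
    records = [ConnRecord(t0 + timedelta(seconds=10 * i), "89.109.8.38", 9001, probe) for i in range(24)]
    records.append(ConnRecord(t0, "10.0.0.5", 445, probe))                       # standard port: not flagged
    records.append(ConnRecord(t0, "10.0.0.6", 9001, b"GET / HTTP/1.1\r\n\r\n"))  # not SMB: ignored
    return records


if __name__ == "__main__":
    for src, finding in analyse(constructed_records()).items():
        print(src, finding)
```

Running the script on the constructed records yields a single finding for 89.109.8.38 with 24 attempts to port 9001, all inside one five-minute window, and the three legacy dialects listed; the same request to 445/TCP and the non-SMB payload produce nothing. In a real deployment the records would come from a sensor or packet capture, and the parser should be paired with a rule that alerts on any SMB1 Negotiate at all, since SMBv1 should not be present on the network regardless of port.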