Confidence Level

58%

Medium?

Geolocation

🇳🇴

NorwaySandefjord

ISPGigahost AS

ASNAS56655

NetworkTor Exit Node

Activity Timeline

First seenFeb 28, 2026, 06:47 PM

Last seen3h ago

7Sessions

7Events

Protocol Breakdown

SMB

5 / 5

SSH

2 / 2

194.32.107.231 has a moderate threat confidence level of 58%, originating from Sandefjord, Norway, on the Gigahost AS network (56655), This IP is a known Tor exit node. It has been observed across 7 sessions targeting SMB, SSH, with detected attack patterns including smb authenticated rpc service and account enumeration, First observed on February 28, 2026, most recently active March 10, 2026.

Behaviors

Classified behavioral patterns observed

Smb Authenticated Rpc Service And Account Enumeration

high1x

Identifies an SMB session where the IPC$ share is accessed and RPC bindings are established to the SAMR and SRVSVC interfaces via named pipes. The combination of IPC$ access, SAMR RPC binding (Security Account Manager Remote), and SRVSVC pipe interaction indicates authenticated enumeration of user accounts, groups, shares, or service information on a Windows host. This behavior reflects structured post-authentication reconnaissance against Windows systems rather than unauthenticated share scanning.

Primitives

Individual actions observed

Smb Ipc Share Access4 Smb Empty Rpc Call3 Smb Root Read2 Smb Srvsvc Rpc Bind2 Smb Netlogon Share Access2 Smb Samr Rpc Bind1 Smb Srvsvc Pipe Open1 Smb Data Share Access1

Related Threats

Explore related threat intelligence

🇳🇴More threats fromNorway ASMore threats fromGigahost AS SMBMore threats targetingSMB SSHMore threats targetingSSH { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
185.40.4.81	94%	107
195.0.131.104	25%	43
88.94.34.15	31%	63
185.12.59.117	80%	4,177
148.135.195.202	81%	4