In this article we analyze the downloader script of an Agent Tesla malware sample. The downloader artifact contacts the malicious C&C IP address 198.55.98[.]29 to retrieve the VXVXH6.zip archive.
The IP address in question is currently offline; while it was active it had the following open ports and services: 21 (FTP), 80 (HTTP), 136 (DCE-RPC), 137 and 139 (NetBIOS), 443 (HTTPS), 445 (SMB), 3306 (MySQL), 3389 (RDP), 5985 (WinRM) and 47001 (HTTP). The FTP service could be used by the attackers to exfiltrate stolen files, information and data to the C&C host, or to stage the artifact and then deliver it. The web application stack consists of XAMPP, Apache HTTP Server and PHP. The C&C IP address is registered to KPRONET KPROHOST in the USA (other OSINT sources also list the UK and the Netherlands as registration countries).
The SMB server hosted on the C&C IP address was started on 13 August 2025. The IP address is also linked to other Trojan threats, infostealers and clipboard loggers such as Formbook and Agent Tesla; the resolved malicious domains associated with the highlighted IP address follow.
The host also presents self-signed certificates related to AnyDesk. The debugging context of the JS downloader script, as it was executed, is shown below:
IOCs:
- SHA-256: 97c901192ffae83c2ef241c0f1f2552d258eaa616f0786b4e3edfef1d4245d57
- SHA-1: 6eea3f1bb27a38654fbbe815114286535878dd64
- MD5: 41cac26f6bbbfc40b2e88c5b1f3950ee
- C&C IP address: 198.55.98[.]29
- Archive: VXVXH6
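The following script is an added defender-side example, not code from the article or from the analyzed sample: it takes the IOCs listed above and (a) hashes a file's contents and checks all three digests against the known-bad set, and (b) searches proxy or firewall log lines for the C&C IP address (matched as a whole token, so a near-miss such as 198.55.98.291 is not flagged) and for the VXVXH6.zip archive name. The IP is kept in its defanged form in the source and refanged only in memory. The sample log lines are constructed for the demonstration and are not real traffic; the log format itself is assumed and is not parsed, only searched.

```python
import hashlib
import re

# Indicators as published in the article above. The IP is kept defanged in this file
# and refanged only in memory so the script itself never carries a live indicator.
IOC_HASHES = {
    "97c901192ffae83c2ef241c0f1f2552d258eaa616f0786b4e3edfef1d4245d57": "sha256",
    "6eea3f1bb27a38654fbbe815114286535878dd64": "sha1",
    "41cac26f6bbbfc40b2e88c5b1f3950ee": "md5",
}
IOC_IP_DEFANGED = "198.55.98[.]29"
IOC_ARCHIVE = "VXVXH6.zip"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("198.55.98[.]29", "hxxp://") back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_IP = refang(IOC_IP_DEFANGED)

# Match the C&C IP only as a whole token: no digit or dot before it and no digit after it,
# so 198.55.98.29 does not also hit 198.55.98.291 or 10.198.55.98.29.
_IP_RE = re.compile(r"(?<![\d.])" + re.escape(IOC_IP) + r"(?!\d)")


def file_hashes(data: bytes) -> dict:
    """Compute the three digest types that appear in the IOC list for one file's contents."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_file(data: bytes, ioc_hashes: dict = IOC_HASHES) -> list:
    """Return the digest types under which `data` matches a known-bad hash (empty list = clean)."""
    return [algo for algo, digest in file_hashes(data).items()
            if ioc_hashes.get(digest) == algo]


def scan_log_lines(lines) -> list:
    """Return [(line_no, [reasons])] for lines that reference the C&C IP or the archive name.

    `lines` is any iterable of log lines (proxy, firewall, Zeek http.log ...); the format is
    not parsed, only searched, so the same check works across exports.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        reasons = []
        if _IP_RE.search(line):
            reasons.append("c2-ip")
        if IOC_ARCHIVE.lower() in line.lower():
            reasons.append("archive")
        if reasons:
            hits.append((line_no, reasons))
    return hits


# Constructed sample proxy log (not real traffic), written defanged and refanged on load:
# one download of the archive, one unrelated request, one FTP CONNECT to the C&C host
# (the article notes port 21 was open there), and one near-miss IP that must not match.
SAMPLE_PROXY_LOG = [refang(line) for line in [
    "2025-08-20T10:01:02Z 10.0.0.15 GET hxxp://198.55.98[.]29/VXVXH6.zip 200 523112",
    "2025-08-20T10:01:05Z 10.0.0.22 GET hxxp://example.com/index.html 200 1843",
    "2025-08-20T10:02:11Z 10.0.0.15 CONNECT 198.55.98[.]29:21 - -",
    "2025-08-20T10:03:00Z 10.0.0.40 GET hxxp://198.55.98[.]291/ 404 0",
]]

if __name__ == "__main__":
    for line_no, reasons in scan_log_lines(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {', '.join(reasons)} -> {SAMPLE_PROXY_LOG[line_no - 1]}")
    # Hash check on placeholder bytes; a real run would read the suspect file with open(path, "rb").
    print("hash match:", match_file(b"placeholder, not the real archive") or "none")
```

`match_file` requires the digest type to agree with the IOC entry (an MD5 string is never compared against the SHA-1 entry), and `scan_log_lines` reports both reasons on a line that contains the IP and the archive name, which is the download itself. Lines that hit only the IP, such as the FTP CONNECT, are worth triaging separately since the article notes FTP on that host as a likely exfiltration or staging channel.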