SafeMode - Analysis: www.imtoken.bot

Visual Capture

Detection Info

https://www.imtoken.bot/

Detected Brand

imToken

Country

International

Confidence

100%

HTTP Status

200

Report ID

636fb6d3-af4…

Analyzed

2026-02-03 23:43

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T151A3D512B390713AC156B0A298EFDE08B675415C93DA9818766DC1E99FB087C8B3FDDC
CONTENT ssdeep	3072:KwngiVX0VAFYS6RLC8O0G79Z3wKz3bjOvD++z/HC2fnU:KwngiVEVAV6RLC8E79Z3wKz3bjOvDT/8

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	ece943929231e1ed
VISUAL aHash	fffffbffff000000
VISUAL dHash	0b2312372452f0d4
VISUAL wHash	edffc3dfdf000000
VISUAL colorHash	070020001c0
VISUAL cropResistant	0b29061317372643,0830320809c48609,82924cb292969680,0012e040c4d4d4d4

Code Analysis

Risk Score 100/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Phishing
• Target: imToken users
• Method: Domain spoofing, form submission to a suspicious domain
• Exfil: Form data likely being sent to a third party.
• Indicators: Domain mismatch, obfuscation, suspicious form action.
• Risk: HIGH

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
document.write
hex_escape
unicode_escape
base64_strings

🎯 Kit Endpoints

https://www.imtoken.bot/scripts/analysis.js
https://beacon-v2.helpscout.net/static/js/vendor.0c72b11a.js
/blog

📡 API Calls Detected

https://www.google.com/ccm/geo
text/html
POST

📤 Form Action Targets

https://d0a5ba0b.sibforms.com/serve/MUIEAEz3dQk0fDrweVnmTpQQbZ2rw7qQ0gwoG6uu7cmDs0Qbh-IH9n_9vnkOQcAbKkvvwJN3s6pdlocND15cgu8iWZpPKmLHrRotNy0Y7OWZCbE6s_ufjQdZ1gF97q8wMCufNErgiw-O2ZXG15IuswkxLv9-ibQzyNEr6vAKCXMI0DSy_0nRpnTgnUV27alZPD76WvkNNHW5Ylmh

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain is a clear indicator of malicious intent.

Form Submission

Form is designed to harvest information to a malicious domain.

Obfuscation

Javascript Obfuscation detected, increases the likelyhood of malicious behaviour.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

imToken users (International)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

HTTP POST to backend

Risk Assessment

CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
6456 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

imToken

Fake Service

Digital Wallet

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The site uses a domain similar to the real imToken site and presents a login form to harvest user credentials.

🌐 Infrastructure Indicators of Compromise

🦠 Malicious Files

Main File

analysis.js

File Size

Functions: sendData, submitForm

📊 Attack Flow Diagram

User fills <input name='wallet'> → sendData() → fetch('https://beacon-v2.helpscout.net') → exfiltration of wallet credentials

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Sophistication Level

Basic

Total Code Size

1.2 MB

🔗 API Endpoints Detected

Other

14

🔐 Obfuscation Detected

: Moderate
: Light
: None
: None
: None
: None
: None
: None
: None
: Heavy
: Light
: None
: Moderate
: Light
: Light
: Light
: None
: Moderate
: Light

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

User fills <input name='wallet'> → sendData() → fetch('https://beacon-v2.helpscout.net') → exfiltration of wallet credentials

🎯 Malicious Files Identified

Main Drainer

analysis.js

File Size

45KB

Malicious Functions

sendData
submitForm

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

imToken

https://www.imtokevn.im/

Jun 08, 2026

No screenshot

imToken

https://zn-imtoken.me/