SafeMode - Analysis: www.lemsunspares.com

Visual Capture

Detection Info

http://www.lemsunspares.com/wp-content/plugins/modern-admin/sixmonthes/login.php

Detected Brand

Chase

Country

USA

Confidence

96%

HTTP Status

200

Report ID

75ed1330-d5d…

Analyzed

2026-01-31 18:22

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1E611AF110005ECB6C561F5B0D39599011696C720CB9B180097FCD7BD3AF5C99CE875B9
CONTENT ssdeep	12:nwMy7F8L1PZLEIzicYuPKH833YPKHPf35cElBmPKHm433XjGuuRStGuaHWgTK5VO:n/CcVZLvzFJvxcElBpZoS723F/N

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	888c6e7367267ab1
VISUAL aHash	10391c3e7c581c01
VISUAL dHash	e57330f0d1b9e8b1
VISUAL wHash	103d3f3e7c783c41
VISUAL colorHash	06c00000040
VISUAL cropResistant	637370f491b1e8b1,999323ab2bf868e8,8ebc94d9786689d0,e57330f0d1b9e8b1,c3c3e56522f153ca

Code Analysis

Risk Score 81/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester

Telegram Exfiltration

🔬 Threat Analysis Report

• Threat: Credential Phishing
• Target: Chase customers
• Method: Impersonation of Chase login page.
• Exfil: Telegram bot
• Indicators: Domain mismatch, Form asking for username, password, phone number.
• Risk: HIGH

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

fromCharCode
unicode_escape

📤 Form Action Targets

post.php

🔑 Telegram Bot Tokens (1)

7489476150:AAGW...uVlQBTec

📊 Risk Score Breakdown

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain does not match the brand being impersonated.

Credential Harvesting Form

The site contains a form requesting sensitive user credentials.

Javascript Obfuscation

Javascript obfuscation used to hide malicious code

Telegram Token Detected

Telegram token is a sign that information will be sent to the attackers.

🔬 Comprehensive Threat Analysis

Threat Type

Credential Harvesting Kit

Target

Chase users (USA)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

Telegram Bot (7489476150:AAGWFiFsn...) + HTTP POST to backend

Risk Assessment

CRITICAL - Automated credential harvesting with Telegram Bot (7489476150:AAGWFiFsn...) + HTTP POST to backend

⚠️ Indicators of Compromise

1 Telegram bot token(s)
Kit types: Credential Harvester
84 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Chase

Official Website

null

Fake Service

Chase Login

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The attacker has set up a website that mimics the Chase login page. The user is tricked into entering their login credentials and phone number into the fake form. This is used by the attacker to gain access to the user's account.