SafeMode - Analysis: runx.cc

Visual Capture

No screenshot available

Detection Info

https://runx.cc

Detected Brand

Runx

Country

International

Confidence

100%

HTTP Status

200

Report ID

c05fd6f7-242…

Analyzed

2026-01-26 12:40

Final URL (after redirects)

https://runx.cc/

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1A7541ABFA32452F9E106D7DCD952E038326E24FE3B5283A8E7594F36B5148DC8855D83
CONTENT ssdeep	1536:Ps8Ucshc9BoUpQ5LToi0ZvqLDTKc9BoUpQ5RyiyOYjyty2ByayMc0OWIbZaHeYNt:P8c9HQKc9HQthc0y65s6

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	929979a6a66da496
VISUAL aHash	163c5c003e36283c
VISUAL dHash	a4d8d8e4e4c4d8dc
VISUAL wHash	1e3c5c243e7e2c3c
VISUAL colorHash	38006000200
VISUAL cropResistant	727130d2c96b72f2,a4d8d8e4e4c4d8dc

Code Analysis

Risk Score 100/100

Threat Level BAJO

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

WebSocket C2

🔬 Threat Analysis Report

• Threat: No immediate threat detected
• Target: None identified
• Method: Legitimate business website
• Exfil: No data exfiltration detected
• Indicators: Domain matches brand, complete website
• Risk: LOW - Legitimate business site

🔒 Obfuscation Detected

atob
eval
fromCharCode
unescape
unicode_escape
base64_strings

📡 API Calls Detected

POST
GET

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester, OTP Stealer, Card Stealer, and Banking kits with real-time form interception capabilities.

High Obfuscation

118 obfuscation techniques detected, indicating advanced evasion and anti-analysis measures.

Malicious JavaScript Files

Presence of large, obfuscated JavaScript files (uwt.js, fbevents.js, 4bd1b696-ad7506e6ce5b48e8.js) totaling 1.03 MB.

WebSocket Communication

Detected 1 WebSocket URL, suggesting real-time data exfiltration or command-and-control communication.

🔬 Comprehensive Threat Analysis

Threat Type

Banking Credential Harvester

Target

Runx users (International)

Attack Method

real-time WebSocket exfiltration + obfuscated JavaScript

Exfiltration Channel

WebSocket (1 endpoints)

Risk Assessment

CRITICAL - Automated credential harvesting with WebSocket (1 endpoints)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
118 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Runx

Official Website

Unknown

Fake Service

Exclusive bonus or reward

Fraudulent Claims

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The phishing kit captures user credentials (email and password) via form fields on the fake login page. Data is likely exfiltrated in real-time via WebSocket connections to an attacker-controlled server.

Secondary Method: OTP and Payment Data Theft

The kit includes modules for intercepting one-time passwords (OTP) and stealing payment card details, enabling account takeover and financial fraud.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

runx.cc

Registered

2025-12-20 20:23:58+00:00

Registrar

NICENIC INTERNATIONAL GROUP CO., LIMITED

Status

Active (36 days old)

🦠 Malicious Files

Main File

File Size

Large, obfuscated JavaScript file likely containing credential harvesting and data exfiltration logic.

📊 Attack Flow Diagram

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL ACCESS                                        │
│    - Victim receives phishing link (email/SMS)           │
│    - Clicks link to fake Runx Banking page               │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE                                       │
│    - Displays convincing Runx branding                   │
│    - Presents credential input form                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL CAPTURE                                    │
│    - Victim enters Banking credentials                   │
│    - Form appears to process normally                    │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Stolen credentials sent via WebSocket               │
│    - Single persistent connection used                   │
└──────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Operator Language

English (1%)

Sophistication Level

Basic

Total Code Size

1.0 MB

🔗 API Endpoints Detected

Other

57

Backend API

1

WebSocket (Real-time)

1

🔐 Obfuscation Detected

: Light
: Moderate
: Moderate
: Moderate
: None
: Light
: Light
: Light
: Light
: Light
: Light
: None
: Light
: Light
: Light
: Light
: Light
: Light
: Light
: Light

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL ACCESS                                        │
│    - Victim receives phishing link (email/SMS)           │
│    - Clicks link to fake Runx Banking page               │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE                                       │
│    - Displays convincing Runx branding                   │
│    - Presents credential input form                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL CAPTURE                                    │
│    - Victim enters Banking credentials                   │
│    - Form appears to process normally                    │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Stolen credentials sent via WebSocket               │
│    - Single persistent connection used                   │
└──────────────────────────────────────────────────────────┘
```