SafeMode - Analysis: imtonkem.im

Visual Capture

No screenshot available

Detection Info

https://imtonkem.im/

Detected Brand

imToken

Country

International

Confidence

100%

HTTP Status

200

Report ID

cd7a9a14-6e9…

Analyzed

2025-12-31 01:43

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1C2E54B8DB6E1707546A7A0B84D3F508AB17E15AB6488D850F79CC8D03F740AE9277FAC
CONTENT ssdeep	49152:pcKff/TsJ1xozyfWCZDzZiHxMXK5jnhFcLSURvYcqqRW0jnLClqIce:PwA1ce

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	ece943929231e1ed
VISUAL aHash	fffffbffff000000
VISUAL dHash	0b2312372452f0d4
VISUAL wHash	edffc3dfdf000000
VISUAL colorHash	070020001c0
VISUAL cropResistant	0b29061317372643,0830320809c48609,82924cb292969680,0012e040c4d4d4d4

Code Analysis

Risk Score 95/100

Threat Level BAJO

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Potential brand impersonation via domain name.
• Target: imToken users.
• Method: Using a similar domain name to redirect users to a promotional page.
• Exfil: No data exfiltration detected.
• Indicators: The URL domain does not match the main brand domain, although the text claims it's official.
• Risk: LOW - Although the domain name is suspect, no sensitive info is requested and the page appears to promote imToken.

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

atob
fromCharCode
unescape
document.write
unicode_escape
base64_strings

🎯 Kit Endpoints

/blog

📡 API Calls Detected

POST
https://www.google.com/ccm/geo
text/html

📤 Form Action Targets

https://d0a5ba0b.sibforms.com/serve/MUIEAEz3dQk0fDrweVnmTpQQbZ2rw7qQ0gwoG6uu7cmDs0Qbh-IH9n_9vnkOQcAbKkvvwJN3s6pdlocND15cgu8iWZpPKmLHrRotNy0Y7OWZCbE6s_ufjQdZ1gF97q8wMCufNErgiw-O2ZXG15IuswkxLv9-ibQzyNEr6vAKCXMI0DSy_0nRpnTgnUV27alZPD76WvkNNHW5Ylmh