SafeMode - Analysis: qrco.de

Visual Capture

No screenshot available

Detection Info

https://qrco.de/bgZUNV

Detected Brand

Microsoft

Country

Unknown

Confidence

95%

HTTP Status

200

Report ID

e93c8eec-513…

Analyzed

2026-01-26 08:49

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1681255B195809D3B129786E4AA71AB0F77E44788CF432B11BAF853DE1FC6CA5DC4B091
CONTENT ssdeep	96:n4duiEpxl+JQfPrxzoqiwMQZBRnMRH4RJu/wJ/Fx6/lO4IhbP1hDss8Mcr8QbHA+:1vnr15ZkhOSw4KNKsfcrvbWfLiwqgw

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	a70f8d0f27078d0f
VISUAL aHash	3fffffe7e7ffffff
VISUAL dHash	6008000808000800
VISUAL wHash	00ffffe720383030
VISUAL colorHash	07001019040
VISUAL cropResistant	6008000808000800

Code Analysis

Risk Score 71/100

Threat Level HIGH

🎣 Credential Harvester 🎣 Personal Info

🔒 Obfuscation Detected

eval
fromCharCode

📡 API Calls Detected

POST
//

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester and Personal Info kit types, indicating a high likelihood of credential and sensitive data harvesting.

Obfuscation Techniques

36 obfuscation techniques detected, significantly increasing the difficulty of analysis and indicating malicious intent.

Suspicious JavaScript Files

Presence of JavaScript files (photoswipe.min.js, photoswipe-ui-default.min.js) with potential for malicious functionality, despite no immediate indicators of abuse.

Lack of Transparency

No identifiable brand, language, or clear attack vector, increasing the likelihood of a sophisticated or targeted phishing attempt.

🔬 Comprehensive Threat Analysis

Threat Type

Credential Harvesting Kit

Target

General public

Attack Method

obfuscated JavaScript

Exfiltration Channel

Unknown

Risk Assessment

HIGH - Automated credential harvesting with Unknown

⚠️ Indicators of Compromise

Kit types: Credential Harvester, Personal Info
36 obfuscation techniques

🏢 Brand Impersonation Analysis

Fake Service

Unknown (No specific service or brand impersonation detected)

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The phishing kit is designed to capture user credentials through deceptive input forms or fake login prompts. The harvested credentials are likely transmitted to a remote server controlled by the attacker for further exploitation, such as account takeover or identity theft.

Secondary Method: Personal Information Theft

In addition to credentials, the kit targets personal information such as names, addresses, and contact details. This data can be used for identity fraud, phishing, or sold on underground markets.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

qrco.de

Registered

Unknown

Registrar

Unknown

Status

Active (age unknown)

🦠 Malicious Files

Main File

File Size

JavaScript file with no immediately detectable malicious functions but included in a high-risk phishing kit.

📊 Attack Flow Diagram

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL CONTACT                                       │
│    - Victim receives phishing message                    │
│    - Message contains link to fake Banking site          │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE SITE ACCESS                                      │
│    - Victim visits fraudulent Banking page               │
│    - Page mimics legitimate login interface              │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                 │
│    - Victim enters Banking credentials                   │
│    - Form appears identical to legitimate site           │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA CAPTURE                                          │
│    - Credentials collected by attacker                   │
│    - Data prepared for exfiltration                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 5. EXFILTRATION                                           │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker-controlled     │
│      destination                                         │
└──────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Total Code Size

40.8 KB

🔗 API Endpoints Detected

Other

5

🔐 Obfuscation Detected

: Light
: None

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL CONTACT                                       │
│    - Victim receives phishing message                    │
│    - Message contains link to fake Banking site          │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE SITE ACCESS                                      │
│    - Victim visits fraudulent Banking page               │
│    - Page mimics legitimate login interface              │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                 │
│    - Victim enters Banking credentials                   │
│    - Form appears identical to legitimate site           │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA CAPTURE                                          │
│    - Credentials collected by attacker                   │
│    - Data prepared for exfiltration                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 5. EXFILTRATION                                           │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker-controlled     │
│      destination                                         │
└──────────────────────────────────────────────────────────┘
```