SafeMode - Analysis: secure05b-chase.publicvm.com

Visual Capture

Screenshot of secure05b-chase.publicvm.com

Detection Info

https://secure05b-chase.publicvm.com/Chase/login.php

Detected Brand

Chase

Country

USA

Confidence

99%

HTTP Status

200

Report ID

ef72f236-b0e…

Analyzed

2026-01-26 23:48

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1A301D0120001ECB2C5A1F5B09391990116D6C724CB971800A7FCD7ED3AF5CADCD875A9
CONTENT ssdeep	12:nwMy7F8L1PZLEIzicYuPKH833YPKHPf35cElBcjGuuRStGuaHWgTK5V5XKkgFp1F:n/CcVZLvzFJvxcElB4oS723F/N

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	888c6c7367367a33
VISUAL aHash	10391c3e7c581c01
VISUAL dHash	e57370f4d9b9e8b1
VISUAL wHash	103d3f3e7c783c41
VISUAL colorHash	06e00000040
VISUAL cropResistant	637360d491b1e8b1,999323ab2bf868e8,8ebc94d9786689d0,e57370f4d9b9e8b1,c3c3e56522f153ca

Code Analysis

Risk Score 81/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester

Telegram Exfiltration

🔬 Threat Analysis Report

• Threat: Credential harvesting phishing attack targeting Chase customers.
• Target: Chase bank customers.
• Method: A fake Chase login page attempts to steal usernames and passwords.
• Exfil: Stolen data is sent to a Telegram bot using the token 7897438235:AAHp5zT-bVKW6N1hrIGEWRjtzBorp-4fBck.
• Indicators: Suspicious domain name, use of PHP for form submission, obfuscated JavaScript, and a Telegram bot token indicating data exfiltration.
• Risk: CRITICAL - Real-time credential theft is highly likely.

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

fromCharCode
unicode_escape

📤 Form Action Targets

post.php

🔑 Telegram Bot Tokens (1)

7897438235:AAHp...rp-4fBck

📊 Risk Score Breakdown

Total Risk Score

96/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester kit with real-time form interception targeting Chase Banking credentials.

Brand Impersonation

Domain and URL structure mimic Chase Bank's official login portal, increasing likelihood of victim deception.

Obfuscation Techniques

84 obfuscation techniques detected, indicating deliberate evasion of detection and analysis.

Exfiltration Method

Telegram bot detected for real-time credential exfiltration, enabling immediate attacker access.

Malicious JavaScript

Single JavaScript file (jq.js) with 0.35 MB size, likely containing credential harvesting logic.

🔬 Comprehensive Threat Analysis

Threat Type

Credential Harvesting Kit

Target

Chase users (USA)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

Telegram Bot (7897438235:AAHp5zT-b...) + HTTP POST to backend

Risk Assessment

CRITICAL - Automated credential harvesting with Telegram Bot (7897438235:AAHp5zT-b...) + HTTP POST to backend

⚠️ Indicators of Compromise

1 Telegram bot token(s)
Kit types: Credential Harvester
84 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

Chase

Official Website

https://www.chase.com

Fake Service

Chase Bank Account Login

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The phishing page presents a fake Chase Bank login form with fields for 'Username' and 'Password'. Submitted credentials are intercepted in real-time via JavaScript and exfiltrated to a Telegram bot controlled by the attacker.

Secondary Method: Real-Time Exfiltration

Detected Telegram bot integration enables immediate transmission of harvested credentials to the attacker, reducing the window for victim remediation.

📡 Telegram Command & Control Infrastructure

Bot Token (Masked)

7897438235:AAHp...rp-4fBck

Bot ID

7897438235

Group/Chat ID

Unknown

Operator Language

Unknown

💬 Message Templates (3)

ID	Portuguese	English	Trigger

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

secure05b-chase.publicvm.com

Registered

2007-07-19 05:57:17+00:00

Registrar

Netdorm, Inc. dba DnsExit.com

Status

Active (6766 days old)

🦠 Malicious Files

Main File

File Size

Contains credential harvesting logic and Telegram bot integration for real-time exfiltration.

🔌 External APIs Abused

telegram

chat_id: Detected
bot_token: Detected

📊 Attack Flow Diagram

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake Chase alert                     │
│    - Link to spoofed Chase login page                    │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE LOADING                                │
│    - Victim lands on Chase-branded phishing site         │
│    - Displays urgent security message                    │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                  │
│    - Victim enters Banking credentials                   │
│    - Form captures input without validation              │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                      │
│    - Stolen credentials sent to Telegram bot             │
│    - Single token used for communication                 │
└──────────────────────────────────────────────────────────┘

🔬 JavaScript Deep Analysis

Total Code Size

360.3 KB

🔗 API Endpoints Detected

Other

6

🔐 Obfuscation Detected

: Moderate

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake Chase alert                     │
│    - Link to spoofed Chase login page                    │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE LOADING                                │
│    - Victim lands on Chase-branded phishing site         │
│    - Displays urgent security message                    │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                  │
│    - Victim enters Banking credentials                   │
│    - Form captures input without validation              │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                      │
│    - Stolen credentials sent to Telegram bot             │
│    - Single token used for communication                 │
└──────────────────────────────────────────────────────────┘