
Visual Capture

Screenshot of 77552354xyz.imtoken1.bmxuij.cn

Detection Information

http://77552354xyz.imtoken1.bmxuij.cn/
Detected Brand
imToken
Country
International
Confidence
100%
HTTP Status
200
Report ID
020d5956-72b…
Analyzed
2026-01-26 12:05

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

| Algorithm | Hash Value |
|---|---|
| CONTENT TLSH | T1A56224705889EE3701E7A6D1CB71AB3DE1C192A6CA765D05C2F8878D4F46FADCE03906 |
| CONTENT ssdeep | 192:VjoEJKsPVzRACInJ+PmifkYK76AL4zKSpwj5bXkTRLTT3SPo73q:Wpsa6Zw6nlb6Wa |

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

| Algorithm | Hash Value |
|---|---|
| VISUAL pHash | aced43929238e1ed |
| VISUAL aHash | fffffbffff000000 |
| VISUAL dHash | 1c2213372452f0d4 |
| VISUAL wHash | ffffc3d7d7000000 |
| VISUAL colorHash | 070020001c0 |
| VISUAL cropResistant | 163803121f372642,0c3232320aa49409,809248b2b2969680,00143070ccd4d4d4 |

Code Analysis

Risk Score 85/100
Threat Level HIGH
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Threat: Credential-theft phishing kit
• Target: imToken users internationally
• Method: Fake form that steals user credentials
• Exfil: Data sent to an external form action URL
• Indicators: Suspicious domain, obfuscated JavaScript, brand mismatch
• Risk: HIGH - Immediate credential theft

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

  • fromCharCode
  • unescape
  • document.write
  • unicode_escape
  • base64_strings

📡 API Calls Detected

  • POST
  • text/html

📤 Form Action Targets

  • https://d0a5ba0b.sibforms.com/serve/MUIEAEz3dQk0fDrweVnmTpQQbZ2rw7qQ0gwoG6uu7cmDs0Qbh-IH9n_9vnkOQcAbKkvvwJN3s6pdlocND15cgu8iWZpPKmLHrRotNy0Y7OWZCbE6s_ufjQdZ1gF97q8wMCufNErgiw-O2ZXG15IuswkxLv9-ibQzyNEr6vAKCXMI0DSy_0nRpnTgnUV27alZPD76WvkNNHW5Ylmh

📊 Risk Score Breakdown

Total Risk Score
100/100

Contributing Factors

Active Phishing Kit
Detected Credential Harvester, OTP Stealer, and Banking kits with real-time form interception capabilities.
Brand Impersonation
Domain impersonates imToken, a high-value cryptocurrency wallet target.
Obfuscation Techniques
3084 obfuscation techniques detected, indicating heavy code concealment.
Malicious JavaScript
Multiple obfuscated JS files (vendor.0c72b11a.js, main.6bd68ac0.js, main.4963463c.js) with total size 0.26 MB.

🔬 Comprehensive Threat Analysis

Threat Type
Banking Credential Harvester
Target
imToken users (International)
Attack Method
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Exfiltration Channel
HTTP POST to backend
Risk Assessment
CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
  • 3084 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand
imToken
Official Website
https://token.im
Fake Service
Cryptocurrency wallet download

⚔️ Attack Methodology

Primary Method: Wallet Credential Harvesting

The phishing site mimics imToken's interface to trick users into entering their wallet credentials. The Credential Harvester kit captures input in real-time and transmits it to the attacker's server, enabling immediate unauthorized access to the victim's cryptocurrency wallet.

Secondary Method: OTP Interception

The OTP Stealer kit may intercept one-time passwords or 2FA codes sent to the victim's device, bypassing additional security layers to authorize fraudulent transactions.

Target Blockchain
Ethereum

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain
77552354xyz.imtoken1.bmxuij.cn
Registered
2025-06-18 18:29:39+00:00
Registrar
厦门纳网科技股份有限公司
Status
Active (221 days old)

🦠 Malicious Files

Main File
File Size

Obfuscated JavaScript file containing credential harvesting and OTP interception logic.

📊 Attack Flow Diagram

Here's a generic ASCII art attack flow diagram for the phishing attack:

```
┌──────────────────────────────────────────────────────────┐
│ 1. INITIAL ACCESS                                        │
│    - Victim directed to fake crypto wallet page          │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE INTERFACE DISPLAY                                │
│    - Spoofed wallet login form presented                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL CAPTURE                                    │
│    - User enters wallet credentials                      │
│    - Form collects sensitive information                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA TRANSMISSION                                     │
│    - Stolen credentials sent via HTTP POST               │
│    - Single endpoint receives harvested data             │
└──────────────────────────────────────────────────────────┘
```

🔬 JavaScript Deep Analysis

Operator Language
English (1%)
Total Code Size
269.0 KB

🔗 API Endpoints Detected

Other
19

🔐 Obfuscation Detected

  • : Moderate
  • : Light
  • : None
  • : Moderate
  • : None
  • : None
  • : None
  • : None
  • : None
  • : None
  • : Moderate
  • : None
  • : None
  • : None
  • : Light
  • : None
  • : None
  • : None
  • : None
  • : None

🤖 AI-Extracted Threat Intelligence

🎯 Malicious Files Identified
