EN ES PT

Phishing Analysis

Detailed analysis of captured phishing page

Back to Stats

Captura Visual

Screenshot of mwizz.leadsbr.com.br

Información de Detección

https://mwizz.leadsbr.com.br/latest/index.php/campaigns/ho806l0mosf9b/track-url/mz028zdd19c4e/26b041c23b666a5a5c9ae7d2f88afe177a51623d
Detected Brand
Insurance Companies (Porto Seguro, Zurich, etc.)
Country
International
Confianza
100%
HTTP Status
200
Report ID
1054310b-1e5…
Analyzed
2026-02-17 12:45
Final URL (after redirects)
https://coteaqui.planosparavc.com.br/auto-1/

Hashes de Contenido (Similitud HTML)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T155E3A67FA1249C6FF29AC394EFB414697198D0C9E782D394C3E8837C6E604DB5C3A964
CONTENT ssdeep
768:qrHlpBS5sKuOIbFlMGYjMPNnhVM58ZK4zNes0o0:qTlpiuOaFlMGYjoFK500

Hashes Visuales (Similitud de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
9753e82ae2aae2cc
VISUAL aHash
bd0e0e0e0e0f9fff
VISUAL dHash
69dc9c5c7cfa330c
VISUAL wHash
850e0e0e0e0f1fff
VISUAL colorHash
060000001c0
VISUAL cropResistant
0061697969699609,dcdc5c7cfc7b330c,a1a94c76a80e61a9,4960928c14cd4a55,a69e16d4598ba242,dcd89c5c7cfcfa33

Análisis de Código

Risk Score 100/100
Nivel de Amenaza ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Amenaza: Phishing
• Objetivo: Clientes de seguros
• Método: Suplantación de identidad a través de un formulario
• Exfil: descadastramento.php, salvaeenvia.php, https://painel.sauti.com.br/modules/Webforms/capture.php
• Indicadores: Coincidencia de dominio, logotipos de múltiples marcas, formulario que solicita información personal.
• Riesgo: ALTO

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

  • atob
  • eval
  • fromCharCode
  • unescape
  • hex_escape
  • unicode_escape
  • base64_strings

🎯 Kit Endpoints

  • http://developers.facebook.com/policy/].
  • http://www.ans.gov.br/planos-de-saude-e-operadoras/contratacao-e-troca-de-plano/dicas-para-escolher-um-plano/segmentacao-assistencial
  • https://www.facebook.com/privacy_sandbox/pixel/register/trigger/
  • https://connect.facebook.net/
  • #small-dialog-ch
  • https://connect.facebook.net/en_US/fbevents.js
  • https://www.googletagmanager.com/gtag/js?id=AW-1002935720
  • https://connect.facebook.net/log/fbevents_telemetry/
  • https://www.facebook.com/tr
  • https://developers.facebook.com/docs/meta-pixel/reference/
  • http://www.ans.gov.br/planos-de-saude-e-operadoras/contratacao-e-troca-de-plano/dicas-para-escolher-um-plano/formas-de-contratacao-de-planos-de-saude
  • https://www.instagram.com/tr/
  • https://api.whatsapp.com/send?l=pt&phone=5511985499166
  • http://www.ans.gov.br/images/stories/Materiais_para_pesquisa/Materiais_por_assunto/cartilha_plano_de_saude.pdf
  • https://www.facebook.com/privacy_sandbox/topics/registration/
  • https://gw.conversionsapigateway.com
  • https://mwizz.leadsbr.com.br/latest/index.php/campaigns/ho806l0mosf9b/track-url/mz028zdd19c4e/custom.js
  • https://www.facebook.com/tr/
  • #small-dialog-in
  • #small-dialog-it
  • https://www.planodesaudepopulares.com.br/contador/
  • https://painel.sauti.com.br/modules/Webforms/capture.php
  • https://developers.facebook.com/docs/ads-for-websites/pixel-events/#events
  • https://wa.me/
  • https://connect.facebook.net/signals/config/2029723907178183?v=2.9.265&r=stable&domain=coteaqui.planosparavc.com.br&hme=8faeb0ed09c145bbd9d3213e762abac29e9f76b8e7a9df9d71a3058625e3b7dd&ex_m=96%2C187%2C136%2C21%2C68%2C69%2C129%2C64%2C43%2C130%2C73%2C63%2C10%2C143%2C82%2C15%2C95%2C124%2C117%2C71%2C74%2C123%2C140%2C104%2C145%2C7%2C3%2C4%2C6%2C5%2C2%2C83%2C93%2C146%2C151%2C201%2C57%2C167%2C168%2C50%2C238%2C28%2C70%2C213%2C212%2C211%2C30%2C56%2C9%2C59%2C89%2C90%2C91%2C97%2C120%2C29%2C27%2C122%2C119%2C118%2C137%2C72%2C139%2C138%2C45%2C55%2C113%2C14%2C142%2C40%2C226%2C227%2C225%2C24%2C25%2C26%2C17%2C19%2C39%2C35%2C37%2C36%2C78%2C84%2C88%2C102%2C128%2C131%2C41%2C103%2C22%2C20%2C109%2C65%2C33%2C133%2C132%2C134%2C125%2C23%2C32%2C54%2C101%2C141%2C66%2C16%2C135%2C106%2C77%2C62%2C18%2C31%2C249%2C194%2C181%2C182%2C180%2C252%2C244%2C195%2C99%2C121%2C76%2C111%2C49%2C42%2C44%2C105%2C110%2C116%2C53%2C60%2C115%2C48%2C51%2C47%2C92%2C144%2C0%2C114%2C13%2C112%2C11%2C1%2C52%2C85%2C58%2C61%2C108%2C81%2C80%2C147%2C148%2C86%2C87%2C8%2C94%2C46%2C126%2C79%2C75%2C67%2C107%2C98%2C38%2C127%2C34%2C100%2C12%2C149
  • https://embed.tawk.to/5e7e2b8c35bcbb0c9aab1791/default

📡 API Calls Detected

  • GET
  • https://www.google.com/ccm/geo
  • POST

📤 Form Action Targets

  • descadastramento.php
  • salvaeenvia.php
  • https://painel.sauti.com.br/modules/Webforms/capture.php

📊 Desglose de Puntuación de Riesgo

Total Risk Score
90/100

Contributing Factors

Domain mismatch
The domain does not match any brand, suggesting an attempt to impersonate.
Requests for sensitive information
The form asks for personal and contact details, increasing the risk of data theft.
Obfuscated Javascript
Javascript obfuscation found indicating malicious behavior.
Multi-brand Impersonation
Multiple brands are being impersonated.

🔬 Análisis Integral de Amenazas

Tipo de Amenaza
Banking Credential Harvester
Objetivo
Insurance Companies (Porto Seguro, Zurich, etc.) users (International)
Método de Ataque
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Canal de Exfiltración
HTTP POST to backend
Evaluación de Riesgo
CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • 175 obfuscation techniques

🏢 Análisis de Suplantación de Marca

Impersonated Brand
Multiple Insurance Companies
Official Website
Unknown
Fake Service
Insurance Quotes

⚔️ Metodología de Ataque

Primary Method: Credential Harvesting

The attacker aims to collect user's personal information by having them fill out a form that requests their name, contact details and other potentially sensitive data. This data can be used for identity theft or other malicious purposes.

🌐 Indicadores de Compromiso de Infraestructura

🦠 Malicious Files

Main File
2029723907178183?v=2.9.265&r=stable&domain=coteaqui.planosparavc.com.br&hme=8faeb0ed09c145bbd9d3213e762abac29e9f76b8e7a9df9d71a3058625e3b7dd&ex_m=96%2C187%2C136%2C21%2C68%2C69%2C129%2C64%2C43%2C130%2C73%2C63%2C10%2C143%2C82%2C15%2C95%2C124%2C117%2C71%2C74%2C123%2C140%2C104%2C145%2C7%2C3%2C4%2C6%2C5%2C2%2C83%2C93%2C146%2C151%2C201%2C57%2C167%2C168%2C50%2C238%2C28%2C70%2C213%2C212%2C211%2C30%2C56%2C9%2C59%2C89%2C90%2C91%2C97%2C120%2C29%2C27%2C122%2C119%2C118%2C137%2C72%2C139%2C138%2C45%2C55%2C113%2C14%2C142%2C40%2C226%2C227%2C225%2C24%2C25%2C26%2C17%2C19%2C39%2C35%2C37%2C36%2C78%2C84%2C88%2C102%2C128%2C131%2C41%2C103%2C22%2C20%2C109%2C65%2C33%2C133%2C132%2C134%2C125%2C23%2C32%2C54%2C101%2C141%2C66%2C16%2C135%2C106%2C77%2C62%2C18%2C31%2C249%2C194%2C181%2C182%2C180%2C252%2C244%2C195%2C99%2C121%2C76%2C111%2C49%2C42%2C44%2C105%2C110%2C116%2C53%2C60%2C115%2C48%2C51%2C47%2C92%2C144%2C0%2C114%2C13%2C112%2C11%2C1%2C52%2C85%2C58%2C61%2C108%2C81%2C80%2C147%2C148%2C86%2C87%2C8%2C94%2C46%2C126%2C79%2C75%2C67%2C107%2C98%2C38%2C127%2C34%2C100%2C12%2C149
File Size

🔬 JavaScript Deep Analysis

Operator Language
Portuguese (1%)
Sophistication Level
Basic
Total Code Size
566,4 KB

🔗 API Endpoints Detected

Other
14

🔐 Obfuscation Detected

  • : Light
  • : Moderate
  • : Light

🤖 AI-Extracted Threat Intelligence

🎯 Malicious Files Identified

Main Drainer
2029723907178183?v=2.9.265&r=stable&domain=coteaqui.planosparavc.com.br&hme=8faeb0ed09c145bbd9d3213e762abac29e9f76b8e7a9df9d71a3058625e3b7dd&ex_m=96%2C187%2C136%2C21%2C68%2C69%2C129%2C64%2C43%2C130%2C73%2C63%2C10%2C143%2C82%2C15%2C95%2C124%2C117%2C71%2C74%2C123%2C140%2C104%2C145%2C7%2C3%2C4%2C6%2C5%2C2%2C83%2C93%2C146%2C151%2C201%2C57%2C167%2C168%2C50%2C238%2C28%2C70%2C213%2C212%2C211%2C30%2C56%2C9%2C59%2C89%2C90%2C91%2C97%2C120%2C29%2C27%2C122%2C119%2C118%2C137%2C72%2C139%2C138%2C45%2C55%2C113%2C14%2C142%2C40%2C226%2C227%2C225%2C24%2C25%2C26%2C17%2C19%2C39%2C35%2C37%2C36%2C78%2C84%2C88%2C102%2C128%2C131%2C41%2C103%2C22%2C20%2C109%2C65%2C33%2C133%2C132%2C134%2C125%2C23%2C32%2C54%2C101%2C141%2C66%2C16%2C135%2C106%2C77%2C62%2C18%2C31%2C249%2C194%2C181%2C182%2C180%2C252%2C244%2C195%2C99%2C121%2C76%2C111%2C49%2C42%2C44%2C105%2C110%2C116%2C53%2C60%2C115%2C48%2C51%2C47%2C92%2C144%2C0%2C114%2C13%2C112%2C11%2C1%2C52%2C85%2C58%2C61%2C108%2C81%2C80%2C147%2C148%2C86%2C87%2C8%2C94%2C46%2C126%2C79%2C75%2C67%2C107%2C98%2C38%2C127%2C34%2C100%2C12%2C149
File Size
567KB

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

Screenshot
Seguro Auto (Insurance)
https://mwizz.leadsbr.com.br/latest/index.php/campaigns/nq54...
Feb 17, 2026

Scan History for mwizz.leadsbr.com.br

Found 7 other scans for this domain

😰
"Nunca pensé que me pasaría a mí"
Esto dicen las 2.3 millones de víctimas cada año. No esperes a ser una estadística.