SafeMode - Analysis: www.qiyeyou126.cn

Captura Visual

Información de Detección

https://www.qiyeyou126.cn/login/

Detected Brand

NetEase (网易)

Country

International

Confianza

100%

HTTP Status

200

Report ID

28d7dfae-789…

Analyzed

2026-03-19 16:00

Hashes de Contenido (Similitud HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1BB33DE312D980EBB03FB52CE7A54EF3B60C3BA69C3154D898AF8499D1E4CDE1AD90157
CONTENT ssdeep	768:xG/9qACeoYjJU/gULbNcTW+wFACeSOFm44m/s:4EAF/ULbiwFAF4K/s

Hashes Visuales (Similitud de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	9a1be77ae1659812
VISUAL aHash	00000c028f9fffff
VISUAL dHash	42383816393c64cd
VISUAL wHash	00000c0a8fdfffff
VISUAL colorHash	06007000000
VISUAL cropResistant	42383816393c64cd

Análisis de Código

Risk Score 100/100

Nivel de Amenaza ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Amenaza: Phishing
• Objetivo: Usuarios de NetEase
• Método: Suplantación de identidad y recopilación de credenciales
• Exfil: Al sistema de inicio de sesión de NetEase
• Indicadores: Coincidencia de dominio, código ofuscado y acciones de formulario
• Riesgo: Alto

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

eval
fromCharCode
unescape
document.write
hex_escape
unicode_escape
js_packer
base64_strings

🎯 Kit Endpoints

https://open.qiye.163.com/advconfig/getAdvConfig?type=login&callback=jsonp_u0e95xgwix02wyy
https://entryhz.qiye.163.com/login/action/getCtCodes?callback=jsonp_w8k3dlqqjkoourr
https://ss.knet.cn/verifyseal.dll?sn=e12051044010020841301459&ct=df&pa=151131
https://entry.qiye.163.com/domain/domainEntLogin
//qiye.163.com/entry/buy-price.htm?from=login_pc
https://entry.qiye.163.com/domain/domainAdminLogin

📡 API Calls Detected

GET
//office.163.com/
get
POST

📤 Form Action Targets

https://entry.qiye.163.com/domain/domainEntLogin
https://entry.qiye.163.com/domain/domainAdminLogin

📊 Desglose de Puntuación de Riesgo

Total Risk Score

90/100

Contributing Factors

Domain Mismatch

The domain does not belong to the brand being impersonated.

Obfuscation Detected

Obfuscated Javascript code, increases risk

Form Actions

Form action is targeting a legitimate service, likely credential harvesting

🔬 Análisis Integral de Amenazas

Tipo de Amenaza

Banking Credential Harvester

Objetivo

NetEase (网易) users (International)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltración

HTTP POST to backend

Evaluación de Riesgo

CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer, Banking, Personal Info
24141 obfuscation techniques

🏢 Análisis de Suplantación de Marca

Impersonated Brand

NetEase

Official Website

qiye.163.com

Fake Service

NetEase email login

⚔️ Metodología de Ataque

Primary Method: Credential harvesting via phishing

The attacker is presenting a fake login page that mimics the appearance of NetEase to harvest user credentials. They are likely using the QR code to direct users to the login form, tricking them to input their credentials.