SafeMode - Analysis: registrosaqui.com

Captura Visual

Información de Detección

https://registrosaqui.com/

Detected Brand

CMR Puntos

Country

International

Confianza

100%

HTTP Status

N/A

Report ID

66d466e6-26d…

Analyzed

2026-01-30 06:55

Hashes de Contenido (Similitud HTML)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1514153318545C93B5693A6A49321DF2AB1D3C613CB0318A5B2F993ED9BD7D85CDD028C
CONTENT ssdeep	48:sHhHcpnifS6uM6hRx1fRYwiMucL+CDQyS:CaiS6uM6hIk+1

Hashes Visuales (Similitud de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	e6dc997174c43199
VISUAL aHash	ffffe7c3c3c3e7e7
VISUAL dHash	8c140c4d0e0e4c0c
VISUAL wHash	42c7c3c3c3c3e3c3
VISUAL colorHash	07600006000
VISUAL cropResistant	8c140c4d0e0e4c0c,100c32b2b2320c10,0929696577b4da5a

Análisis de Código

Risk Score 81/100

Nivel de Amenaza ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer

🔬 Threat Analysis Report

• Amenaza: Kit de phishing de recolección de credenciales dirigido a usuarios de CMR Puntos.
• Objetivo: Usuarios del programa de recompensas CMR Puntos.
• Método: Formulario de inicio de sesión falso diseñado para robar RUT (Identificación tributaria chilena) y la contraseña de banca por Internet.
• Exfil: Exfiltración de datos probablemente a través del envío de formularios JavaScript, posiblemente conduciendo a una API personalizada basada en ofuscación.
• Indicators: Registro de dominio muy reciente, JavaScript ofuscado y un nombre de dominio no relacionado con la marca.
• Riesgo: ALTO - Robo inmediato de credenciales y posible compromiso de la cuenta.

🔒 Obfuscation Detected

fromCharCode
base64_strings

📡 API Calls Detected

https://api.ipify.org?format=json
/submit.php
POST

📊 Desglose de Puntuación de Riesgo

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester and OTP Stealer kits with real-time form interception for RUT and Clave Internet fields.

High Obfuscation

19 obfuscation techniques detected, indicating deliberate evasion of detection and analysis.

Brand Impersonation

Targeting CMR Puntos, a recognized financial loyalty program, increasing likelihood of successful credential theft.

Form Fields

3 forms detected, including sensitive fields (RUT, Clave Internet) commonly used for account takeover.

🔬 Análisis Integral de Amenazas

Tipo de Amenaza

Two-Factor Authentication Stealer

Objetivo

CMR Puntos users (International)

Método de Ataque

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Canal de Exfiltración

Form submission (backend endpoint not detected - likely JavaScript-based)

Evaluación de Riesgo

CRITICAL - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer
19 obfuscation techniques

🏢 Análisis de Suplantación de Marca

Impersonated Brand

CMR Puntos

Official Website

https://www.cmrpuntos.cl/

Fake Service

CMR Puntos account access and loyalty points management

⚔️ Metodología de Ataque

Primary Method: Credential Harvesting

The phishing kit captures RUT (Chilean national ID) and Clave Internet (internet Banking password) via form submission. Data is likely exfiltrated in real-time to an attacker-controlled server for immediate account takeover.

Secondary Method: OTP Stealer

The OTP Stealer kit component intercepts one-time passwords (OTPs) sent via SMS or authentication apps, enabling bypass of two-factor authentication (2FA) for CMR Puntos accounts.

🌐 Indicadores de Compromiso de Infraestructura

Domain Information

Dominio

registrosaqui.com

Registered

2026-01-18 22:44:09+00:00

Registrar

Tecnocratica Centro de Datos, S.L.

Estado

Recently registered (8 days old)

🦠 Malicious Files

Main File

File Size

JavaScript file with potential credential harvesting or OTP interception functionality.

📊 Diagrama de Flujo de Ataque

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake CMR Puntos offer                │
│    - Link to fraudulent login page                       │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE LOAD                                  │
│    - Mimics legitimate CMR Puntos site                   │
│    - Displays credential input form                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                 │
│    - Victim enters Banking credentials                   │
│    - Form captures input data                            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘

🔬 JavaScript Deep Analysis

Total Code Size

68,7 KB

🔗 API Endpoints Detected

Other

5

🔐 Obfuscation Detected

: Light

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake CMR Puntos offer                │
│    - Link to fraudulent login page                       │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE LOAD                                  │
│    - Mimics legitimate CMR Puntos site                   │
│    - Displays credential input form                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                 │
│    - Victim enters Banking credentials                   │
│    - Form captures input data                            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘