opera.exe

  • File Path: C:\Program Files\Opera\70.0.3728.106\opera.exe
  • Description: Opera Internet Browser

Hashes

Type Hash
MD5 C3365FF810311F43C51189D1F646D420
SHA1 C81DC5FD5ECFEA2B3FD68978F79E8B6A27D777A1
SHA256 E8CBF7487B32541CAC4B87D870C13320A3D0D954C40F4777C397B960BE690174
SHA384 261DE0026F6E63386A43D385A956F67206AC8A56461CA0D959016ADCEF7CD399B24A0DFCD22105D25702C5A67B81A2EE
SHA512 F6689D71661A26E7DBC7B7E264C52780ECFB4143617C1D7CA8F247EBA7F14261761F1C43D27692E848C03A5F9F177AF2F7550CF984EE60F858C26A6FAA7D7986
SSDEEP 12288:5vwkvP/aNl347aOSvtpYb1jyUPqfM0RcNZrfAhvGOwHceR5+n3coXCC7F:5PaNt2aOSvjOj6fM4hv8qcmn7F

Runtime Data

Usage (stdout):

Opera 70.0.3728.106 Stable
Features available through command-line switches:
	--with-feature:enhanced-address-bar [Enabled by default: false]
	--with-feature:handle-abp-protocol [Enabled by default: true]
	--with-feature:history-onboarding [Enabled by default: false]
	--with-feature:instagram-panel [Enabled by default: true]
	--with-feature:lookalike-url-navigation-suggestions [Enabled by default: true]
	--with-feature:procedural-tab-drawing [Enabled by default: true]
	--with-feature:search-in-closed-tabs [Enabled by default: true]
	--with-feature:search-text-in-tabs [Enabled by default: true]
	--with-feature:shared-start-page [Enabled by default: true]
	--with-feature:sidebar-site-panel [Enabled by default: false]
	--with-feature:smart-files [Enabled by default: false]
	--with-feature:suggestion-scoring-improved [Enabled by default: true]
	--with-feature:sync-passphrase-papercuts [Enabled by default: true]
	--with-feature:weather-on-startpage [Enabled by default: true]
	--with-feature:workspaces [Enabled by default: true]
	--with-feature:workspaces-bookmark-context-menu [Enabled by default: true]
	--with-feature:workspaces-extended-menu [Enabled by default: false]
	--with-feature:workspaces-sidebar-context-menu [Enabled by default: true]
	--with-feature:workspaces-sidebar-notification [Enabled by default: true]
	--with-feature:workspaces-dnd [Enabled by default: false]
	--with-feature:yandex-zen-news [Enabled by default: false]
Press any key to continue . . . 

Child Processes:

launcher.exe

Signature

  • Status: Signature verified.
  • Serial: 0D31C23EB2249CE611B953FB16EA0D25
  • Thumbprint: 373CD800B048D39CE2057A09937093EA73BCDE5F
  • Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Opera Software AS, O=Opera Software AS, L=Oslo, C=NO, SERIALNUMBER=916 368 127, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=NO

File Metadata

  • Original Filename:
  • Product Name: Opera Internet Browser
  • Company Name: Opera Software
  • File Version: 70.0.3728.106
  • Product Version: 70.0.3728.106
  • Language: English (United States)
  • Legal Copyright: Copyright Opera Software 2020

File Similarity (ssdeep match)

File Score
C:\program files\Opera\70.0.3728.133\opera.exe 96

Possible Misuse

The following table contains possible examples of opera.exe being misused. While opera.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proxy_ua_malware.yml - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality DRL 1.0
sigma proxy_ua_malware.yml - 'Opera' # Trojan Keragany DRL 1.0
sigma win_suspicious_outbound_kerberos_connection.yml - '\opera.exe' DRL 1.0
sigma dns_query_win_susp_ipify.yml - \opera.exe DRL 1.0
sigma file_event_win_mal_vhd_download.yml - opera.exe DRL 1.0
sigma net_connection_win_suspicious_outbound_kerberos_connection.yml - '\opera.exe' DRL 1.0
sigma posh_ps_access_to_browser_login_data.yml - '\Opera Software\Opera Stable\Login Data' DRL 1.0
sigma proc_creation_win_apt_hafnium.yml Image|endswith: 'Users\Public\opera\Opera_browser.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion.yml TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion.yml Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe' DRL 1.0
sigma registry_event_taskcache_entry.yml - '\TaskCache\Tree\Opera scheduled Autoupdate' DRL 1.0
sigma registry_event_taskcache_entry.yml - '\TaskCache\Tree\Opera scheduled assistant Autoupdate' DRL 1.0
sigma sysmon_process_hollowing.yml - '\opera.exe' DRL 1.0
malware-ioc exchange_exploitation |02886f9daa13f7d9855855048c54f1d6b1231b0a|Win32/Agent.ACUQ |Opera Cobalt Strike loader © ESET 2014-2018
malware-ioc exchange_exploitation |86.105.18[.]116 |Opera Cobalt Strike C&C & distribution server © ESET 2014-2018
malware-ioc exchange_exploitation |89.34.111[.]11 |Opera Cobalt Strike distribution server © ESET 2014-2018
malware-ioc nouns.txt opera © ESET 2014-2018
atomic-red-team index.md - Atomic Test #5: Simulating access to Opera Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Simulating access to Opera Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] MIT License. © 2018 Red Canary
atomic-red-team T1071.001.md Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null MIT License. © 2018 Red Canary
atomic-red-team T1071.001.md #{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1071.001.md curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Google Chrome’s and Opera’s Bookmarks file (on Windows distributions) that contains bookmarks. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md - Atomic Test #5 - Simulating access to Opera Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ## Atomic Test #5 - Simulating access to Opera Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Simulates an adversary accessing encrypted credentials from Opera web browser’s login database. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Opera must be installed MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Invoke-WebRequest -OutFile $env:temp\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Stop-Process -Name "opera" MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Opera login data file must exist MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if (Test-Path "$env:APPDATA\Opera Software\Opera Stable\Login Data") {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login Data" -ItemType File MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s2 = "Opera.exe" fullword wide CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s6 = "Copyright Opera Software 1995-" fullword wide CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s9 = "Opera Internet Browser" fullword wide CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s12 = "Opera Software" fullword wide CC BY-NC 4.0
signature-base apt_buckeye.yar $s1 = "Opera Software\Opera Stable\Login Data" fullword wide CC BY-NC 4.0
signature-base apt_dragonfly.yar $s1 = "\AppData\Roaming\Opera Software\Opera Stable\Login Data" fullword wide CC BY-NC 4.0
signature-base apt_dragonfly.yar $s5 = "******** Opera ***********" fullword wide CC BY-NC 4.0
signature-base apt_telebots.yar $s6 = "Opera old version credentials" fullword wide CC BY-NC 4.0
signature-base crime_credstealer_generic.yar $s3 = "%s\Opera Software\Opera Stable\Login Data" fullword ascii CC BY-NC 4.0
signature-base crime_credstealer_generic.yar $s10 = "%s\Opera\Opera\profile\wand.dat" fullword ascii CC BY-NC 4.0
signature-base crime_envrial.yar $a1 = "\Opera Software\Opera Stable\Login Data" fullword wide CC BY-NC 4.0
signature-base crime_ransom_ragna_locker.yar $s3 = "Opera Software" fullword wide /* Don't touch browsers for contact him*/ CC BY-NC 4.0
signature-base crime_socgholish.yar $a3 = "Opera" ascii CC BY-NC 4.0
signature-base general_cloaking.yar and not filepath contains "Opera" CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = "softwares.opera(" fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.