opera.exe

  • File Path: C:\Program Files\Opera\opera.exe
  • Description: Opera Internet Browser

Screenshot: opera.exe (image not reproduced)

Hashes

Type Hash
MD5 E0639D77B61005C1AC3031630591AADD
SHA1 DB7934EF2B106DB19B0B9272355CF34EC62DE71B
SHA256 8E7DF6927A8CC697945FAFC77CDA348D4A6811C519311E2A5F56EC26B5E4A60B
SHA384 78A43EF4721AE5FA4ADD9D97A1B6930C2E4C4E4138BD81B2D4E8C8512C31F3943A1B5D2DD56E1B1637FF6B6EF592D98E
SHA512 06A148B705DDFBCEF2A05F138F8224480CA5F3667DEC173CFEB2FE746EB4BEC641DC3F766B1D9E3767D8725B9F50AC99B81F1C73F4DE66B071F0319C740AF791
SSDEEP 24576:cZjRywiARFxLpyI229tUswLxzPZrmT4AFUj2s:cZjRyMFx9X22QsslJmT4/
IMP 7242815B741D06B2E808FC4737B667C1
PESHA1 D2B987E6274E23DCB200B57D2C215AF67695F1A7
PE256 E9D8F9764E94803662F9A4983048FF5AB5D51E931EBD9749ABB0C0FA57A65A4F
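As an added example (not Strontic's own tooling and not part of the original page), the following Python checks a local copy of opera.exe against the MD5/SHA1/SHA256/SHA384/SHA512 values in the table above in a single pass over the file. The default path is an assumption taken from the page header; SSDEEP, IMP, PESHA1 and PE256 need third-party libraries and are deliberately left out.

```python
import hashlib
import sys

# Expected digests for opera.exe 81.0.4196.31, copied from the Hashes table
# above. Keys are hashlib algorithm names.
EXPECTED_OPERA_EXE = {
    "md5": "E0639D77B61005C1AC3031630591AADD",
    "sha1": "DB7934EF2B106DB19B0B9272355CF34EC62DE71B",
    "sha256": "8E7DF6927A8CC697945FAFC77CDA348D4A6811C519311E2A5F56EC26B5E4A60B",
    "sha384": "78A43EF4721AE5FA4ADD9D97A1B6930C2E4C4E4138BD81B2D4E8C8512C31F3943A1B5D2DD56E1B1637FF6B6EF592D98E",
    "sha512": "06A148B705DDFBCEF2A05F138F8224480CA5F3667DEC173CFEB2FE746EB4BEC641DC3F766B1D9E3767D8725B9F50AC99B81F1C73F4DE66B071F0319C740AF791",
}


def hash_stream(chunks, algorithms):
    """Feed every chunk to all requested hashers so a large PE is read once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests(path, algorithms, chunk_size=1 << 20):
    """Hash a file on disk in chunk_size pieces."""
    with open(path, "rb") as fh:
        return hash_stream(iter(lambda: fh.read(chunk_size), b""), algorithms)


def compare(actual, expected):
    """Per-algorithm verdict; hex digests are compared case-insensitively."""
    return {name: actual.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


def verify_file(path, expected=EXPECTED_OPERA_EXE):
    """True only if every listed digest matches. A single mismatch means the
    file on disk is not the build this page describes (a newer release, a
    repack, or tampering); a matching set plus a valid Authenticode signature
    is what you want before trusting the binary."""
    verdict = compare(digests(path, expected.keys()), expected)
    return all(verdict.values()), verdict


if __name__ == "__main__":
    # Assumed default install path from the page header; override on the CLI.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\Opera\opera.exe"
    ok, verdict = verify_file(target)
    for name, matched in verdict.items():
        print(f"{name:7s} {'OK' if matched else 'MISMATCH'}")
    print("verified" if ok else "NOT the binary documented on this page")
```

Run it as `python verify_opera.py "C:\Program Files\Opera\opera.exe"`; a file that matches SHA256 but not MD5 never happens by accident, so treat any partial match as a transcription error in your expected values rather than as a near-miss.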

Runtime Data

Usage (stdout):

Opera 81.0.4196.31 Stable
Features available through command-line switches:
	--with-feature:adblock-snippets [Enabled by default: true]
	--with-feature:automatic-video-popout [Enabled by default: false]
	--with-feature:enhanced-address-bar [Enabled by default: false]
	--with-feature:bookmarks-trash-cleaner [Enabled by default: true]
	--with-feature:cashback [Enabled by default: false]
	--with-feature:cashback-all-workspaces [Enabled by default: false]
	--with-feature:cashback-extension-download [Enabled by default: false]
	--with-feature:dify [Enabled by default: false]
	--with-feature:disable-media-indicator-in-power-save-mode [Enabled by default: false]
	--with-feature:easy-files-downloads-folder [Enabled by default: true]
	--with-feature:fast-tab-tooltip [Enabled by default: true]
	--with-feature:global-vpn-throttle [Enabled by default: true]
	--with-feature:history-onboarding [Enabled by default: false]
	--with-feature:new-session-manager [Enabled by default: false]
	--with-feature:no-vpn-credentials-delay [Enabled by default: true]
	--with-feature:open-new-tabs-right-to-parent [Enabled by default: false]
	--with-feature:pinboard [Enabled by default: true]
	--with-feature:pinboard-local [Enabled by default: false]
	--with-feature:reader-mode [Enabled by default: true]
	--with-feature:sidebar-site-panel [Enabled by default: false]
	--with-feature:snap-meme-generator [Enabled by default: false]
	--with-feature:startpage-sync-banner [Enabled by default: false]
	--with-feature:static-tab-audio-indicator [Enabled by default: false]
	--with-feature:video-conferencing-popout [Enabled by default: true]
	--with-feature:video-conferencing-popout-tab-sharing [Enabled by default: false]
	--with-feature:workspaces-dnd [Enabled by default: false]
	--with-feature:yat-emoji-addresses [Enabled by default: false]
	--with-feature:yandex-zen-news [Enabled by default: false]
Press any key to continue . . . 

Child Processes:

launcher.exe

Window Title:

C:\Program Files\Opera\opera.exe

Open Handles:

Path Type
(RW-) C:\Program Files\Opera\81.0.4196.31 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\Program Files\Opera\opera.exe
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 0D31C23EB2249CE611B953FB16EA0D25
  • Thumbprint: 373CD800B048D39CE2057A09937093EA73BCDE5F
  • Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Opera Software AS, O=Opera Software AS, L=Oslo, C=NO, SERIALNUMBER=916 368 127, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=NO

File Metadata

  • Original Filename:
  • Product Name: Opera Internet Browser
  • Company Name: Opera Software
  • File Version: 81.0.4196.31
  • Product Version: 81.0.4196.31
  • Language: English (United States)
  • Legal Copyright: Copyright Opera Software 2021
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/8e7df6927a8cc697945fafc77cda348d4a6811c519311e2a5f56ec26b5e4a60b/detection

File Similarity (ssdeep match)

File Score
C:\Program Files\Opera\81.0.4196.31\opera.exe 100

Possible Misuse

The following table lists detection rules, IOC sets and test cases that reference Opera or opera.exe. opera.exe itself is not malicious; the entries below mostly describe malware that borrows Opera's name or user-agent string (the Sality 'Opera/8.81 ...' UA, HAFNIUM's Users\Public\opera\Opera_browser.exe), stealers that read Opera's 'Login Data' credential store, and the atomic-red-team tests that simulate those behaviours. Opera's own Run-key entry and scheduled update tasks also appear, since the ASEP and TaskCache rules name them explicitly.

Source Source File Example License
sigma proxy_ua_malware.yml - 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality DRL 1.0
sigma proxy_ua_malware.yml - 'Opera' # Trojan Keragany DRL 1.0
sigma win_suspicious_outbound_kerberos_connection.yml - '\opera.exe' DRL 1.0
sigma dns_query_win_susp_ipify.yml - \opera.exe DRL 1.0
sigma file_event_win_mal_vhd_download.yml - opera.exe DRL 1.0
sigma net_connection_win_suspicious_outbound_kerberos_connection.yml - '\opera.exe' DRL 1.0
sigma posh_ps_access_to_browser_login_data.yml - '\Opera Software\Opera Stable\Login Data' DRL 1.0
sigma proc_creation_win_apt_hafnium.yml Image|endswith: 'Users\Public\opera\Opera_browser.exe' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion.yml TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant' DRL 1.0
sigma registry_event_asep_reg_keys_modification_currentversion.yml Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe' DRL 1.0
sigma registry_event_taskcache_entry.yml - '\TaskCache\Tree\Opera scheduled Autoupdate' DRL 1.0
sigma registry_event_taskcache_entry.yml - '\TaskCache\Tree\Opera scheduled assistant Autoupdate' DRL 1.0
sigma sysmon_process_hollowing.yml - '\opera.exe' DRL 1.0
malware-ioc exchange_exploitation |02886f9daa13f7d9855855048c54f1d6b1231b0a|Win32/Agent.ACUQ |Opera Cobalt Strike loader © ESET 2014-2018
malware-ioc exchange_exploitation |86.105.18[.]116 |Opera Cobalt Strike C&C & distribution server © ESET 2014-2018
malware-ioc exchange_exploitation |89.34.111[.]11 |Opera Cobalt Strike distribution server © ESET 2014-2018
malware-ioc nouns.txt opera © ESET 2014-2018
atomic-red-team index.md - Atomic Test #5: Simulating access to Opera Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: Simulating access to Opera Login Data [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows] MIT License. © 2018 Red Canary
atomic-red-team T1071.001.md Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null MIT License. © 2018 Red Canary
atomic-red-team T1071.001.md #{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1071.001.md curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} MIT License. © 2018 Red Canary
atomic-red-team T1217.md - Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell MIT License. © 2018 Red Canary
atomic-red-team T1217.md ## Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell MIT License. © 2018 Red Canary
atomic-red-team T1217.md Searches for Google Chrome’s and Opera’s Bookmarks file (on Windows distributions) that contains bookmarks. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md - Atomic Test #5 - Simulating access to Opera Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ## Atomic Test #5 - Simulating access to Opera Login Data MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Simulates an adversary accessing encrypted credentials from Opera web browser’s login database. MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Opera must be installed MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Invoke-WebRequest -OutFile $env:temp\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Stop-Process -Name "opera" MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md ##### Description: Opera login data file must exist MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md if (Test-Path "$env:APPDATA\Opera Software\Opera Stable\Login Data") {exit 0} else {exit 1} MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login Data" -ItemType File MIT License. © 2018 Red Canary
signature-base apt_apt30_backspace.yar $s2 = "Opera.exe" fullword wide CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s6 = "Copyright Opera Software 1995-" fullword wide CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s9 = "Opera Internet Browser" fullword wide CC BY-NC 4.0
signature-base apt_apt30_backspace.yar $s12 = "Opera Software" fullword wide CC BY-NC 4.0
signature-base apt_buckeye.yar $s1 = "Opera Software\Opera Stable\Login Data" fullword wide CC BY-NC 4.0
signature-base apt_dragonfly.yar $s1 = "\AppData\Roaming\Opera Software\Opera Stable\Login Data" fullword wide CC BY-NC 4.0
signature-base apt_dragonfly.yar $s5 = "******** Opera ***********" fullword wide CC BY-NC 4.0
signature-base apt_telebots.yar $s6 = "Opera old version credentials" fullword wide CC BY-NC 4.0
signature-base crime_credstealer_generic.yar $s3 = "%s\Opera Software\Opera Stable\Login Data" fullword ascii CC BY-NC 4.0
signature-base crime_credstealer_generic.yar $s10 = "%s\Opera\Opera\profile\wand.dat" fullword ascii CC BY-NC 4.0
signature-base crime_envrial.yar $a1 = "\Opera Software\Opera Stable\Login Data" fullword wide CC BY-NC 4.0
signature-base crime_ransom_ragna_locker.yar $s3 = "Opera Software" fullword wide /* Don't touch browsers for contact him*/ CC BY-NC 4.0
signature-base crime_socgholish.yar $a3 = "Opera" ascii CC BY-NC 4.0
signature-base general_cloaking.yar and not filepath contains "Opera" CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = "softwares.opera(" fullword ascii CC BY-NC 4.0
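As an added example (written for this page, not Sigma's, Red Canary's or Strontic's own code), the Python below replays a few of the detections from the table over constructed telemetry: the Sality and Keragany user-agent stubs from proxy_ua_malware.yml, PowerShell access to Opera's Login Data store (posh_ps_access_to_browser_login_data.yml / T1555.003), and the HAFNIUM Users\Public\opera\Opera_browser.exe image path. It also adds one generalisation of its own, flagging any opera.exe that runs from outside the install directories named on this page. The event dictionaries, field names and rule labels are this example's assumptions, not a real log schema.

```python
import ntpath
from dataclasses import dataclass

# Where a genuine opera.exe lives (page header and the atomic-red-team
# preconditions in the table); compared case-insensitively.
KNOWN_OPERA_DIRS = (
    r"c:\program files\opera",
    r"c:\program files (x86)\opera",
    r"\appdata\local\programs\opera",   # %LOCALAPPDATA%\Programs\Opera
)

# User-agent stubs from sigma proxy_ua_malware.yml, matched exactly: a real
# Opera UA is a long Mozilla/5.0 ... OPR/<version> string, not a bare "Opera".
MALWARE_USER_AGENTS = {
    "Opera/8.81 (Windows NT 6.0; U; en)": "Sality",
    "Opera": "Trojan Keragany",
}
LOGIN_DATA = r"\Opera Software\Opera Stable\Login Data"   # T1555.003 target
HAFNIUM_IMAGE = r"Users\Public\opera\Opera_browser.exe"   # proc_creation_win_apt_hafnium.yml


@dataclass
class Alert:
    rule: str
    detail: str


def check_proxy(ev):
    ua = ev.get("c-useragent", "")
    if ua in MALWARE_USER_AGENTS:
        return [Alert("proxy_ua_malware", f"{MALWARE_USER_AGENTS[ua]} UA {ua!r}")]
    return []


def check_process(ev):
    alerts = []
    image = ev.get("Image", "")
    low = image.lower()
    if low.endswith(HAFNIUM_IMAGE.lower()):
        alerts.append(Alert("proc_creation_win_apt_hafnium", image))
    elif ntpath.basename(low) == "opera.exe" and not any(
            d + "\\" in low for d in KNOWN_OPERA_DIRS):
        # This example's own generalisation of the HAFNIUM rule: an opera.exe
        # launched from anywhere other than its known install directories.
        alerts.append(Alert("opera_outside_install_dir", image))
    if LOGIN_DATA.lower() in ev.get("CommandLine", "").lower():
        alerts.append(Alert("posh_ps_access_to_browser_login_data", ev["CommandLine"]))
    return alerts


def check_script_block(ev):
    text = ev.get("ScriptBlockText", "")
    if LOGIN_DATA.lower() in text.lower():
        return [Alert("posh_ps_access_to_browser_login_data", text)]
    return []


CHECKS = {"proxy": check_proxy, "process_creation": check_process,
          "script_block": check_script_block}


def run_rules(events):
    """Apply the checks for each event's type; alerts come back in event order."""
    alerts = []
    for ev in events:
        alerts.extend(CHECKS.get(ev.get("type"), lambda _e: [])(ev))
    return alerts


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"type": "proxy", "cs-host": "update.example.test",
     "c-useragent": "Opera/8.81 (Windows NT 6.0; U; en)"},
    {"type": "proxy", "cs-host": "www.example.test",
     "c-useragent": "Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.18"},
    {"type": "process_creation", "Image": r"C:\Program Files\Opera\opera.exe",
     "CommandLine": r'"C:\Program Files\Opera\opera.exe" --with-feature:reader-mode'},
    {"type": "process_creation", "Image": r"C:\Users\Public\opera\Opera_browser.exe",
     "CommandLine": r"C:\Users\Public\opera\Opera_browser.exe"},
    {"type": "process_creation", "Image": r"C:\Users\bob\AppData\Local\Temp\opera.exe",
     "CommandLine": r"C:\Users\bob\AppData\Local\Temp\opera.exe"},
    {"type": "script_block",
     "ScriptBlockText": r'Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp'},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The benign events (a full-length Opera user agent, opera.exe under C:\Program Files\Opera) produce nothing; the other four each raise one alert. The user-agent check is an exact match on purpose: the Sigma entries are short stubs that no current Opera build sends, so substring matching on "Opera" would fire on every real Opera user.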

MIT License. Copyright (c) 2020-2021 Strontic.