opera.exe

File Path: C:\Program Files\Opera\71.0.3770.171\opera.exe
Description: Opera Internet Browser

Screenshot

opera.exe

Hashes

Type	Hash
MD5	`FECED32DA54213875400A87196C61233`
SHA1	`EA76E94BAA1C23B76E3B14E6AA9DEE6F3AFCA12D`
SHA256	`B1B08564EDA71D5442BD43E8260878D2971CC42A276A196B825CDF1439DA7FC3`
SHA384	`47D074727F8A638FD2A386BD6087A76532D5A93BF288F64101871BCEAA10504D28015297E7798FA1739C4E7028D0B2F6`
SHA512	`117080BD874B22A5958455238C24BA4AD0CDC2C0DF7E28ACBFF627B3055D864D34057350D21E717BAE75A80E013B50E5F27763BF67D2A222B7167D0FEAF1669A`
SSDEEP	`12288:bw/nvSikZ2xFPqIzJimxhwaBi82z5hHGkmLSluukPyq5eR5+nbojdfU39:ins2xkI1imxhVeKLSkuwyeCW9`
IMP	`4FCB68C6DA9F8547EAC0E5E83F13DDCB`
PESHA1	`BD4038183919CF077881BDF99627AD430CAE2CFA`
PE256	`3020CAD4195CA31AB988BB48ABE207AF40E412025461F8B68C16B75D5703A3F1`

Runtime Data

Usage (stdout):

Opera 71.0.3770.171 Stable
Features available through command-line switches:
	--with-feature:advanced-search-in-history [Enabled by default: true]
	--with-feature:enhanced-address-bar [Enabled by default: false]
	--with-feature:easy-files [Enabled by default: true]
	--with-feature:handle-abp-protocol [Enabled by default: true]
	--with-feature:history-onboarding [Enabled by default: false]
	--with-feature:instagram-panel [Enabled by default: true]
	--with-feature:lookalike-url-navigation-suggestions [Enabled by default: true]
	--with-feature:procedural-tab-drawing [Enabled by default: true]
	--with-feature:search-in-closed-tabs [Enabled by default: true]
	--with-feature:search-in-closed-tabs-show-more [Enabled by default: true]
	--with-feature:search-text-in-tabs [Enabled by default: true]
	--with-feature:sidebar-site-panel [Enabled by default: false]
	--with-feature:suggestion-scoring-improved [Enabled by default: true]
	--with-feature:sync-passphrase-papercuts [Enabled by default: true]
	--with-feature:tutorials [Enabled by default: false]
	--with-feature:weather-on-startpage [Enabled by default: true]
	--with-feature:workspaces [Enabled by default: true]
	--with-feature:workspaces-bookmark-context-menu [Enabled by default: true]
	--with-feature:workspaces-extended-menu [Enabled by default: false]
	--with-feature:workspaces-sidebar-context-menu [Enabled by default: true]
	--with-feature:workspaces-sidebar-notification [Enabled by default: true]
	--with-feature:workspaces-dnd [Enabled by default: false]
	--with-feature:yandex-zen-news [Enabled by default: false]
Press any key to continue . . . 

Child Processes:

launcher.exe

Window Title:

C:\Program Files\Opera\71.0.3770.171\opera.exe

Open Handles:

Path	Type
(RW-) C:\Program Files\Opera\71.0.3770.171	File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21	File
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters	Section

Loaded Modules:

Path
C:\Program Files\Opera\71.0.3770.171\opera.exe
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

Status: Signature verified.
Serial: 05F4210DB2B283A32FF2AED29FCB68A4
Thumbprint: 878B0B298671F44FC739C08D826BB22DB1A2A021
Issuer: CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Subject: CN=Opera Software AS, O=Opera Software AS, L=Oslo, C=NO, SERIALNUMBER=916 368 127, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=NO

File Metadata

Original Filename:
Product Name: Opera Internet Browser
Company Name: Opera Software
File Version: 71.0.3770.171
Product Version: 71.0.3770.171
Language: English (United States)
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/71
VirusTotal Link: https://www.virustotal.com/gui/file/b1b08564eda71d5442bd43e8260878d2971cc42a276a196b825cdf1439da7fc3/detection/

File Similarity (ssdeep match)

File	Score
C:\Program Files\Opera\70.0.3728.106\notification_helper.exe	33
C:\program files\Opera\70.0.3728.133\notification_helper.exe	32

Possible Misuse

The following table contains possible examples of opera.exe being misused. While opera.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proxy_ua_malware.yml	`- 'Opera/8.81 (Windows NT 6.0; U; en)' # Sality`	DRL 1.0
sigma	proxy_ua_malware.yml	`- 'Opera' # Trojan Keragany`	DRL 1.0
sigma	win_suspicious_outbound_kerberos_connection.yml	`- '\opera.exe'`	DRL 1.0
sigma	dns_query_win_susp_ipify.yml	`- \opera.exe`	DRL 1.0
sigma	file_event_win_mal_vhd_download.yml	`- opera.exe`	DRL 1.0
sigma	net_connection_win_suspicious_outbound_kerberos_connection.yml	`- '\opera.exe'`	DRL 1.0
sigma	posh_ps_access_to_browser_login_data.yml	`- '\Opera Software\Opera Stable\Login Data'`	DRL 1.0
sigma	proc_creation_win_apt_hafnium.yml	`Image\\|endswith: 'Users\Public\opera\Opera_browser.exe'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_currentversion.yml	`TargetObject\\|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'`	DRL 1.0
sigma	registry_event_asep_reg_keys_modification_currentversion.yml	`Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'`	DRL 1.0
sigma	registry_event_taskcache_entry.yml	`- '\TaskCache\Tree\Opera scheduled Autoupdate'`	DRL 1.0
sigma	registry_event_taskcache_entry.yml	`- '\TaskCache\Tree\Opera scheduled assistant Autoupdate'`	DRL 1.0
sigma	sysmon_process_hollowing.yml	`- '\opera.exe'`	DRL 1.0
malware-ioc	exchange_exploitation	`\\|`02886f9daa13f7d9855855048c54f1d6b1231b0a`\\|Win32/Agent.ACUQ \\|Opera Cobalt Strike loader`	© ESET 2014-2018
malware-ioc	exchange_exploitation	`\\|`86.105.18[.]116 `\\|“Opera Cobalt Strike” C&C & distribution server`	© ESET 2014-2018
malware-ioc	exchange_exploitation	`\\|`89.34.111[.]11 `\\|“Opera Cobalt Strike” distribution server`	© ESET 2014-2018
malware-ioc	nouns.txt	`opera`	© ESET 2014-2018
atomic-red-team	index.md	- Atomic Test #5: Simulating access to Opera Login Data [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #5: Simulating access to Opera Login Data [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #4: List Google Chrome / Opera Bookmarks on Windows with powershell [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1071.001.md	Invoke-WebRequest #{domain} -UserAgent “Opera/8.81 (Windows NT 6.0; U; en)” \| out-null	MIT License. © 2018 Red Canary
atomic-red-team	T1071.001.md	#{curl_path} -s -A “Opera/8.81 (Windows NT 6.0; U; en)” -m3 #{domain} >nul 2>&1	MIT License. © 2018 Red Canary
atomic-red-team	T1071.001.md	curl -s -A “Opera/8.81 (Windows NT 6.0; U; en)” -m3 #{domain}	MIT License. © 2018 Red Canary
atomic-red-team	T1217.md	- Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell	MIT License. © 2018 Red Canary
atomic-red-team	T1217.md	## Atomic Test #4 - List Google Chrome / Opera Bookmarks on Windows with powershell	MIT License. © 2018 Red Canary
atomic-red-team	T1217.md	Searches for Google Chrome’s and Opera’s Bookmarks file (on Windows distributions) that contains bookmarks.	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	- Atomic Test #5 - Simulating access to Opera Login Data	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	## Atomic Test #5 - Simulating access to Opera Login Data	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	Simulates an adversary accessing encrypted credentials from Opera web browser’s login database.	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	Copy-Item “$env:APPDATA\Opera Software\Opera Stable\Login Data” -Destination $env:temp	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	##### Description: Opera must be installed	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	if (((Test-Path “$env:LOCALAPPDATA\Programs\Opera\launcher.exe”) -Or (Test-Path “C:\Program Files\Opera\launcher.exe”) -Or (Test-Path “C:\Program Files (x86)\Opera\launcher.exe”))) {exit 0} else {exit 1}	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	Invoke-WebRequest -OutFile $env:temp\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	Stop-Process -Name “opera”	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	##### Description: Opera login data file must exist	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	if (Test-Path “$env:APPDATA\Opera Software\Opera Stable\Login Data”) {exit 0} else {exit 1}	MIT License. © 2018 Red Canary
atomic-red-team	T1555.003.md	New-Item -Path “$env:APPDATA\Opera Software\Opera Stable\Login Data” -ItemType File	MIT License. © 2018 Red Canary
signature-base	apt_apt30_backspace.yar	$s2 = “Opera.exe” fullword wide	CC BY-NC 4.0
signature-base	apt_apt30_backspace.yar	$s6 = “Copyright Opera Software 1995-“ fullword wide	CC BY-NC 4.0
signature-base	apt_apt30_backspace.yar	$s9 = “Opera Internet Browser” fullword wide	CC BY-NC 4.0
signature-base	apt_apt30_backspace.yar	$s12 = “Opera Software” fullword wide	CC BY-NC 4.0
signature-base	apt_buckeye.yar	$s1 = “Opera Software\Opera Stable\Login Data” fullword wide	CC BY-NC 4.0
signature-base	apt_dragonfly.yar	$s1 = “\AppData\Roaming\Opera Software\Opera Stable\Login Data” fullword wide	CC BY-NC 4.0
signature-base	apt_dragonfly.yar	$s5 = “****** Opera *********” fullword wide	CC BY-NC 4.0
signature-base	apt_telebots.yar	$s6 = “Opera old version credentials” fullword wide	CC BY-NC 4.0
signature-base	crime_credstealer_generic.yar	$s3 = “%s\Opera Software\Opera Stable\Login Data” fullword ascii	CC BY-NC 4.0
signature-base	crime_credstealer_generic.yar	$s10 = “%s\Opera\Opera\profile\wand.dat” fullword ascii	CC BY-NC 4.0
signature-base	crime_envrial.yar	$a1 = “\Opera Software\Opera Stable\Login Data” fullword wide	CC BY-NC 4.0
signature-base	crime_ransom_ragna_locker.yar	$s3 = “Opera Software” fullword wide /* Don’t touch browsers for contact him*/	CC BY-NC 4.0
signature-base	crime_socgholish.yar	$a3 = “Opera” ascii	CC BY-NC 4.0
signature-base	general_cloaking.yar	and not filepath contains “Opera”	CC BY-NC 4.0
signature-base	thor-hacktools.yar	$s1 = “softwares.opera(“ fullword ascii	CC BY-NC 4.0