b2c27d6e1352b70c181bb7a5f459434309499fd9fb4cab06aba76c04fb4610bc

General

Target

OperaGXSetup.exe
Size

5.7MB
MD5

bcbf7da55719d33eb8c25cb7a2448240
SHA1

fca937fe0204c50e0bf3b295d0375a9972345dfc
SHA256

b2c27d6e1352b70c181bb7a5f459434309499fd9fb4cab06aba76c04fb4610bc
SHA512

3f2fdda2f091b7d36bb1649d59450a777387d0e610c035ac25a0b0135c73f03bc4a33a8d26e1b857cb672fb5f33754a6e72ff951c39691c71cac0d1b55fcbe38
SSDEEP

98304:40NFN6666666666666666666666666666666x666666666666666fwwwwwwwwww9:iRsBd3K2OoT7tafGFxSiEmFgFP8gzQI+

Score

8^/10

spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4916	OperaGXSetup.exe
4564	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
964	assistant_installer.exe
760	assistant_installer.exe

Loads dropped DLL 3 IoCs

pid	Process
1932	OperaGXSetup.exe
3224	OperaGXSetup.exe
4916	OperaGXSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaGXSetup.exe
File opened (read-only)	\??\F:	OperaGXSetup.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	OperaGXSetup.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5024	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5024	vlc.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe
5024	vlc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1932	OperaGXSetup.exe
5024	vlc.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 3224	1932	OperaGXSetup.exe	93
PID 1932 wrote to memory of 3224	1932	OperaGXSetup.exe	93
PID 1932 wrote to memory of 3224	1932	OperaGXSetup.exe	93
PID 1932 wrote to memory of 4916	1932	OperaGXSetup.exe	94
PID 1932 wrote to memory of 4916	1932	OperaGXSetup.exe	94
PID 1932 wrote to memory of 4916	1932	OperaGXSetup.exe	94
PID 1932 wrote to memory of 4564	1932	OperaGXSetup.exe	104
PID 1932 wrote to memory of 4564	1932	OperaGXSetup.exe	104
PID 1932 wrote to memory of 4564	1932	OperaGXSetup.exe	104
PID 1932 wrote to memory of 964	1932	OperaGXSetup.exe	105
PID 1932 wrote to memory of 964	1932	OperaGXSetup.exe	105
PID 1932 wrote to memory of 964	1932	OperaGXSetup.exe	105
PID 964 wrote to memory of 760	964	assistant_installer.exe	106
PID 964 wrote to memory of 760	964	assistant_installer.exe	106
PID 964 wrote to memory of 760	964	assistant_installer.exe	106

C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe
  C:\Users\Admin\AppData\Local\Temp\OperaGXSetup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.98 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x74ae4260,0x74ae426c,0x74ae4278
  2⤵
  - Loads dropped DLL
  PID:3224
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe" --version
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405261543291\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405261543291\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405261543291\assistant\assistant_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405261543291\assistant\assistant_installer.exe" --version
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405261543291\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405261543291\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x10c4f48,0x10c4f58,0x10c4f64
    3⤵
    - Executes dropped EXE
    PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:1092

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RegisterTest.m1v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGXSetup.exe

Filesize
5.7MB

MD5
bcbf7da55719d33eb8c25cb7a2448240

SHA1
fca937fe0204c50e0bf3b295d0375a9972345dfc

SHA256
b2c27d6e1352b70c181bb7a5f459434309499fd9fb4cab06aba76c04fb4610bc

SHA512
3f2fdda2f091b7d36bb1649d59450a777387d0e610c035ac25a0b0135c73f03bc4a33a8d26e1b857cb672fb5f33754a6e72ff951c39691c71cac0d1b55fcbe38

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405261543291\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202405261543291\assistant\assistant_installer.exe

Filesize
1.8MB

MD5
4c8fbed0044da34ad25f781c3d117a66

SHA1
8dd93340e3d09de993c3bc12db82680a8e69d653

SHA256
afe569ce9e4f71c23ba5f6e8fd32be62ac9538e397cde8f2ecbe46faa721242a

SHA512
a04e6fd052d2d63a0737c83702c66a9af834f9df8423666508c42b3e1d8384300239c9ddacdc31c1e85140eb1193bcfac209f218750b40342492ffce6e9da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2405261543210541932.dll

Filesize
5.2MB

MD5
b475e76899deb89d881b9cea475ff960

SHA1
840f53d36f18437b782b382e088e6d30dca627e1

SHA256
a3e9972d2e8213f71e742d3d1f2a0e738c99e3678e61a1262226d5d35e8819bf

SHA512
2ba854f1f272c26e476e0cd7507e48ad5c809be4529982d935749e5a620dfc1b3dca692820dc222acaebd01b1ffa67a7bd7471dc49662ecdfc498d9e01523865

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports\settings.dat

Filesize
40B

MD5
afb5f124386b397b9a20e488d348e7d4

SHA1
d556f5216d962e0c8e909b15b0a6e0e7d2b218ab

SHA256
446786c12c2dac510660bd8d126c4c7b27ee0ebb6fececeb0765c2ae4600722d

SHA512
597aa05cee500ab64df97541642cd652a48bed47d7e18248c4c5f451adf41c0f88e2df28da1c817036bc3e6d7558718699157fb415a37cbfeaea470b9d989b63

Download Submit
memory/5024-107-0x00007FFEE6AC0000-0x00007FFEE6AD1000-memory.dmp

Filesize
68KB

Download
memory/5024-104-0x00007FFEE77C0000-0x00007FFEE77D7000-memory.dmp

Filesize
92KB

Download
memory/5024-102-0x00007FFED6040000-0x00007FFED62F4000-memory.dmp

Filesize
2.7MB

Download
memory/5024-106-0x00007FFEE6E90000-0x00007FFEE6EA7000-memory.dmp

Filesize
92KB

Download
memory/5024-109-0x00007FFED8170000-0x00007FFED8181000-memory.dmp

Filesize
68KB

Download
memory/5024-108-0x00007FFEDE900000-0x00007FFEDE91D000-memory.dmp

Filesize
116KB

Download
memory/5024-110-0x00007FFED5E40000-0x00007FFED6040000-memory.dmp

Filesize
2.0MB

Download
memory/5024-101-0x00007FFEE6F50000-0x00007FFEE6F84000-memory.dmp

Filesize
208KB

Download
memory/5024-105-0x00007FFEE6EB0000-0x00007FFEE6EC1000-memory.dmp

Filesize
68KB

Download
memory/5024-100-0x00007FF60C530000-0x00007FF60C628000-memory.dmp

Filesize
992KB

Download
memory/5024-103-0x00007FFEE7B80000-0x00007FFEE7B98000-memory.dmp

Filesize
96KB

Download
memory/5024-116-0x00007FFED4CE0000-0x00007FFED4CF1000-memory.dmp

Filesize
68KB

Download
memory/5024-115-0x00007FFED4D00000-0x00007FFED4D11000-memory.dmp

Filesize
68KB

Download
memory/5024-112-0x00007FFED4D50000-0x00007FFED4D8F000-memory.dmp

Filesize
252KB

Download
memory/5024-117-0x00007FFED4CC0000-0x00007FFED4CD1000-memory.dmp

Filesize
68KB

Download
memory/5024-114-0x00007FFED8150000-0x00007FFED8168000-memory.dmp

Filesize
96KB

Download
memory/5024-113-0x00007FFED4D20000-0x00007FFED4D41000-memory.dmp

Filesize
132KB

Download
memory/5024-118-0x00007FFED4640000-0x00007FFED47F2000-memory.dmp

Filesize
1.7MB

Download
memory/5024-111-0x00007FFED4D90000-0x00007FFED5E3B000-memory.dmp

Filesize
16.7MB

Download

Analysis

Sharing