win.karma

Karma


Ransomware. The public reporting listed below ties Karma to the Nemty code lineage (SentinelOne, 2021-10) and describes Nokoyawa as a later Karma/Nemty variant (Sentinel LABS, 2022-04); Sophos reported Karma being deployed against a healthcare provider through ProxyShell exploitation at the same time as a Conti intrusion (2022-02).

References
2022-04-21Sentinel LABSAntonis Terefos
Nokoyawa Ransomware | New Karma/Nemty Variant Wears Thin Disguise
Hive Karma Nemty Nokoyawa Ransomware
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-16SymantecSymantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-28SophosSean Gallagher
Conti and Karma actors attack healthcare provider at same time through ProxyShell exploits
Conti Karma
2021-11-22Youtube (OALabs)c3rb3ru5d3d53c, Sergei Frankoff
Introduction To Binlex A Binary Trait Lexer Library and Utility - Machine Learning First Steps...
Karma
2021-11-04BlackberryBlackBerry Research & Intelligence Team
Threat Thursday: Karma Ransomware
Karma
2021-10-18SentinelOneAntonis Terefos
Karma Ransomware | An Emerging Threat With A Hint of Nemty Pedigree
Karma Nemty
2021-08-24cybleCyble
A Deep-dive Analysis of KARMA Ransomware
Karma
Yara Rules
[TLP:WHITE] win_karma_auto (20260504 | Detects win.karma.)
rule win_karma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.karma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a short run of x86 (32-bit) opcode bytes taken from
        // the unpacked sample's disassembly. Per signator_config, call targets and
        // data references are masked with "??" (see the e8???????? / b9????????
        // entries in $sequence_3) so relocation and layout differences between
        // builds do not break the match. "n" is the instruction count of the
        // sequence; "score" is the generator's ranking, not a YARA weight.
        $sequence_0 = { 83c010 83f820 7ce5 33c0 }
            // n = 4, score = 100
            //   83c010               | add                 eax, 0x10
            //   83f820               | cmp                 eax, 0x20
            //   7ce5                 | jl                  0xffffffe7
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 0f8570ffffff 8b45f8 8b4df4 33d2 5f 66891471 8b4df0 }
            // n = 7, score = 100
            //   0f8570ffffff         | jne                 0xffffff76
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   33d2                 | xor                 edx, edx
            //   5f                   | pop                 edi
            //   66891471             | mov                 word ptr [ecx + esi*2], dx
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_2 = { d1f8 40 8d1400 660f1f440000 0fb70411 8d4902 668901 }
            // n = 7, score = 100
            //   d1f8                 | sar                 eax, 1
            //   40                   | inc                 eax
            //   8d1400               | lea                 edx, [eax + eax]
            //   660f1f440000         | nop                 word ptr [eax + eax]
            //   0fb70411             | movzx               eax, word ptr [ecx + edx]
            //   8d4902               | lea                 ecx, [ecx + 2]
            //   668901               | mov                 word ptr [ecx], ax

        $sequence_3 = { e8???????? 8b4e04 e8???????? eb16 e8???????? 33d2 b9???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   e8????????           |                     
            //   eb16                 | jmp                 0x18
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   b9????????           |                     

        $sequence_4 = { 0f1f4000 8b51fc 8d49fc 85d2 }
            // n = 4, score = 100
            //   0f1f4000             | nop                 dword ptr [eax]
            //   8b51fc               | mov                 edx, dword ptr [ecx - 4]
            //   8d49fc               | lea                 ecx, [ecx - 4]
            //   85d2                 | test                edx, edx

        $sequence_5 = { 83c102 8bf0 6685c0 75e3 85d2 }
            // n = 5, score = 100
            //   83c102               | add                 ecx, 2
            //   8bf0                 | mov                 esi, eax
            //   6685c0               | test                ax, ax
            //   75e3                 | jne                 0xffffffe5
            //   85d2                 | test                edx, edx

        $sequence_6 = { 668908 83c002 8a4dfd c645fe00 c645ff01 eb1f 807dff00 }
            // n = 7, score = 100
            //   668908               | mov                 word ptr [eax], cx
            //   83c002               | add                 eax, 2
            //   8a4dfd               | mov                 cl, byte ptr [ebp - 3]
            //   c645fe00             | mov                 byte ptr [ebp - 2], 0
            //   c645ff01             | mov                 byte ptr [ebp - 1], 1
            //   eb1f                 | jmp                 0x21
            //   807dff00             | cmp                 byte ptr [ebp - 1], 0

        // NOTE(review): this sequence keeps the absolute operand 0x4040b8 unmasked,
        // so it is tied to the image layout of the sample it was generated from;
        // expect it to drop out on rebuilt or differently based binaries.
        $sequence_7 = { 0f1f00 0f104405dc 0f1088b8404000 660fefc8 0f114c05dc }
            // n = 5, score = 100
            //   0f1f00               | nop                 dword ptr [eax]
            //   0f104405dc           | movups              xmm0, xmmword ptr [ebp + eax - 0x24]
            //   0f1088b8404000       | movups              xmm1, xmmword ptr [eax + 0x4040b8]
            //   660fefc8             | pxor                xmm1, xmm0
            //   0f114c05dc           | movups              xmmword ptr [ebp + eax - 0x24], xmm1

        $sequence_8 = { 0fb702 8d4902 668901 8d5202 6685c0 75ef 33c9 }
            // n = 7, score = 100
            //   0fb702               | movzx               eax, word ptr [edx]
            //   8d4902               | lea                 ecx, [ecx + 2]
            //   668901               | mov                 word ptr [ecx], ax
            //   8d5202               | lea                 edx, [edx + 2]
            //   6685c0               | test                ax, ax
            //   75ef                 | jne                 0xfffffff1
            //   33c9                 | xor                 ecx, ecx

        $sequence_9 = { 7469 8b01 8b4904 56 33f6 8945ec 894df0 }
            // n = 7, score = 100
            //   7469                 | je                  0x6b
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8b4904               | mov                 ecx, dword ptr [ecx + 4]
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx

    condition:
        // At least 7 of the 10 code sequences must be present, and the scanned
        // object must be smaller than 49208 bytes (sized to the unpacked sample).
        // Consequences for deployment: a packed dropper will not expose these
        // opcode runs, and an unpacked payload or memory dump larger than the
        // bound is rejected by the size clause even if all ten sequences match.
        // NOTE(review): `filesize` is defined for file scans; confirm how your
        // scanner evaluates it before relying on this rule against live process
        // memory.
        7 of them and filesize < 49208
}
[TLP:WHITE] win_karma_w0   (20211108 | Detects Karma Ransomware 2021)
import "pe"

rule win_karma_w0 {
    meta:
        author = "Blackberry Threat Research Team"
        description = "Detects Karma Ransomware 2021"
        date = "2021-10"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        source = "https://blogs.blackberry.com/en/2021/11/threat-thursday-karma-ransomware"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.karma"
        malpedia_rule_date = "20211108"
        malpedia_hash = ""
        malpedia_version = "20211108"
        malpedia_license = "Apache License 2.0"
        malpedia_sharing = "TLP:WHITE"
 
    strings:
        // Base64 of "Your network has been breached by Karma ransomware group." —
        // the first line of the ransom note as embedded in the sample. This is the
        // only family-specific string in the rule; everything under $x* is filler.
        // It only matches where the encoded note is present in cleartext, i.e. an
        // unpacked binary or a memory image, not a packed dropper.
        $s1 = "WW91ciBuZXR3b3JrIGhhcyBiZWVuIGJyZWFjaGVkIGJ5IEthcm1hIHJhbnNvbXdhcmUgZ3JvdXAu" ascii wide
        // Generic: the CryptoAPI DLL name, common in benign Windows executables.
        $x2 = "crypt32.dll" nocase
        // Case-sensitive (no `nocase`), unlike $x2 and $x4; matches the ASCII or
        // UTF-16LE literal "KARMA" only.
        $x3 = "KARMA" ascii wide
        // Generic: the Sleep import name, present in most Windows executables.
        $x4 = "Sleep" nocase                            

    condition:
        //PE File
        // Checks only the "MZ" magic. The `pe` module imported above this rule is
        // never referenced, so `pe.is_pe` is not evaluated and any file starting
        // with "MZ" satisfies this clause.
        uint16(0) == 0x5a4d and
        //Base64 Karma Note
        // The note string carries the detection; $x* narrows it only marginally.
        all of ($s*) and
        //All Strings
        all of ($x*)
}