{
	"id": "d7ff796a-655a-4269-b706-ca8b27f099de",
	"created_at": "2026-04-06T00:13:24.348383Z",
	"updated_at": "2026-04-10T13:12:04.372412Z",
	"deleted_at": null,
	"sha1_hash": "c4ed56d311e13b5c7ee7afa143fc293ac4b0263e",
	"title": "Ares Banking Trojan adds the old Qakbot DGA | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 395464,
	"plain_text": "Ares Banking Trojan adds the old Qakbot DGA | Zscaler\r\nBy Brett Stone-Gross\r\nPublished: 2022-09-06 · Archived: 2026-04-05 14:20:21 UTC\r\nSummary: ThreatLabz observed an update to the Ares banking trojan that introduces a domain generation\r\nalgorithm (DGA), which mirrors the Qakbot DGA. Based on analyzing the malware code, there does not appear to\r\nbe a direct link between these two malware families. The Ares DGA may be an effort for the threat actor to\r\nmaximize the lifetime of an infection, which provides more opportunities for monetizing compromised systems\r\nthrough attacks such as wire fraud and ransomware.\r\nKey Points\r\nThe Ares banking trojan received new updates in August 2022 including a domain generation algorithm\r\n(DGA) that is used as a fallback in the event the primary command-and-control (C2) communication\r\nchannel is unreachable.\r\nThe domain generation algorithm implementation is virtually identical to the Qakbot banking trojan’s\r\ndefunct DGA algorithm.\r\nThe DGA algorithm is based on a hardcoded seed and the current date. The algorithm generates 50\r\ndomains per interval (150 domains per month) and uses the daytime protocol to obtain the date.\r\nBased on reverse engineering Ares, the DGA appears to be a reimplementation of Qakbot’s algorithm\r\nrather than sharing the same codebase.\r\nThe Ares banking trojan is currently being used to target financial institutions in Mexico.\r\nZscaler ThreatLabz has been tracking developments to the Ares banking trojan, which emerged in February 2021.\r\nAres is based on the Osiris malware family, which in turn, was forked from the original Kronos banking trojan.\r\nThreat actors that utilize Ares had been inactive from approximately March 2022 to June 2022. However, there is\r\na new version of Ares that was released in August 2022 that adds new features. These new Ares samples were\r\ncompiled on August 15, 2022 and implement a domain generation algorithm. 
The introduction of a DGA is not by\r\nitself novel. However, the DGA algorithm is particularly interesting because it is nearly identical to the DGA that\r\nwas implemented by the Qakbot banking trojan.\r\nTechnical Analysis\r\nAres samples contain one or more hardcoded URLs that are used as the primary C2 channel. In new versions of\r\nAres, the malware will make up to 50 attempts to contact the primary C2 servers. If these C2 channels are\r\nunreachable, Ares will generate domains using a DGA. An example code comparison between the Ares DGA and\r\nQakbot DGA is shown in Figure 1.\r\nhttps://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga\r\nPage 1 of 10\n\nFigure 1. Code comparison between the DGAs of Ares (left) and Qakbot (right)\r\nThe primary differences between the Ares DGA and the Qakbot DGA are the former generates 50 domains per\r\ninterval while the old Qakbot algorithm generated 5,000 domains. In addition, Ares uses the daytime protocol via\r\nTCP port 13 to retrieve the current day from one of the following servers:\r\ntime-a.nist.gov\r\ntime-a-g.nist.gov\r\ntime.nist.gov\r\nAres will try each NIST daytime server up to three times. The response from the NIST server is similar to the\r\nfollowing:\r\n59820 22-08-29 23:18:13 50 0 0 593.0 UTC(NIST) * \r\nIn contrast, the Qakbot DGA obtained the current date from public web servers including google.com, cnn.com,\r\nand microsoft.com. Similar to Qakbot, Ares converts the response from the daytime server to a string with the\r\nformat Date: %a, %d %b %Y 00:00:00 GMT. An example string in this format is Date: Mon, 29 Aug 2022\r\n00:00:00 GMT.\r\nFrom this point forward, the algorithm is identical to Qakbot. The date string is converted to the format\r\n%u.%s.%s.%08x. 
The first parameter is an integer in the range between 0 and 2 (depending on the day of the\r\nmonth), followed by the abbreviated month converted to lowercase, followed by the year and a hardcoded\r\nconstant. In the Ares samples analyzed by ThreatLabz, the magic constant was 0x9283920. Conversely, Qakbot\r\ntypically hardcoded this magic value to 0 or 1. An example string in this format is 2.aug.2022.09283920. This\r\nstring is then passed to a CRC32 hash function to produce an integer value that is used as a seed to a Mersenne\r\nTwister pseudorandom number generator. The Mersenne Twister generates random integers that are used as an\r\nindex to choose a sequence of lowercase alphabetic characters. The algorithm will produce a domain that is\r\nbetween 8 and 25 characters in length appended with a hardcoded top-level domain (TLD). The TLD is chosen by\r\nsplitting the string com;net;org;info;biz;org (note the double use of the .org TLD) into an array and using the\r\nMersenne Twister PRNG to choose an integer value as an index into the array. The algorithm splits the set of 50\r\ndomains into three time intervals. The first two intervals have a validity of 10 days, while the domains in the last\r\ninterval are valid from 8 to 11 days depending on the number of days in the month. Therefore, Ares will generate\r\n150 potential C2 domains per month. 
Example domains generated for August 29, 2022 by Ares are shown below\r\nin Table 1.\r\n \r\ntruktkqrhbqid.com afthptslohtxez.info sqahzasvxlfqfgmbhaprfa.org\r\nivdcsnrjyve.biz ozwltevtjzxjt.biz ysqoogvpyldzmpfrzcqy.biz\r\nuippsfkjsfava.info zzmlwansfyuccivdfscnhcsr.com tswcpdxiaaz.com\r\nllbkeikzi.com axowplsnwlipfvxsafeeqnjk.org bdwytmphgml.org\r\ndkqnlmmqhd.org dfzvvfzxxnzbuvjyapcvb.net dqbcfturck.info\r\nmsirddguztwcbgaeyjo.com wojwxbefozrxuaealwzv.org klvfokpnhhrcffzku.net\r\nlmdfbabllhzcfdomogl.org uimlehvhuwtckjgpdgig.net zkhedomcvpaiv.biz\r\nyzuzswfkybcmllnel.net kcmdsrapukosxvqnb.org fdymwocojutqlc.org\r\nvhfrymxypwcrxaioki.org affptoavdvnmqyf.biz sjnnzyad.net\r\nzahdnhgplnetn.org zkwdxdoycewkr.info cbimmnjplweqg.biz\r\niztlcqlnlkjnepx.biz qdavlycfepldabbu.info sqbnndxmoc.net\r\nwfnyzfwjlarffupafqh.org umgkxgjjccmkftfuyydsdt.com zayaugajoxoks.com\r\nwpioqqyhdttoymcxkredun.org hazovvbctmpkaigwzdbtpve.com mndfoyaki.net\r\njsnrmrzwiulbmjpniafmbsheu.com onfwmtjfntfzp.info ptltetfmogk.org\r\nksnicjvlrhzotedcdn.net lsuliwpuhovocjeyjxlggotft.info jznilwezhqwdp.info\r\njgxcvpxxvfkxkgyyxwkiszo.biz bytqndajubxkhqjy.org wgxhfkmetcwnxaqnlhce.info\r\nugnnzgbirvceq.org mxekahcaolryntmhrxpk.biz  \r\nTable 1. Ares DGA domains for August 29, 2022\r\nAt the time of publication, none of these domains currently resolve.\r\nAnalysis of the Ares code indicates that the algorithm was likely reimplemented rather than having access to the\r\nQakbot DGA source code. In fact, there is an open source C implementation of the Qakbot algorithm that is likely\r\nthe origin of the Ares implementation. In comparison, this open source implementation uses non-native Windows\r\nAPI functions for string operations (e.g., strcat, strlen, atoi, etc.), which is identical to Ares. 
On the other hand,\r\nQakbot uses Windows APIs including lstrcatA and lstrlenA.\r\nThreatLabz has modified a Python-based implementation of the Qakbot DGA authored by Johannes Bader to\r\ngenerate the Ares DGA domains. The Ares DGA tool is located in our GitHub repository here.\r\nWeb Inject Configuration\r\nThe Ares malware author appears to be testing web injects to insert HTML content and JavaScript into a targeted\r\nwebsite. While the Ares C2 server is not currently serving a dynamic web inject configuration, recent samples\r\ncontain the following hardcoded configuration targeting BBVA Mexico as shown below:\r\nset_url http*bbva*.mx* GP\r\ndata_before\r\ndata_end\r\ndata_inject\r\ndata_end\r\nDynamic API Hash Algorithm\r\nThe Ares malware author has altered the original Kronos source code to create new Windows API hash values for\r\ndynamically resolving NTDLL functions. The modification to the CRC64 algorithm is very slight, but sufficient to\r\nbypass static signatures that search for the previous Kronos hash values. In particular, the CRC64 polynomial\r\n(0xD800000000000000) was modified by setting the lower DWORD value from 0x00 to 0x10 as shown in Figure\r\n2.\r\nFigure 2. Ares import hashing algorithm with a modification to the standard CRC64 polynomial\r\nAs an example, the standard CRC64 hash value for the string sprintf is 5FE79276722143D0, while in the latest\r\nAres variant, the CRC64 hash value is DC1FC2878FEE79C0. Ares then utilizes the Kronos algorithm to map\r\nthese values to alphanumeric characters. ThreatLabz has implemented a Python script (available in our GitHub\r\nrepository) that can be used to generate these hash values. 
The full list of NTDLL API function names used by\r\nAres and the corresponding hash values is located in the Appendix.\r\nConclusion\r\nThe developer of Ares continues to add new features to the malware to make it more resilient to detection and\r\ndisruption. The implementation of Qakbot's DGA will allow a threat actor using Ares to easily deploy new C2\r\nservers and regain control of infected systems if the primary servers are taken down. This is likely an indicator\r\nthat further attacks are soon to follow.\r\nCloud Sandbox Detection\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the\r\ncampaign at various levels with the following threat names:\r\nWin32.Banker.Kronos\r\nWin32.Banker.Kronos.LZ\r\nIndicators of Compromise (IOC)\r\nIndicator Description\r\nbaae5bbaf2decf7af9b22c4d10f66c7c77c9ebc7b73476f7cbe449d2bba97ed9 Ares DGA variant SHA256\r\n31ed2ee200da9a35ab3868b3d2977e6b18bc49772d39c27d57a53b49b6e6fa4a Ares DGA variant SHA256\r\nhttp://tomolina[.]top/panel/connect.php Ares Hardcoded C2 URL\r\nThe domains generated by the Ares DGA for August 1, 2022 to December 31, 2022 are available here.\r\nAres Hash Values\r\nAPI Function Name Ares Hash Value\r\nLdrGetProcedureAddress Y3Y5E2P5S1S3D1U7\r\nLdrLoadDll F5R0Y0X7R5R3D8Y3\r\nNtAllocateVirtualMemory A6T2D7A2Q2R5B6T6\r\nNtClose F0D3C0A7F5T6P3A2\r\nNtCreateFile T1D7X7R5D7U6C6Q7\r\nNtCreateKey Q3C6Y3P7U6C6P2A3\r\nNtCreateSection P4H8Y3Q3B2Q0S7B7\r\nNtDebugActiveProcess Q3A7Q6R3H0G0B6B7\r\nNtDelayExecution D8B3B3T8A4F6P3T5\r\nNtDeleteFile S3Y3U5G1X0E2T3P7\r\nNtDeleteValueKey Y3G2G7G3B3D2P7F6\r\nNtDuplicateObject U6D1G5D8G1E3R6H4\r\nNtEnumerateValueKey Q6T4F5Q0F1S2G1Y5\r\nNtFreeVirtualMemory 
X3A2D5D5B4S7F3C4\r\nNtGetContextThread E3Y5Q4R2G7R4U3S5\r\nNtMapViewOfSection B4S3E6S5C6G5Y6Y6\r\nNtOpenEvent G2D4H0P5F5Q7Q0C0\r\nNtOpenFile T4X3U6U8E7Q0D3C7\r\nNtOpenProcess C0P7A7F2E0S3T7R2\r\nNtProtectVirtualMemory B4Y5P8D6B6H5X6Y3\r\nNtQueryDirectoryFile T5S2Y5T4C4F7U7H0\r\nNtQueryInformationFile B5A5U0Q7Y2Y3Q1E3\r\nNtQueryInformationProcess C4P7T3B7C7S4P6Q0\r\nNtQueryInformationThread C3Q6D4C4F6H3F2Y0\r\nNtQueryKey T5S7B2T7H1A2P4R5\r\nNtQueryObject X6U2A2E3Q3U0A7H1\r\nNtQuerySystemInformationEx U0Y1S6E3F0U7C3R8\r\nNtQueryValueKey E5H8F2Y6S2A6R1Y7\r\nNtQueryVirtualMemory U6G3B5G1F1T7S3E5\r\nNtReadVirtualMemory E7G2G4S8Y3Y4X3X3\r\nNtResumeThread P3U8P1B3P6E8D1U4\r\nNtSetContextThread Q2U4U2S2C3F3S8G1\r\nNtSetInformationFile P4Y2Q6Q1E6P5R6A3\r\nNtSetValueKey U5P3A7T2Q5P5S0F3\r\nNtSuspendThread G3R4B6T2T5A6Y8P7\r\nNtTerminateThread S4Q5T3G3R4F7Q6G4\r\nNtUnmapViewOfSection G4C3G4F6X7Y3D7H7\r\nNtWriteFile C8A3E5D4U3E2T3T5\r\nNtWriteVirtualMemory F0X2G2Q5B5Q6G3U6\r\nRtlAnsiStringToUnicodeString Y3S6P7G1H7H0C8G4\r\nRtlCompareUnicodeString U2H5G7F7B6A5P2F4\r\nRtlCreateUserThread F3A6S6D2B8B3X2C7\r\nRtlDeregisterWaitEx S7U1S0U0H7G2Q7E3\r\nRtlDosPathNameToNtPathName_U G3B2Q3G0B6A7D0P5\r\nRtlFreeAnsiString X2X7C3S2R2B4S0X4\r\nRtlFreeUnicodeString T1H6C8A2R2C3T7S8\r\nRtlInitAnsiString D1X1G3A7Q6T0U3U1\r\nRtlInitUnicodeString D6G5P3A8R3G3Y4Q1\r\nRtlRandomEx R7T6F8E2G2B8B2Y4\r\nRtlRegisterWait R4C0F3R3P8Y1X6Y2\r\nRtlUnicodeStringToAnsiString B0U7C3F3D3B4X5T5\r\n_vsnprintf Y2X6H4E2U7B3G6T0\r\n_vsnwprintf T5C2D5Q2F2D6H0G3\r\n_wcsicmp E3C2R6D6R8Q4R2U7\r\n_wcsnicmp U3S3Y5P3F2S8Q4S5\r\nsprintf 
S4Y7R5G1G7T6F3R3\r\nSource: https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga"
	],
	"report_names": [
		"ares-banking-trojan-learns-old-tricks-adds-defunct-qakbot-dga"
	],
	"threat_actors": [],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4ed56d311e13b5c7ee7afa143fc293ac4b0263e.pdf",
		"text": "https://archive.orkl.eu/c4ed56d311e13b5c7ee7afa143fc293ac4b0263e.txt",
		"img": "https://archive.orkl.eu/c4ed56d311e13b5c7ee7afa143fc293ac4b0263e.jpg"
	}
}