{
	"id": "0d962a09-6485-4c3f-8461-6fd9b6809b82",
	"created_at": "2026-04-06T00:10:50.74099Z",
	"updated_at": "2026-04-10T03:20:49.152157Z",
	"deleted_at": null,
	"sha1_hash": "efec6c11ab4288efe48c7dd372c256ca41c8f833",
	"title": "Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38175,
	"plain_text": "Trickbot rdpscanDll – Transforming Candidate Credentials for\r\nBrute-Forcing RDP Servers\r\nArchived: 2026-04-05 21:49:39 UTC\r\nEmptyPass   tries an empty password GetHost   fills in the hostname of the currently attacked IP (ex: myhost) IP  \r\nthe currently attacked IP address (ex: 234.234.234.234) Port   fills in the currently attacked port (ex: 3389)\r\nIpReplaceDot 234.234.234.234 → 234234234234 remove the dots of the IP address RemoveNumerics us3rn4me\r\n→ usrnme removes all numbers from the username RemoveLetters us3rn4m3 → 343 removes all letters from the\r\nusername RemoveOtherSymbols usern@m3 → usernm3 removes all non-alphanumeric characters from the\r\nusername OriginalUsernameLettersBeginInverse 123admin456 → 123654nimda keeps all non-letters (i.e. digits,\r\nspecial chars) at the beginning of the username and reverses the rest (“invert [from where] letters begin”)\r\nOriginalUsernameLettersBeginSwap 123admin456 → admin456123 swaps all non-letters (i.e. digits, special\r\nchars) at the beginning of the username with the rest (“swap [where] letters begin”)\r\nOriginalUsernameLettersEndInverse admin123root → admintoor321 keeps all letters at the beginning of the\r\nusername and reverses the rest (“invert [where] letters end”) OriginalUsernameLettersEndSwap admin123root →\r\n123rootadmin swaps all letters at the beginning of the username with the rest (“swap [where] letters end”)\r\nOriginalUsernameNumsBeginInverse admin123root → admintoor321 keeps all non-digits at the beginning of the\r\nusername and reverses the rest (“invert [from where] nums begin”) OriginalUsernameNumsBeginSwap\r\nadmin123root → admintoor321 swaps all non-digits at the beginning of the username with the rest (“swap\r\n[where] nums begin”) OriginalUsernameNumsEndInverse 123admin → 123nimda keeps all digits at the\r\nbeginning of the username and reverses the rest (“invert [where] nums end”) OriginalUsernameNumsEndSwap\r\n123admin456 → admin456123 swaps all digits 
at the beginning of the username with the rest (“swap [where]\r\nnums end”) OriginalUsernameInsert %OriginalUsernameInsert%(N)SOMESTRING → SOMEusernameSTRING\r\n(ex: N = 4) insert username after Nth character of SOMESTRING OriginalUsername   use the username as\r\npassword OnlyName Firstname Lastname → Firstname uses only the first name (everything left of the first space)\r\nof the username as password OnlySurname Firstname Lastname → Lastname uses only the last name (everything\r\nright of the first space) of the username as password username Admin → admin username in lowercase Username\r\nAdMin → Admin username lowercase but first char upper UsErNaMe Admin → AdMiN username in alternating\r\ncase, starting with uppercase uSeRnAmE Admin → aDmIn username in alternating case, starting with lowercase\r\nUSERNAME Admin → ADMIN username in uppercase EMANRESU Admin → NIMDA username in uppercase\r\nand reversed EmanresuLowercase AdMin → Nimda username reversed and lowercase, first char uppercase\r\nEmanresu AdMin → NiMdA username reversed, first char upper emanresuLowercase AdMin → nimda username\r\nreversed and lowercase emanresuUppercase AdMin → NIMDA username reversed and uppercase emanresu\r\nAdmin → nimda username reversed and lowercase ReplaceFirst_X-x administrator → @dministrator (ex:\r\n%ReplaceFirst_a-@%) replaces the first occurrence of X with x in the username (needle and replacement can be\r\nmore than 1 char) ReplaceFirstI_X-x Administrator → @dministrator (ex: %ReplaceFirstI_a-@%) case\r\ninsensitively replaces the first occurrence of X with x in the username (needle and replacement can be more than 1\r\nchar) ReplaceLast_X-x administrator → @dministrator (ex: %ReplaceLast_a-@%) replaces the last occurrence of\r\nX with x in the username (needle and replacement can be more than 1 char) ReplaceLastI_X-x Administrator →\r\n@dministrator (ex: %ReplaceLastI_a-@%) case 
insensitively replaces the last occurrence of X with x in the\r\nusername (needle and replacement can be more than 1 char) ReplaceAll_X-x administrator → @dministrator (ex:\r\n%ReplaceAll_a-@%) replaces all occurrences of X with x in the username (needle and replacement can be more\r\nthan 1 char) ReplaceAllI_X-x Administrator → @dministrator (ex: %ReplaceAllI_a-@%) case insensitively\r\nreplaces all occurrences of X with x in the username (needle and replacement can be more than 1 char)\r\nDomainRemoveNumerics test-123.com → test-.com removes all digits from the domain DomainRemoveLetters\r\ntest-123.com → -123. removes all letters from the domain DomainRemoveOtherSymbols test-123.com →\r\ntest123com removes all non-alphanum chars from the domain OriginaldomainInsert %OriginaldomainInsert%\r\n(N)SOMESTRING → SOMEdomainSTRING (ex: N = 4) insert domain after Nth character of SOMESTRING\r\nOriginaldomainPart test-123.com → 123com (ex: %OriginaldomainPart%(6)) takes the last N chars of the domain\r\nname (ignoring any dots) OriginaldomainNumsBeginInverse test-123.com → test-moc.321 keeps all non-digits at\r\nthe beginning of the domain and reverses the rest (“invert [from where] nums begin”)\r\nOriginaldomainNumsBeginSwap test-123.com → 123.comtest- swaps all non-digits at the beginning of the\r\ndomain with the rest (“swap [where] nums begin”) OriginaldomainNumsEndInverse 123-test.com →\r\n123moc.tset- keeps all digits at the beginning of the domain and reverses the rest (“invert [where] nums end”)\r\nOriginaldomainNumsEndSwap 123-test.com → -test.com123 swaps all digits at the beginning of the domain with\r\nthe rest (“swap [where] nums end”) OriginaldomainLettersBeginInverse test-123.com → test-moc.321 keeps all\r\nnon-letters (i.e. digits, special chars) at the beginning of the domain and reverses the rest (“invert [from where]\r\nletters begin”) OriginaldomainLettersBeginSwap 123-test.com → test.com123- swaps all non-letters (i.e. 
digits,\r\nspecial chars) at the beginning of the domain with the rest (“swap [where] letters begin”)\r\nOriginaldomainLettersEndInverse test-123.com → testmoc.321- keeps all letters at the beginning of the domain\r\nand reverses the rest (“invert [where] letters end”) OriginaldomainLettersEndSwap test-123.com → -123.comtest\r\nswaps all letters at the beginning of the domain with the rest (“swap [where] letters end”) Originaldomainleft test-123.com → test-123 takes the left part of the domain (everything left of the first dot) and lowercases the first\r\ncharacter OriginalDomainleft test-123.com → Test-123 takes the left part of the domain (everything left of the\r\nfirst dot) and capitalizes the first character Originaldomainright test-123.com → test-123 takes the right part of the\r\ndomain (everything right of the first dot) and lowercases the first character OriginalDomainright test-123.com →\r\nTest-123 takes the right part of the domain (everything right of the first dot) and capitalizes the first character\r\nOriginaldomain uses the plain domain name   OriginalDomain test-123.com → Test-123.com uses the domain\r\nname and capitalizes the first character NiamodLowercase abc%NiamodLowercase%123 abc123\r\nniamodLowercase test-123.com → Moc.321-tset reverses and lowercases the domain name, first character\r\ncapitalized niamodUppercase test-123.com → mOC.312-TSET reverses and capitalizes the domain name, first\r\nchar lowercase domainleftHyphen test-123.com → test takes everything left of the first hyphen\r\nDOMAINLEFTHYPHEN test-123.com → TEST takes everything left of the first hyphen, capitalized\r\nDomainleftHyphen test-123.com → Test takes everything left of the first hyphen, first char capitalized\r\ndomainrightHyphen test-123.com → 123.com takes everything right of the first hyphen\r\nDOMAINRIGHTHYPHEN test-123.com → 123.COM takes everything right of the first hyphen, capitalized\r\nDomainrightHyphen test-abc.com → Abc.com takes everything right of the 
first hyphen, first char capitalized\r\ndomainleftUnderscore test_123.com → test takes everything left of the first underscore\r\nDOMAINLEFTUNDERSCORE test_123.com → TEST takes everything left of the first underscore, capitalized\r\nDomainleftUnderscore test_123.com → Test takes everything left of the first underscore, first char capitalized\r\ndomainrightUnderscore test_abc.com → abc.com takes everything right of the first underscore\r\nDOMAINRIGHTUNDERSCORE test_123.com → 123.COM takes everything right of the first underscore,\r\ncapitalized DomainrightUnderscore test_abc.com → Abc.com takes everything right of the first underscore, first\r\nchar capitalized DomainReplaceFirst_X-x EXAMPLE-attack.com → EXAMPLE-@ttack.com (ex:\r\n%DomainReplaceFirst_a-@%) replaces the first occurrence of X with x in the domain (needle and replacement\r\ncan be more than 1 char) DomainReplaceFirstI_X-x EXAMPLE-attack.com → EX@MPLE-attack.com (ex:\r\n%DomainReplaceFirstI_a-@%) case insensitively replaces the first occurrence of X with x in the domain (needle\r\nand replacement can be more than 1 char) DomainReplaceLast_X-x EXAMPLE-attack.com → EXAMPLE-att@ck.com (ex: %DomainReplaceLast_a-@%) replaces the last occurrence of X with x in the domain (needle\r\nand replacement can be more than 1 char) DomainReplaceLastI_X-x EXAMPLE-attack.com → EXAMPLE-att@ck.com (ex: %DomainReplaceLastI_a-@%) case insensitively replaces the last occurrence of X with x in the\r\ndomain (needle and replacement can be more than 1 char) DomainReplaceAll_X-x EXAMPLE-attack.com →\r\nEXAMPLE-@tt@ck.com (ex: %DomainReplaceAll_a-@%) replaces all occurrences of X with x in the domain\r\n(needle and replacement can be more than 1 char) DomainReplaceAllI_X-x EXAMPLE-attack.com →\r\nEX@MPLE-@tt@ck.com (ex: %DomainReplaceAllI_a-@%) case insensitively replaces all occurrences of X\r\nwith x in the domain (needle and replacement can be 
more than 1 char) niamod test-123.com → moc.321-tset\r\nreverses the domain name Niamod test-123.com → Moc.321-tset reverses the domain name, first char capitalized\r\ndomainleft TEST-123.com → test-123 everything left of the first dot, lowercased DOMAINLEFT Test-123.com\r\n→ TEST-123 everything left of the first dot, capitalized Domainleft test-123.com → Test-123 everything left of\r\nthe first dot, lowercased but first char capitalized domainright TEST-123.com → com everything right of the first\r\ndot, lowercased DOMAINRIGHT Test-123.com → COM everything right of the first dot, capitalized\r\nDomainright test-123.com → Com everything right of the first dot, lowercased but first char capitalized domain\r\nTEST-123.com → test-123.com domain name, lowercase Domain TEST-123.com domain name lowercased, first\r\nchar capitalized DoMaIn test-123.com → TeSt-123.cOm domain name in alternating case, starting with uppercase\r\ndOmAiN test-123.com → tEsT-123.CoM domain name in alternating case, starting with lowercase DOMAIN test-123.com → TEST-123.COM domain name capitalized NIAMOD test-123.com → MOC.321-TSET domain name\r\nreversed and capitalized\r\nSource: https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/"
	],
	"report_names": [
		"trickbot-rdpscandll-password-transof"
	],
	"threat_actors": [],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efec6c11ab4288efe48c7dd372c256ca41c8f833.pdf",
		"text": "https://archive.orkl.eu/efec6c11ab4288efe48c7dd372c256ca41c8f833.txt",
		"img": "https://archive.orkl.eu/efec6c11ab4288efe48c7dd372c256ca41c8f833.jpg"
	}
}