TECH ORDUS NOVUS ORDO CYBER INTELLIGENCE

AsyncRAT Dropper: Stage-1 Loader Analysis


Sample Metadata

Field          Value
SHA256         a3f1c8... (truncated)
File type      PE32 .NET executable
First seen     2026-04-08
C2 protocol    TCP/6606 with AES-256-CBC

Stage-1: PowerShell Dropper

Initial delivery is a malicious Office document that launches a PowerShell one-liner through the -EncodedCommand switch. That switch takes the script as base64 over its UTF-16LE encoding, not UTF-8, so the argument must be decoded as UTF-16LE during triage or it reads as NUL-interleaved garbage. powershell.exe also accepts any unambiguous prefix of the switch (-e, -ec, -enc), which matters for the command-line detections below.

AMSI Bypass

The loader disables AMSI before loading the next stage. Rather than patching AmsiScanBuffer in memory, the technique shown uses .NET reflection to set the private static field amsiInitFailed on System.Management.Automation.AmsiUtils to $true; PowerShell then treats AMSI as failed to initialise and skips scanning for the rest of the process:

# [Ref] resolves to System.Management.Automation; GetType reaches the internal AmsiUtils class,
# and SetValue flips its private static amsiInitFailed flag so later scans are skipped
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') |
  ForEach-Object { $_.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) }
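Added example (Python, not code from the page or from the analysed sample): it decodes the -EncodedCommand argument the way powershell.exe does (base64 over UTF-16LE), accepts the abbreviated switch forms, and then applies the string condition of the YARA rule from the Detection section below to both the raw command line and the decoded script. Both scripts are constructed for the example; the second one assembles the same identifiers by concatenation, which is a common obfuscation and not something the page reports about this sample.

```python
import base64
import re

# Constructed samples (illustration only, not strings from the analysed binary):
# the page's reflection one-liner, and a variant that assembles the same
# identifiers from fragments at run time.
PLAIN_SCRIPT = (
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') | "
    "ForEach-Object { $_.GetField('amsiInitFailed','NonPublic,Static')"
    ".SetValue($null,$true) }"
)
OBFUSCATED_SCRIPT = (
    "[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils') | "
    "ForEach-Object { $_.GetField('amsiInit'+'Failed','NonPublic,Static')"
    ".SetValue($null,$true) }"
)

# Strings and condition from the page's YARA rule (ascii wide, case-sensitive).
YARA_STRINGS = {"$ps1": "AmsiUtils", "$ps2": "amsiInitFailed", "$pe": "RegAsm"}
YARA_THRESHOLD = 2  # condition: 2 of them


def encode_command(script: str) -> str:
    """Build the argument powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; decoding as UTF-8 would give NUL-interleaved garbage."""
    return base64.b64decode(blob).decode("utf-16-le")


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so a match on the literal '-EncodedCommand' alone misses the short forms.
ENC_ARG_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)")


def extract_encoded_script(cmdline: str):
    """Return the decoded script from a powershell.exe command line, or None."""
    m = ENC_ARG_RE.search(cmdline)
    return decode_command(m.group(1)) if m else None


def yara_hits(text: str) -> set:
    """Names of the rule's strings present in text. The rule's 'wide' modifier covers the
    UTF-16LE form of the same text, so scanning the decoded script reflects both."""
    return {name for name, s in YARA_STRINGS.items() if s in text}


def rule_matches(text: str) -> bool:
    return len(yara_hits(text)) >= YARA_THRESHOLD


def triage(cmdline: str) -> dict:
    """Decode the command line, then apply the rule to the raw line and to the decoded script."""
    script = extract_encoded_script(cmdline)
    return {
        "decoded": script,
        "raw_match": rule_matches(cmdline),
        "decoded_match": rule_matches(script) if script is not None else False,
    }


if __name__ == "__main__":
    for label, script in (("plain", PLAIN_SCRIPT), ("obfuscated", OBFUSCATED_SCRIPT)):
        cmd = f"powershell.exe -nop -w hidden -enc {encode_command(script)}"
        print(label, triage(cmd))
```

Running it shows two things: the rule never fires on the raw command line, because base64 hides the identifiers, and after decoding it fires on the plain one-liner (two of three strings) but not on the concatenated variant. A literal-string rule therefore has to run over decoded script content, and it is still cheap for an operator to evade.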

Process Hollowing

The final payload is written into a suspended RegAsm.exe process and started via the classic hollowing sequence: NtWriteVirtualMemory to place the payload, then ResumeThread to run it. RegAsm.exe is the .NET Framework Assembly Registration Tool, a Microsoft-signed binary, so the on-disk image is clean and only the in-memory contents are malicious; that is why the detections below key on process lineage rather than on the file.

Detection

YARA:

rule asyncrat_dropper_2026 {
  strings:
    $ps1 = "AmsiUtils" ascii wide
    $ps2 = "amsiInitFailed" ascii wide
    $pe  = "RegAsm" ascii wide
  condition:
    2 of them
}

Caveat: the rule matches literal identifiers. This exact AMSI one-liner is itself flagged by current Defender, so in-the-wild copies are usually string-obfuscated (concatenation, format strings, character arithmetic), which defeats $ps1 and $ps2; and "RegAsm" alone also occurs in legitimate .NET tooling, so the rule should be scoped to script content and PowerShell-spawned binaries rather than run broadly on disk.

Sigma (process_creation): Image ends with \RegAsm.exe, ParentImage ends with \powershell.exe, and ParentCommandLine contains -EncodedCommand. Because powershell.exe also accepts the abbreviated forms -e, -ec and -enc, the command-line selection should cover those as well, or the rule misses a trivially shortened variant.
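Added example (Python, not code from the page or from the analysed sample): the Sigma logic above expressed as a function over Sysmon-style process-creation events, widened to the abbreviated switch forms, and run over constructed events that include a true positive, a benign RegAsm.exe launched by a build, and a PowerShell parent without an encoded command. Treating pwsh.exe as a parent, and the base64 argument shown, are assumptions for the example.

```python
import re

# Sigma process_creation field names as emitted by Sysmon Event ID 1.
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so the match is widened beyond the literal switch named in the page's rule.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+[A-Za-z0-9+/=]+")


def is_regasm(image: str) -> bool:
    # Image|endswith: '\RegAsm.exe' (Windows paths are case-insensitive)
    return image.lower().endswith("\\regasm.exe")


def is_powershell(image: str) -> bool:
    # ParentImage|endswith: '\powershell.exe'; pwsh.exe is added as an assumption,
    # since it accepts the same switch.
    return image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))


def matches(event: dict) -> bool:
    """All three selections must hold on one event for the rule to fire."""
    return (
        is_regasm(event.get("Image", ""))
        and is_powershell(event.get("ParentImage", ""))
        and ENCODED_SWITCH.search(event.get("ParentCommandLine", "")) is not None
    )


def alerts(events) -> list:
    """Ids of the events that fire the rule, in log order."""
    return [e["id"] for e in events if matches(e)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
B64 = "SQBFAFgAIAAuAC4ALgA="  # constructed: base64 of UTF-16LE 'IEX ...'

# Constructed events, not telemetry from the analysed sample.
EVENTS = [
    # 1: the lineage the page describes, literal switch
    {"id": 1, "Image": REGASM, "ParentImage": PS,
     "ParentCommandLine": f"powershell.exe -nop -w hidden -EncodedCommand {B64}"},
    # 2: same lineage, abbreviated switch that a literal 'contains' would miss
    {"id": 2, "Image": REGASM, "ParentImage": PS,
     "ParentCommandLine": f"powershell -enc {B64}"},
    # 3: benign RegAsm launched from a build; parent is not PowerShell
    {"id": 3, "Image": REGASM,
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "ParentCommandLine": "MSBuild.exe App.csproj /t:Build"},
    # 4: PowerShell parent but no encoded command (-ExecutionPolicy is not -e)
    {"id": 4, "Image": REGASM, "ParentImage": PS,
     "ParentCommandLine": "powershell.exe -ExecutionPolicy Bypass -c Get-Process"},
    # 5: PowerShell 7 parent, shortest -e form, upper-case image path
    {"id": 5, "Image": REGASM.upper(),
     "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "ParentCommandLine": f"pwsh.exe -e {B64}"},
]

if __name__ == "__main__":
    print("alerting event ids:", alerts(EVENTS))  # [1, 2, 5]
```

Events 1, 2 and 5 fire; 3 and 4 do not. Event 2 is the case a rule written as a literal "contains -EncodedCommand" would silently miss.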