Add YARA rule for SimplePack packer detection

DosX-dev · DosX-dev · commit ee52952a3c08 · 2025-09-22T12:47:32.000+03:00
Introduced a new rule 'Packer__SimplePack' to detect PE files packed with SimplePack by checking for a section named '.spack'.
diff --git a/yara_rules/DiE_InterestingThings_by_DosX.yar b/yara_rules/DiE_InterestingThings_by_DosX.yar
@@ -123,6 +123,16 @@ rule Packer__SoftwareCompress {
         )
 }
 
+rule Packer__SimplePack {
+    condition:
+        IsPE and
+        IsNative and (
+            for any i in (0..pe.number_of_sections - 1) : (
+                pe.sections[i].name == ".spack"
+            )
+        )
+}
+
 rule Protection__obfus_h {
     condition:
         IsPE and
