Malicious MD5 Hashes
Free feed of MD5 file hashes for known malware shared by Twitter/X researchers
Malicious MD5 Hashes
MD5 file hashes for known malware
Related Threat Intelligence feeds: URLs · Domains · IPs · SHA-256 · All IOC types
MD5 hashes by window
-
MD5 hashes
-
MD5 hashes
-
MD5 hashes
-
MD5 hashes
What this list contains
- Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
- MD5 hashes of malware samples: RATs, infostealers, ransomware, droppers, loaders.
- MD5 has known collisions; for high-confidence detection, prefer the SHA-256 feed.
- Cross-reference against VirusTotal or your sandbox for sample verdicts and family attribution.
Recent samples
Latest 10 MD5 hashes from the past 7 days. Live from api.tweetfeed.live/v1/week/md5.
Top tags for MD5 hashes
Formats and how to use
Every TweetFeed feed is free and public domain (CC0 1.0) with no API key or sign-up. The malicious MD5 hashes are available in four formats:
| Format | Where | Best for |
|---|---|---|
| JSON API | api.tweetfeed.live/v1/<window>/md5 | SOAR / SIEM enrichment, scripts |
| CSV | today / week / month / year .csv | bulk import, spreadsheets, blocklists |
| RSS | rss.xml | watch new IOCs in a reader |
| MCP | mcp.tweetfeed.live | live lookups from AI agents / Claude |
Feed the hashes into your EDR or YARA tooling as known-bad indicators, or pivot each hash through VirusTotal, Malpedia and Hybrid Analysis. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.
Frequently asked questions
What is an MD5 hash?
MD5 is a cryptographic hash function that produces a 32-character hexadecimal fingerprint of a file. Identical files produce identical hashes, so MD5 is a fast way to identify a known sample without exchanging the binary. Antivirus signatures, sandbox reports and Threat Intelligence feeds commonly cite MD5 hashes alongside SHA-1 and SHA-256.
How is this list updated?
Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts 32-character hex MD5 hashes from tweets, deduplicates against the past year, tags them with malware family, and republishes the result in CSV, JSON and RSS.
Why MD5 if SHA-256 is more secure?
MD5 is faster and shorter, which matters for large-scale endpoint scanning where every byte saved on signature storage adds up. Many legacy AV and IDS systems index by MD5. For high-confidence detection or when collision resistance matters (e.g. forensic chain of custody), SHA-256 is preferred. TweetFeed publishes both.
Are these hashes verified malicious?
TweetFeed is OSINT, not a sandbox. Hashes are sourced from public posts by infosec researchers, then deduplicated and tagged. Most posts include sandbox links; cross-reference VirusTotal, MalwareBazaar or your own sandbox to confirm a sample's verdict and gather family attribution before action.
Is the malicious MD5 hashes list free?
Yes. Every TweetFeed feed is free and released into the public domain under CC0 1.0, with no API key, sign-up or rate card. You can use it in commercial or personal projects; a link back is appreciated but not required.
How do I use these MD5 hashes to block threats?
Feed the hashes into your EDR or YARA tooling as known-bad indicators, or pivot each hash through VirusTotal, Malpedia and Hybrid Analysis. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.
License
Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).