Malicious MD5 Hashes

Free feed of MD5 file hashes for known malware shared by Twitter/X researchers


Malicious MD5 Hashes

MD5 file hashes for known malware

MD5 hashes by window

Today

-

MD5 hashes

Week

-

MD5 hashes

Month

-

MD5 hashes

Year

-

MD5 hashes

What this list contains

  • Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
  • MD5 hashes of malware samples: RATs, infostealers, ransomware, droppers, loaders.
  • MD5 has known collisions; for high-confidence detection, prefer the SHA-256 feed.
  • Cross-reference against VirusTotal or your sandbox for sample verdicts and family attribution.

Recent samples

Latest 10 MD5 hashes from the past 7 days. Live from api.tweetfeed.live/v1/week/md5.

Loading samples

Top tags for MD5 hashes

Filter the MD5 feed by malware family or category. Each tag has its own landing page with recent samples and context.

See all tags on the Dashboard or browse the full IOC feed.

Frequently asked questions

What is an MD5 hash?

MD5 is a cryptographic hash function that produces a 32-character hexadecimal fingerprint of a file. Identical files produce identical hashes, so MD5 is a fast way to identify a known sample without exchanging the binary. Antivirus signatures, sandbox reports and Threat Intelligence feeds commonly cite MD5 hashes alongside SHA-1 and SHA-256.

How is this list updated?

Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts 32-character hex MD5 hashes from tweets, deduplicates against the past year, tags them with malware family, and republishes the result in CSV, JSON and RSS.

Why MD5 if SHA-256 is more secure?

MD5 is faster and shorter, which matters for large-scale endpoint scanning where every byte saved on signature storage adds up. Many legacy AV and IDS systems index by MD5. For high-confidence detection or when collision resistance matters (e.g. forensic chain of custody), SHA-256 is preferred. TweetFeed publishes both.

Are these hashes verified malicious?

TweetFeed is OSINT, not a sandbox. Hashes are sourced from public posts by infosec researchers, then deduplicated and tagged. Most posts include sandbox links; cross-reference VirusTotal, MalwareBazaar or your own sandbox to confirm a sample's verdict and gather family attribution before action.

License

Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).