Malicious SHA-256 Hashes

Free feed of SHA-256 file hashes for known malware shared by Twitter/X researchers


Malicious SHA-256 Hashes

SHA-256 file hashes for known malware


Related Threat Intelligence feeds: URLs · Domains · IPs · MD5 · All IOC types

SHA-256 hashes by window

Today

-

SHA-256 hashes

Week

-

SHA-256 hashes

Month

-

SHA-256 hashes

Year

-

SHA-256 hashes

What this list contains

  • Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
  • SHA-256 hashes of malware samples: RATs, infostealers, ransomware, droppers, loaders.
  • Higher-confidence than MD5 (no known collisions). Preferred for forensic chain of custody.
  • Cross-reference against VirusTotal or MalwareBazaar for sample verdicts and family attribution.

Recent samples

Latest 10 SHA-256 hashes from the past 7 days. Live from api.tweetfeed.live/v1/week/sha256.

Loading samples

Top tags for SHA-256 hashes

Filter the SHA-256 feed by malware family or category. Each tag has its own landing page with recent samples and context.

See all tags on the Dashboard or browse the full IOC feed.

Formats and how to use

Every TweetFeed feed is free and public domain (CC0 1.0) with no API key or sign-up. The malicious SHA-256 hashes are available in four formats:

FormatWhereBest for
JSON APIapi.tweetfeed.live/v1/<window>/sha256SOAR / SIEM enrichment, scripts
CSVtoday / week / month / year .csvbulk import, spreadsheets, blocklists
RSSrss.xmlwatch new IOCs in a reader
MCPmcp.tweetfeed.livelive lookups from AI agents / Claude

Feed the hashes into your EDR as known-bad indicators, or pivot each hash through VirusTotal and Malpedia. SHA-256 is preferred over MD5 for forensic chain of custody. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.

Frequently asked questions

What is a SHA-256 hash?

SHA-256 is a cryptographic hash function that produces a 64-character hexadecimal fingerprint of a file. Two identical files always produce the same hash, but two different files producing the same SHA-256 hash has never been demonstrated, so it is the recommended hash for high-confidence sample identification.

How is this list updated?

Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts 64-character hex SHA-256 hashes from tweets, deduplicates against the past year, tags them with malware family, and republishes the result in CSV, JSON and RSS.

SHA-256 vs MD5: which should I use?

Use SHA-256 when collision resistance matters: forensic evidence chain of custody, cryptographic signature verification, blockchain-style integrity. Use MD5 when speed and storage matter and collision risk is acceptable: large-scale endpoint scanning, AV signature databases. TweetFeed publishes both; many tweets include both for the same sample.

Are these hashes verified malicious?

TweetFeed is OSINT, not a sandbox. Hashes are sourced from public posts by infosec researchers, then deduplicated and tagged. Most posts include sandbox links; cross-reference VirusTotal, MalwareBazaar or your own sandbox to confirm a sample's verdict and gather family attribution before action.

Is the malicious SHA-256 hashes list free?

Yes. Every TweetFeed feed is free and released into the public domain under CC0 1.0, with no API key, sign-up or rate card. You can use it in commercial or personal projects; a link back is appreciated but not required.

How do I use these SHA-256 hashes to block threats?

Feed the hashes into your EDR as known-bad indicators, or pivot each hash through VirusTotal and Malpedia. SHA-256 is preferred over MD5 for forensic chain of custody. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.

License

Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).