Malicious SHA-256 Hashes
Free feed of SHA-256 file hashes for known malware shared by Twitter/X researchers
What this list contains
- Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
- SHA-256 hashes of malware samples: RATs, infostealers, ransomware, droppers, loaders.
- Higher confidence than MD5 (no known collisions). Preferred for forensic chain of custody.
- Cross-reference against VirusTotal or MalwareBazaar for sample verdicts and family attribution.
Recent samples
Latest 10 SHA-256 hashes from the past 7 days. Live from api.tweetfeed.live/v1/week/sha256.
Frequently asked questions
What is a SHA-256 hash?
SHA-256 is a cryptographic hash function that produces a 64-character hexadecimal fingerprint of a file. Two identical files always produce the same hash, and no case of two different files producing the same SHA-256 hash has ever been demonstrated, so it is the recommended hash for high-confidence sample identification.
How is this list updated?
Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts 64-character hex SHA-256 hashes from tweets, deduplicates against the past year, tags them with malware family, and republishes the result in CSV, JSON and RSS.
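The extraction and deduplication step described above, as an added example (not TweetFeed's own pipeline code). The function names and sample posts are constructed for illustration, and the sample hashes are digests of constructed strings, not real malware hashes.

```python
import hashlib
import re

# Exactly 64 hex characters, not embedded in a longer hex run, so the two
# halves of a 128-character SHA-512 digest are not mistaken for SHA-256.
SHA256_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")


def extract_sha256(text):
    """Return the unique SHA-256 hashes in text, lowercased, in first-seen order."""
    matches = (m.group(0).lower() for m in SHA256_RE.finditer(text))
    return list(dict.fromkeys(matches))


def new_hashes(posts, seen):
    """Return (hash, post) pairs for hashes not already in `seen`.

    `seen` stands in for the pipeline's history of already-published
    hashes and is updated in place.
    """
    fresh = []
    for post in posts:
        for digest in extract_sha256(post):
            if digest not in seen:
                seen.add(digest)
                fresh.append((digest, post))
    return fresh


if __name__ == "__main__":
    # Constructed sample data: digests of made-up byte strings.
    h1 = hashlib.sha256(b"constructed sample 1").hexdigest()
    h2 = hashlib.sha256(b"constructed sample 2").hexdigest()
    md5 = hashlib.md5(b"constructed sample 1").hexdigest()
    h512 = hashlib.sha512(b"constructed sample 1").hexdigest()
    posts = [
        f"#stealer sample {h1.upper()} seen today",  # upper-case form
        f"sha256:{h1} md5:{md5}",                    # repeat plus an MD5
        f"sha512 {h512}",                            # must be ignored
        f"new loader {h2}",
    ]
    for digest, post in new_hashes(posts, seen=set()):
        print(digest, "<-", post[:30])
```

Lowercasing before comparison matters because researchers post the same digest in both cases; without it the same sample would be published twice.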
SHA-256 vs MD5: which should I use?
Use SHA-256 when collision resistance matters: forensic evidence chain of custody, cryptographic signature verification, blockchain-style integrity. Use MD5 when speed and storage matter and collision risk is acceptable: large-scale endpoint scanning, AV signature databases. TweetFeed publishes both; many tweets include both for the same sample.
Are these hashes verified malicious?
TweetFeed is OSINT, not a sandbox. Hashes are sourced from public posts by infosec researchers, then deduplicated and tagged. Most posts include sandbox links; cross-reference VirusTotal, MalwareBazaar or your own sandbox to confirm a sample's verdict and gather family attribution before acting on it.
License
Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).