Malicious SHA-256 Hashes
Free feed of SHA-256 file hashes for known malware shared by Twitter/X researchers
Malicious SHA-256 Hashes
SHA-256 file hashes for known malware
Related Threat Intelligence feeds: URLs · Domains · IPs · MD5 · All IOC types
SHA-256 hashes by window
-
SHA-256 hashes
-
SHA-256 hashes
-
SHA-256 hashes
-
SHA-256 hashes
What this list contains
- Sourced from ~95 Twitter/X security researchers, refreshed every 15 minutes.
- SHA-256 hashes of malware samples: RATs, infostealers, ransomware, droppers, loaders.
- Higher-confidence than MD5 (no known collisions). Preferred for forensic chain of custody.
- Cross-reference against VirusTotal or MalwareBazaar for sample verdicts and family attribution.
Recent samples
Latest 10 SHA-256 hashes from the past 7 days. Live from api.tweetfeed.live/v1/week/sha256.
Top tags for SHA-256 hashes
Formats and how to use
Every TweetFeed feed is free and public domain (CC0 1.0) with no API key or sign-up. The malicious SHA-256 hashes are available in four formats:
| Format | Where | Best for |
|---|---|---|
| JSON API | api.tweetfeed.live/v1/<window>/sha256 | SOAR / SIEM enrichment, scripts |
| CSV | today / week / month / year .csv | bulk import, spreadsheets, blocklists |
| RSS | rss.xml | watch new IOCs in a reader |
| MCP | mcp.tweetfeed.live | live lookups from AI agents / Claude |
Feed the hashes into your EDR as known-bad indicators, or pivot each hash through VirusTotal and Malpedia. SHA-256 is preferred over MD5 for forensic chain of custody. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.
Frequently asked questions
What is a SHA-256 hash?
SHA-256 is a cryptographic hash function that produces a 64-character hexadecimal fingerprint of a file. Two identical files always produce the same hash, but two different files producing the same SHA-256 hash has never been demonstrated, so it is the recommended hash for high-confidence sample identification.
How is this list updated?
Every 15 minutes. The pipeline scrapes RSS feeds from public Twitter/X researcher accounts and lists, extracts 64-character hex SHA-256 hashes from tweets, deduplicates against the past year, tags them with malware family, and republishes the result in CSV, JSON and RSS.
SHA-256 vs MD5: which should I use?
Use SHA-256 when collision resistance matters: forensic evidence chain of custody, cryptographic signature verification, blockchain-style integrity. Use MD5 when speed and storage matter and collision risk is acceptable: large-scale endpoint scanning, AV signature databases. TweetFeed publishes both; many tweets include both for the same sample.
Are these hashes verified malicious?
TweetFeed is OSINT, not a sandbox. Hashes are sourced from public posts by infosec researchers, then deduplicated and tagged. Most posts include sandbox links; cross-reference VirusTotal, MalwareBazaar or your own sandbox to confirm a sample's verdict and gather family attribution before action.
Is the malicious SHA-256 hashes list free?
Yes. Every TweetFeed feed is free and released into the public domain under CC0 1.0, with no API key, sign-up or rate card. You can use it in commercial or personal projects; a link back is appreciated but not required.
How do I use these SHA-256 hashes to block threats?
Feed the hashes into your EDR as known-bad indicators, or pivot each hash through VirusTotal and Malpedia. SHA-256 is preferred over MD5 for forensic chain of custody. Validate against VirusTotal or your own sandbox before blocking outright, since OSINT feeds can carry false positives.
License
Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).