Direct Exe hosts are commonly used by malware as they allow a Downloader to work properly (I mean, if you used MediaFire, the HTML page will be downloaded, duh?). Despite getting blacklisted fairly fast, they are all still very popular, as a blacklist usually only affects the browser. However, what they DON’T know is that most Direct Exe hosts are highly vulnerable.
One fairly good example is NeverGreen.net.
This direct Exe host is currently blacklisted by 18/68 antivirus engines on VirusTotal, and is advertised on HackForums. Despite the good design, the host is not really secure. All of the URLs are in the simple format of nevergreen.net/abc, where abc consists of 3 random numbers/letters. With 5 minutes of scripting, I made a scraper that would try to brute-force the URL, and obtained around 8 samples in a mere 3 minutes. The only problem was that Nevergreen does not remove files that are older than 1 month, therefore I am also getting samples that are almost a year old. File extension is another problem, since some of the files might be .RAR, so I had to use ExeInfo PE to figure out what it is.
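The file-type problem mentioned above can also be handled in a triage script by reading magic bytes and the PE header instead of trusting the extension. This is an added example, not code from the original post; the function names and the sample bytes are constructed for illustration.

```python
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 1.5 to 4.x signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.0+ signature
ZIP_MAGIC = b"PK\x03\x04"               # ZIP local file header
IMAGE_FILE_DLL = 0x2000                 # COFF Characteristics flag


def identify(data: bytes) -> str:
    """Classify a sample by content, ignoring whatever extension it arrived with."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C of the DOS header points to the PE signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
            return "dos-mz"              # MZ stub without a valid PE header
        if len(data) < e_lfanew + 24:
            return "pe-truncated"        # signature present, COFF header cut off
        # Characteristics is the last 2 bytes of the 20-byte COFF header.
        (flags,) = struct.unpack_from("<H", data, e_lfanew + 22)
        return "pe-dll" if flags & IMAGE_FILE_DLL else "pe-exe"
    return "unknown"


def sample_pe(characteristics: int) -> bytes:
    """Build a constructed, header-only PE image (not a real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # PE header directly after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    constructed = {
        "exe header": sample_pe(0x0102),
        "dll header": sample_pe(0x2102),
        "rar5 header": RAR5_MAGIC + b"\x00" * 8,
        "html page": b"<!DOCTYPE html><html>",
    }
    for label, blob in constructed.items():
        print(f"{label:12s} -> {identify(blob)}")
```
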
Another vulnerable host is AutoUpload.club. The full vulnerability is mentioned by L!NK in his video at https://www.youtube.com/watch?v=vQOidWoeOB8
Those are just the 2 direct exe hosts that I have been looking at. So don’t rely on these hosts, since anyone can obtain your stub with ease.