Resolved toxhoster.net to 220.127.116.11
Gate file: /forum/gate.php
Some idiot set it to download itself from the server, so it will run in an endless loop of stealing passwords, sending logs, and then downloading and running itself.
Hosting infos: http://whois.domaintools.com/18.104.22.168
Related md5s (search on malwr.com to download the samples):