Resolved toxhoster.net to 188.8.131.52
Gate file: /forum/gate.php
Some idiot set it to download itself from the server, so it will run in an endless loop of stealing passwords, sending logs, and then downloading and running itself.
Hosting infos: http://whois.domaintools.com/184.108.40.206
Related md5s (search on malwr.com to download the samples):