Resolved toxhoster.net to 184.108.40.206
Gate file: /forum/gate.php
Some idiot set it to download itself from the server, so it will run in an endless loop of stealing passwords, sending logs, and then downloading and running itself.
Hosting infos: http://whois.domaintools.com/220.127.116.11
Related md5s (search on malwr.com to download the samples):