Resolved toxhoster.net to 18.104.22.168
Gate file: /forum/gate.php
Some idiot set it to download itself from the server, so it will run in an endless loop of stealing passwords, sending logs, and then downloading and running itself.
Hosting infos: http://whois.domaintools.com/22.214.171.124
Related md5s (search on malwr.com to download the samples):