I believe so too. But the confusing fact for me is that the only difference between the two samples I posted above is that one has this extra code at the start to elevate admin privilege.
@echo off
if _%1_==_payload_ goto :payload
:getadmin
echo %~nx0: elevating self
set vbs=%temp%\getadmin.vbs
echo Set UAC = CreateObject^("Shell.Application"^) >> "%vbs%"
echo UAC.ShellExecute "%~s0", "payload %~sdp0 %*", "", "runas", 1 >> "%vbs%"
"%temp%\getadmin.vbs"
del "%temp%\getadmin.vbs"
goto :eof
:payload
Everything else is the same. The sample doesn’t even require admin privilege and works fine without it. In fact, that’s how the original sample was, without the admin privilege code. The code was added by an amateur for testing purpose.
There must be a reason, I guess, for Avast and also Kaspersky not to add a signature but it’s still a bit confusing.